LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 09-11-2019, 09:22 AM   #1
nurwanda
LQ Newbie
 
Registered: Sep 2019
Posts: 14

Rep: Reputation: Disabled
Is my browser getting hijacked?


For the past week I have been getting redirected from the duckduckgo search engine; it is my default search engine. When I type in a url, I get a "duckduckgo" page saying "these are not our extensions". Whenever I try to type in a new url, it gives me the same page; no way to "accept" the page and then use the search engine.

https://help.duckduckgo.com/add-ons/removal/

It is constantly coming up when I come online.

Is anyone else getting this? debian 10.
 
Old 09-11-2019, 12:18 PM   #2
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian sid
Posts: 1,999

Rep: Reputation: 550Reputation: 550Reputation: 550Reputation: 550Reputation: 550Reputation: 550
nope
try ( from command line )
Code:
firefox --safe-mode
# Disables extensions and themes for this session.
if that is fine, it is a rogue addon, which we can remove
then work out where it came from and how to stop it coming back
 
Old 09-11-2019, 03:57 PM   #3
nurwanda
LQ Newbie
 
Registered: Sep 2019
Posts: 14

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Firerat View Post
nope
try ( from command line )
Code:
firefox --safe-mode
# Disables extensions and themes for this session.
if that is fine, it is a rogue addon, which we can remove
then work out where it came from and how to stop it coming back
I am using chromium so I did "chromium --safe-mode", but the same thing happened once I tried a search. It was happening on my OS so I reinstalled it, but it started happening immediately on my new OS download/ install (same OS version, etc).

What is it if not something malicious? Is it possible that someone is sending this to my computer from their computer?

"Add-ons
Removing unofficial add-ons
We've recently discovered some malicious Chrome extensions, often with the word "video" in the name, are incorrectly sending searches to DuckDuckGo and Bing. Some of the names we've seen are "My Video Grid", "Video Tips", and "My Vital Video". DuckDuckGo is in no way affiliated with these extensions. However, we would like to help you resolve this issue. Below are instructions on how to remove such extensions:

Open Google Chrome.
Click on the "More" button in the top right of your browser (it looks like three vertical dots)............."

Last edited by nurwanda; 09-11-2019 at 04:02 PM.
 
Old 09-11-2019, 04:16 PM   #4
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian sid
Posts: 1,999

Rep: Reputation: 550Reputation: 550Reputation: 550Reputation: 550Reputation: 550Reputation: 550
ah, ok
I don't know why I blindly assumed firefox

I don't know how you would start chromium in the --safe-mode equivalent

but it does look like you have a rogue extension installed on it


Blind longshot
Code:
mv ~/.chromium ~/.chromium-suspect
I assume the malware has not managed to infect
/usr/share/chromium/extensions

~/.chromium might not exist, it is a guess on my side

if you start chromium again and all is well then the culprit is in ~/.chromium-suspect

Code:
find ~/.chromium-suspect
will list the files in there, and we may be able to 'pick out' the malware
 
1 members found this post helpful.
Old 09-11-2019, 04:44 PM   #5
jefro
Moderator
 
Registered: Mar 2008
Posts: 19,152

Rep: Reputation: 2921Reputation: 2921Reputation: 2921Reputation: 2921Reputation: 2921Reputation: 2921Reputation: 2921Reputation: 2921Reputation: 2921Reputation: 2921Reputation: 2921
Not sure yet if it is a re-direct or hijack of some kind or simply a complaint about some extension.

This exact phrase seems to show no web answer that I can find. "these are not our extensions"
 
Old 09-11-2019, 04:57 PM   #6
nurwanda
LQ Newbie
 
Registered: Sep 2019
Posts: 14

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by jefro View Post
Not sure yet if it is a re-direct or hijack of some kind or simply a complaint about some extension.

This exact phrase seems to show no web answer that I can find. "these are not our extensions"
I use duckduckgo. Normally when I search it acts normally and takes me to the site I am asking for. Now, it just redirects back to the url above. Is there malware on the computer? When you type in that url, what do you get?
 
Old 09-11-2019, 05:02 PM   #7
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.6
Posts: 3,635

Rep: Reputation: 1206Reputation: 1206Reputation: 1206Reputation: 1206Reputation: 1206Reputation: 1206Reputation: 1206Reputation: 1206Reputation: 1206
Quote:
Originally Posted by nurwanda View Post
I use duckduckgo. Normally when I search it acts normally and takes me to the site I am asking for. Now, it just redirects back to the url above. Is there malware on the computer? When you type in that url, what do you get?
I get the page you described.
I'm not sure what your question is...have you followed those directions to remove the add-ons? If not, why not?
 
Old 09-11-2019, 05:04 PM   #8
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian sid
Posts: 1,999

Rep: Reputation: 550Reputation: 550Reputation: 550Reputation: 550Reputation: 550Reputation: 550
if I use duckduckgo I get what I would expect
so yes, it would appear you have a problem.

have you moved ~/.chromium yet?
is it still a problem?

Let us eliminate a rogue extension and then move on to something else if it proves not to be that.
 
Old 09-11-2019, 05:15 PM   #9
nurwanda
LQ Newbie
 
Registered: Sep 2019
Posts: 14

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Firerat View Post
if I use duckduckgo I get what I would expect
so yes, it would appear you have a problem.

have you moved ~/.chromium yet?
is it still a problem?

Let us eliminate a rogue extension and then move on to something else if it proves not to be that.
There is an extension called "chromium pdf viewer" listed in the 'extensions tab. There is a button to 'remove' but when I press it, it doesn't work. Is there a command line for removal?

I tried your first "blindshot" command, didn't work; no such file / directory. Tried the 2nd, it was working or hanging, but I decided to restart chromium and shut all tabs.

I noticed that if I type in a specific url, it takes me to the correct page. But if i type in a search term in the url/ address bar, that's when i get the redirect. If I type in the same search term in duckduckgo's search engine "box", I don't get the problem. Before the redirects started happening over the last few weeks, when I would type something into the url bar, it didn't give me a search engine output; I think it just didn't answer the query, but no redirect.

How do i "move" `/.chromium ? You mean just type in command bash? I will do it again now. Thanks.
 
Old 09-11-2019, 05:19 PM   #10
nurwanda
LQ Newbie
 
Registered: Sep 2019
Posts: 14

Original Poster
Rep: Reputation: Disabled
Appears that PDF VIEWER is malware: https://www.virusguides.com/uninstall-pdf-viewer/
 
Old 09-11-2019, 05:22 PM   #11
nurwanda
LQ Newbie
 
Registered: Sep 2019
Posts: 14

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Firerat View Post
if I use duckduckgo I get what I would expect
so yes, it would appear you have a problem.

have you moved ~/.chromium yet?
is it still a problem?

Let us eliminate a rogue extension and then move on to something else if it proves not to be that.
"find ~/.chromium-suspect" --- just hangs, no output
 
Old 09-11-2019, 05:24 PM   #12
nurwanda
LQ Newbie
 
Registered: Sep 2019
Posts: 14

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by nurwanda View Post
Appears that PDF VIEWER is malware: https://www.virusguides.com/uninstall-pdf-viewer/
Another url states: "Unfortunately this also means that Chromium is often used as a browser virus."
 
Old 09-11-2019, 05:27 PM   #13
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian sid
Posts: 1,999

Rep: Reputation: 550Reputation: 550Reputation: 550Reputation: 550Reputation: 550Reputation: 550
Quote:
Originally Posted by nurwanda View Post
"find ~/.chromium-suspect" --- just hangs, no output
well yeah
if you didn't succeed with moving ~/.chromium that is what I would expect.

what did you expect?
 
Old 09-11-2019, 05:31 PM   #14
nurwanda
LQ Newbie
 
Registered: Sep 2019
Posts: 14

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Firerat View Post
well yeah
if you didn't succeed with moving ~/.chromium that is what I would expect.

what did you expect?
I'm confused about "moving" `/.chromium. I don't understand what that means.
 
Old 09-11-2019, 05:35 PM   #15
Firerat
Senior Member
 
Registered: Oct 2008
Distribution: Debian sid
Posts: 1,999

Rep: Reputation: 550Reputation: 550Reputation: 550Reputation: 550Reputation: 550Reputation: 550
stop...

you are running off doing random things
no mention of ads popping up in your OP

why do you think the PDF viewer has anything to do with it?

so, please stop, calm down, chill.

I will install chromium and find out where is stores the users extensions, my guess may have been wrong.

but please, lets do things step by step, following instructions on random FUD blog pages are not going to help
as soon as you see "download our virus scan" , close that page
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Mouse, keyboard, window getting hijacked by unknown hacker Corbee Linux - Security 26 01-15-2017 07:33 PM
hijacked browser irvken Linux - Security 2 10-06-2004 05:13 AM
hijacked my domain name budzynm Linux - Security 7 11-18-2003 09:13 PM
Help! gxine hijacked my firebird Minderbinder Linux - Software 2 11-02-2003 02:46 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 05:12 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration