Redirect page at ebay.com?

Anybody out there ever encounter anything like this? When I enter the address www.ebay.com into my browser’s address bar (and I’ve done this with three different browsers, IE, Firefox and Opera), I get a page saying “The page you are looking for has been moved. If this page does not redirect you in 10 Secs, please click here.” The last two words are a hyperlink. When I click on the hyperlink, nothing happens. What gives? When I view page source, I don’t see anything terribly suspicious.

I posted the question on eBay’s chatboard, and of course got no answers. And by the way, it only seems like my home machine is affected. At work I have no problems.

I bet you’ve got a malware/virus problem.

I agree with acsenray - your browser is being hijacked.

That was the first thing that came to mind, only if I do “view source” on the page, it doesn’t seem to be sending me anywhere suspicious. (My assumption, which may be wrong, is that “view source” gives you a true look at the underlying HTML/javascript coding.) I’d think a hijack would be attempting to do something nefarious, but that doesn’t seem to be the case.

On the other hand, the slightly nonstandard flavor of the text on the page ("…in 10 Secs") gives me pause.

Can somebody give me the lowdown on how such a hijack would work? Where would the evil code live, for instance?

Spyware, or a corrupted HOSTS file, leading you to that bogus page. I’m kinda leading to trouble with HOSTS as it’s affecting three different browsers.

For the curious, urls are trivial to spoof. Here’s an example out of a real eBay phishing email. I’ve added some spaces to “break” it to prevent anyone from accidentally going to that site. (It’s been taken down by the ISP anyway.) If you hovered over the link that this was used for, it will display that first line, which certainly looks legit. Only by viewing the source and scouring through it will you find the truth. All of this gobbledygook is a mix of representing letters and numbers by their hex equivalents and using a direct IP address instead of a more human-readable name.

https://signin.ebay.com/ws/eBayISAPI.dll?
SignIn&UsingSSL=1&pUserId=&co_partnerId=2&siteid=0&ru=http%3A%2F% 2Fcgi4.ebay.com%2Fws%2FeBayISAPI.dll?MfcISAPICommand% 3dRedirectToDomain% 26DomainUrl=http%3A%2F%2F62.193.217.91% 2FeBayISAPI.php&pageType=1883
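A defender's way to unpack a link like the one above, added here as an example and not part of the original post: it strips the inserted spaces, percent-decodes until the text stops changing, and lists every host embedded in the link. The function names are hypothetical, and the two-label "base domain" comparison is a simplifying assumption.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# The link quoted in the post, copied with the poster's added spaces intact.
SAMPLE = (
    "https://signin.ebay.com/ws/eBayISAPI.dll?"
    "SignIn&UsingSSL=1&pUserId=&co_partnerId=2&siteid=0&ru=http%3A%2F% 2Fcgi4.ebay.com"
    "%2Fws%2FeBayISAPI.dll?MfcISAPICommand% 3dRedirectToDomain% 26DomainUrl="
    "http%3A%2F%2F62.193.217.91% 2FeBayISAPI.php&pageType=1883"
)

URL_RE = re.compile(r"https?://[^\s&\"'<>]+", re.IGNORECASE)

def fully_decode(text, max_rounds=5):
    """Drop whitespace, then percent-decode repeatedly until nothing changes."""
    text = "".join(text.split())
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def embedded_hosts(url):
    """Hosts of every URL found inside the decoded link, in order of appearance."""
    hosts = []
    for match in URL_RE.finditer(fully_decode(url)):
        host = urlsplit(match.group(0)).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def base_domain(host):
    # Assumption: the last two labels approximate the registrable domain.
    return ".".join(host.split(".")[-2:])

def hidden_targets(url):
    """Embedded hosts that are raw IPs or fall outside the visible host's domain."""
    hosts = embedded_hosts(url)
    if not hosts:
        return []
    visible = base_domain(hosts[0])
    return [h for h in hosts[1:] if is_ip_literal(h) or base_domain(h) != visible]
```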

Actually, it looks like a minorly stale DNS entry.

66.135.192.87 is ebay’s ip address, which, when I type that into my browser, gives the exact error message that Sal complained about.

Ebay probably moved a server around and the change hasn’t properly propagated through the DNS network yet.

However, you were right to think that this could be a browser hijack. If a malicious program changes the “hosts” file on your system, web addresses will resolve to whatever the attacker wants them to. Here’s a page on how hosts files work. Another way that this type of hijack can be done is for attackers to manage to take control of one of the top DNS servers. There’s not much you can do about the latter possibility, but it’s worth being aware of the danger.

I bet something is happening, just not a redirect. You’ve nearly certainly got a virus or malware.

Right, but shouldn’t “view source” reveal what that something is? To the point made by gotpasswords, I don’t see a convincing-looking URL when I hover the mouse. It’s that when I look at “view source,” I don’t see anything that nefarious looking.

I’m hoping that iamthewalrus(:3= is right – certainly the IP address cited yields the exact same message I’m getting. (And thanks for the link about hosts files).

For what it’s worth, we almost always use Firefox to cut down on spyware and malware, and we’re pretty aware of phishing attempts, since we get them almost daily.

Sal, the reason that nothing happens when you click on the ebay.com link in the redirect is that wherever your computer is getting its DNS information from does not have up to date information. You type in “www.ebay.com”, which gets translated to the above IP address with the redirect, but when you click on the link, you get the same translation. That could be in your hosts file, but it’s more likely to be the DNS server that your ISP sets up for you, or in some DNS cache somewhere.

If you see this for the link:


<p>The page you are looking for has been moved. If this page does not redirect you in 10 Secs,
please <a id="redirecturl" href="http://www.ebay.com/">click here</a>.</p>

when you view source, then it’s almost certainly not malware or hijacking, but just some confused DNS. Try clearing your browser’s cache, or possibly even rebooting your system. If you’re using a router that caches DNS requests, you might want to reboot/clear that too.

Or I could be completely wrong. :smack: The bad DNS entry sounds like a pretty good explanation.

Well, when I got home, I followed the suggestions – I cleared the cache in all three browsers, turned off the router, rebooted, and voila – the same problem.

On the redirect page, here’s what I see when I do “view source”:

//<html>
//<head>
//<meta http-equiv=“Content-Type” content=“text/html; charset=iso8859-1”>
//<meta name=“display” content=“noshow”>
//<title>eBay: Redirect</title>
//<noscript>
//<meta http-equiv=“refresh” content=“0;url=h-t-t-p://www.ebay.com/”>
//</noscript>
//</head>
//<body>
//<script src=“h-t-t-p://include.ebaystatic.com/js/v//ebaybase.js”></script>
//<script src=“h-t-t-p://include.ebaystatic.com/js/v//pages/redirect.js”></script>
//<p>The //page you are looking for has been moved. If this page does not redirect you in //10 Secs,
//please <a id=“redirecturl” href=“h-t-t-p://www.ebay.com/”>click here</a>.</p>
//<script src=“h-t-t-p://include.ebaystatic.com/js/v//ebayfooter.js”></script>
//</body>
//</html>

(The only change I’ve made here is to put hyphens within “http” so the hyperlinks won’t show.) Does anyone see anything not-so-innocent in that code? Does it still look like a DNS problem, or a hijack? Most mystifying to me. (And thanks for all the suggestions received so far.)

Hold the presses – I’ve just solved the problem. Pursuing a suggestion made by iamthewalrus, I opened my hosts page up, and deleted the ebay entry. Actually, it was one of only two entries.

Still, even though that worked, I’m a bit puzzled about the whole thing – like how it happened, and why it’s never happened to me before. Could it still be a hijack?

I’m not sure how ebay could have gotten into your hosts file if you didn’t put it in there yourself (which isn’t to say that it couldn’t happen; just that I don’t know what to check for). Is it possible that you installed a 3rd party ebay bidding tool (or an ebay brand one) at one point? That might have put it in there.

Either way, definitely not a hijack. The ip you went to was owned by ebay, it just wasn’t what they have as their main site anymore. It looks like they were just changing some stuff around and you had an out of date hosts file.
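The hosts-file check that resolved this thread, written out as an added example that is not part of any post above: it lists names pinned to a non-loopback address and compares each pin with what DNS returns. The hosts content and the DNS answers are constructed samples (192.0.2.10 is a documentation address standing in for the current answer), and the function names are hypothetical.

```python
import ipaddress

# Constructed sample modelled on the thread: a localhost line plus one pinned entry.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1      localhost
66.135.192.87  www.ebay.com ebay.com   # pinned entry
"""

# Constructed stand-in for answers obtained by querying a DNS server directly.
SAMPLE_DNS = {"www.ebay.com": {"192.0.2.10"}, "ebay.com": {"192.0.2.10"}}

def parse_hosts(text):
    """Yield (ip, name) pairs, skipping comments, blanks and malformed lines."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.lower().rstrip(".")

def hosts_overrides(text):
    """Names pinned to a non-loopback address, keeping the first entry seen."""
    pinned = {}
    for ip, name in parse_hosts(text):
        # Assumption: loopback/unspecified lines are localhost or blocklist entries.
        if ip.is_loopback or ip.is_unspecified:
            continue
        pinned.setdefault(name, str(ip))
    return pinned

def audit(text, dns_answers):
    """Classify each pinned name against the DNS answers supplied for it."""
    report = {}
    for name, ip in hosts_overrides(text).items():
        answers = dns_answers.get(name)
        if answers is None:
            report[name] = (ip, "no DNS answer to compare")
        elif ip in answers:
            report[name] = (ip, "matches DNS")
        else:
            report[name] = (ip, "differs from DNS")
    return report
```

For a live check, the DNS answers have to come from a query sent straight to a DNS server, because the operating system's normal name lookup consults the hosts file first and would simply echo the pinned address.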