Check my DNS problem theory.

I have an apparent case of DNS poisoning and I need help in thinking this through.

The problem...

A day ago, after using google in the morning, I tried to use google that afternoon but was redirected to a Chinese page. Google Maps and YouTube do the same thing. The problem is solid, except that on occasion I get the message that the page won't load because the server issued a reset.

Plus, any google link on any other website also resolves to that illegal site. Every Mac in the house does the same thing.

I assumed that the problem was with my provider (a broadcast wireless ISP) and their DNS. To bypass them, I set up a static address on the Mac and changed the DNS in my machine to 8.8.8.8 (and some others afterward). I turned off the radio router to flush it, cleared everything out of Chrome and restarted it, issued a flush cache at the command line. I then had a single Mac, connected directly to the router with nothing else in between.

Same problem. Tried Safari and got the same result. Downloaded Opera and tried it. Same.

I assume that something at the ISP's server is intercepting me and rerouting. I don't think it could be my Mac. (Three of them and an iPad, all doing the same thing.)

So why haven't I called the ISP? I will tomorrow but both days I got home too late to call. (Small outfit - 8 to 5)

Anybody see any holes in my theory? One thing that is bothering me is that everybody on this ISP should have called in today and raised cain, but nothing on their website, nor their phone message indicates a problem. And they are pretty good about leaving a message on their phone when this tower or that is having problems.

Ironically, the google map on their web site displays the Chinese pollution.

????
 
OP
cptkrf
More information.

Even using the raw IP of 74.125.227.101 still gets the Chinese page. This is telling me something, but I haven't figured out what, yet.
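
Added example, not written by any poster in this thread: the two tests described in the posts above (switching resolvers, then going to the address directly) made conclusive by asking each resolver for its A records and then checking whether the host at each returned address presents a valid TLS certificate for the name. The `triage` labels and the observations in `SAMPLE` are constructed for illustration; `resolve_via` and `tls_identity_ok` need live network access.

```python
import socket, ssl, struct

def build_query(name):
    """DNS query for the A record of `name`, recursion desired."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)

def skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:   # stop at root label or compression pointer
        off += msg[off] + 1
    return off + (2 if msg[off] else 1)           # pointer is 2 bytes, root label is 1

def parse_a_records(msg):
    """IPv4 addresses from the answer section of a DNS reply."""
    qdcount, ancount = struct.unpack(">HH", msg[4:8])
    off, addrs = 12, []
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4             # QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off) + 10            # TYPE, CLASS, TTL, RDLENGTH
        rtype, rdlen = struct.unpack(">H6xH", msg[off - 10:off])
        if rtype == 1 and rdlen == 4:             # A record
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def resolve_via(resolver, name, timeout=3.0):
    """Ask one resolver directly over UDP, bypassing OS settings (live network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        return parse_a_records(s.recv(4096))

def tls_identity_ok(ip, hostname, timeout=5.0):
    """True if the host answering at `ip` proves it is `hostname` (live network)."""
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as raw:
            with ssl.create_default_context().wrap_socket(raw, server_hostname=hostname):
                return True
    except OSError:                               # ssl.SSLError, timeout, refused
        return False

def triage(answers, identity_ok):
    """answers {resolver: [ips]}, identity_ok {ip: bool} -> clean | resolver | path."""
    bad = {r for r, ips in answers.items() if not all(identity_ok[ip] for ip in ips)}
    return "clean" if not bad else "path" if bad == set(answers) else "resolver"

# Constructed observations: both resolvers return the address quoted in the thread; it fails the check.
SAMPLE = triage({"isp": ["74.125.227.101"], "8.8.8.8": ["74.125.227.101"]},
                {"74.125.227.101": False})
```

Large sites legitimately hand out different addresses to different resolvers, so `triage` judges each address by its certificate instead of comparing answer sets. Plain UDP queries to a public resolver still cross the same upstream path, which is why a clean-looking answer from 8.8.8.8 does not clear the network on its own.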
 

chscag

Follow the directions given at this LINK. You could possibly have been infected with the DNS Changer Trojan.
 
OP
cptkrf
Thanks, but that wasn't it. Nothing was detected.

But, I didn't have hopes of it working. I am very careful about what gets installed and any time the box pops up asking for permission to install something, that is always a red flag.

But, the clincher that I didn't think of at the time, is that I also have an up-to-date Debian box, with a minimum load of software that I only use for programming. Cranking up Lynx - the old text-only browser - I still get repointed to the Chinese site.

The idea that someone spent the time writing a crack for an ancient text browser that 99.99 percent of the world doesn't even know exists is pretty unbelievable.
 
OP
cptkrf
One last item that is the clincher. I am sending this from an Internet cafe and google works fine. Time to beat up on my ISP when they come in for the day.

Possibly a good idea would be to recommend that they dump that Windows server farm for something that isn't the equivalent of a submarine with a screen door.

But I will wait till they fix my problem before ticking off their Sertified Sistems Ingineear.
 

chscag

Yeah, it sure appears as if your ISP has somehow been infected. It's hard to get them (any ISP) to admit they have a problem. Speak to someone higher up in their food chain until you get through to them. After reading what you've done and it not being the DNS Changer Trojan, I can only come to the conclusion that your ISP has been hacked.

Let us know how this turns out.
 

vansmith

Given the extensive testing with different machines and OSes, this is something that is surely going on with your ISP. Stupid question (perhaps) - have you tried unplugging the router and connecting one machine directly into the modem to test it? I only ask since, if no one else called it, it might still be something on your end and that would appear to be the only device that hasn't been eliminated from your equation.

By the way, I removed the link to the redirect page - no point including it here for us. ;)
 
OP
cptkrf
Coda:

It isn't with my equipment. When I reported the problem this morning, I just happened to get an employee who knows me. As it turns out, they had been getting calls trickling in about a weird Chinese page that was showing up, but just assumed that it was some popular website that was hosed somewhere. When I called in with technical info, they began to look at it. A lot. All day. Finally, they called and asked if a tech could come to my house and connect his laptop. Turns out it was the owner of the company and apparently having problems believing what I was telling him, no matter how technical I sounded.

Sure enough, he plugged in a Win 7 Thinkpad and got mush instead of google. That got the whole tech department working on it and finally found a router somewhere that they couldn't get into - wrong password or id. Of course, that was an immediate red flag. Turns out that it was hacked. They took it off line and google access came back.

Like I have always preached - the size and complexity of your password needs to be larger than the square of the amount of money that you don't want to lose.
 

chscag

Thanks for posting back. I think you ought to prod the owner to give you a year's free high speed access for doing their work. ;)
 
