Searchguide - perennial P.I.T.A (linux) (SOLVED)

Grumpus
Posts: 13239
Joined: October 19th, 2007, 4:23 am
Location: ... Da' Swamp

Searchguide - perennial P.I.T.A (linux) (SOLVED)

Post by Grumpus »

My guess is this is something from my ISP more than something from the Linux Mint install but . . .
198.105.240.0/198.105.255.255 is the range which needs to be blocked on ports 80,139,443 and 445.
I'm noting this because during the early stages of a new Linux Mint 18.2 Mate setup there was an endless stream of hits on the 139 and 445 ports.
It's amazing how obnoxious these weasels can be, and it would be good if someone closed them down, as they attempt to act as a man in the middle search when someone places anything in some form of search process which is not recognized or controlled by a normal process. In some cases the whois which comes with the gnome-nettools package has even been affected, and searchguide should in no way be affecting that program.
Just a heads up if you want to dump them,
http 80/tcp www # WorldWideWeb HTTP
netbios-ssn 139/tcp # NETBIOS session service
microsoft-ds 445/tcp # Microsoft Naked CIFS
https 443/tcp # http protocol over TLS/SSL
Last edited by Grumpus on July 20th, 2018, 5:41 am, edited 1 time in total.
Doesn't matter what you say, it's wrong for a toaster to walk around the house and talk to you
mightyglydd
Posts: 9813
Joined: November 4th, 2006, 7:07 pm
Location: Hollywood Ca.

Re: Searchguide - perennial P.I.T.A (linux)

Post by mightyglydd »

Grumpus wrote: It's amazing how obnoxious these weasels can be
#KeepFightingMichael and Alex.
Grumpus
Posts: 13239
Joined: October 19th, 2007, 4:23 am
Location: ... Da' Swamp

Re: Searchguide - perennial P.I.T.A (linux)

Post by Grumpus »

This is getting really bad with the interruptions of connection from searchguide.com and searchguideinc.com.
IPs appear to be 198.105.244.64 and 198.105.254.64, out of Colorado, but there may be more.
Signals are coming through lax1.he.net, ash1.he.net and nyc5.he.net.
Secure sites which I have bookmarked, checked and double checked are being interrupted, delayed and redirected to bogus sites by searchguide. Indications of the redirects are missing controls or failures in visual changes once certain information is entered.
I've seen a similar issue here in the 'zine with a bogus page missing some of the controls.
It appears they are blowing past most protections and are faking their actual IPs.
This is occurring whether Firefox is open or not now, and I believe it may be compromised beyond the maintainers'/authors' capabilities and appears to be expanding.


Mighty - Please remove the dopey cat gif?

PS: 176.58.90.154 apparently dislikes my post.
Grumpus
Posts: 13239
Joined: October 19th, 2007, 4:23 am
Location: ... Da' Swamp

Re: Searchguide - perennial P.I.T.A (linux) (SOLVED)

Post by Grumpus »

Keep in mind this is mostly conjecture and . . .
. . . not a stake-through-its-heart solution, but hopefully not tinfoil pipedreams; you judge.
All of this information, as meager as it is, comes from some recent experiences. My ISP has been really slow lately, as low as 5KB/sec when theoretically it should be between 1440KB/sec and 440KB/sec. Sometimes in the past, early on Sundays I'd get 250KB/sec when everyone was asleep, now I'm lucky to get 20-30KB/sec in off hours, if such a time exists anymore.

As far as I can tell this is a network issue more than a user issue.
Apparently a number of networks use a form of Searchguide in one way or another, BUT. . .
. . . there appears to be room for a great deal of abuse.
From what I've been able to determine if a connection is slow in finding a bookmark or address input manually
typed in to the navigation bar, the network directs the user to the searchguide process.
This may seem to be helpful but only if searchguide functions honorably.
The problems arise when searchguide, compromised or working off old information,
sends the browser to a bogus or spoofed page.
Usually there is an indication, missing controls or the wrong or older format page.
It may seem your computer is calling out to the IPs of searchguide but in most cases it is your ISP which is redirected because of a slow or hard to find connection.
In some cases simply blocking the IPs will keep things somewhat stable, and, guessing here, it may be how Google maintains its protections, with the constant updating of IPs to block from outdated or bogus pages, but even Google can be replaced by searchguide if the connection is slow.
The following IPs are searchguide in various forms and . . .
198.105.244.11 198.105.244.13 198.105.244.19 198.105.244.21 198.105.244.24
198.105.244.64 198.105.244.70 198.105.244.74 198.105.244.111 198.105.244.114
198.105.244.120 198.105.244.130 198.105.244.228 198.105.254.11 198.105.254.19
198.105.254.23 198.105.254.24 198.105.254.54 198.105.254.63 198.105.254.64 198.105.254.65

. . . the domains listed are some of those where the problem is pretty bad.
searchguideinc.com; searchguide.level3.com; searchguide.com; hostvirtual.com; vrdns.co.uk; vrdns.info
vrdns.com; netactuate.com; lax2.he.net; lax1.he.net; hyp.net; zayo.net; zayo.com;
core1.nyc5.he.net; he.net; core1.ash1.he.net; core2.ash1.he.net; eth.zayo.com; vr.org; varnish.org

These connections and URLs were found during traces when the IP for one of the various searchguides showed in a traffic monitor.
As stated, most of this is conjecture, but if the domains are deploying searchguide it may be due to inattention and not purposeful.
There are also sites, advertising mostly, which are on some of the URLs above and some on various cloud providers.
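A defender-side check for the two things this thread describes, the address range the first post says to block and the redirect-on-failed-lookup behaviour the last post describes. This is an added example, not code from the thread or from any Searchguide operator; it assumes only the Python 3 standard library, treats 198.105.240.0 - 198.105.255.255 as the /20 it is, and uses a random name under the reserved .invalid TLD (which can never legitimately resolve) as the probe.

```python
import ipaddress
import secrets
import socket
from typing import Callable, List, Optional

# Range quoted in the first post: 198.105.240.0 - 198.105.255.255, i.e. one /20.
SEARCHGUIDE_RANGE = ipaddress.ip_network("198.105.240.0/20")


def in_searchguide_range(ip: str) -> bool:
    """True if an address falls inside the range the first post says to block."""
    return ipaddress.ip_address(ip) in SEARCHGUIDE_RANGE


def nxdomain_probe_name() -> str:
    """Random label under .invalid (reserved by RFC 2606). A correct resolver must
    answer NXDOMAIN for it, so any address that comes back is a redirect."""
    return f"probe-{secrets.token_hex(8)}.invalid"


def classify_lookup(answers: List[str]) -> str:
    """Classify the answers a resolver returned for a name that cannot exist."""
    if not answers:
        return "clean"
    if any(in_searchguide_range(a) for a in answers):
        return "hijacked-searchguide"
    return "hijacked-unknown"


def system_resolve(name: str) -> List[str]:
    """Resolve via the OS stub resolver; NXDOMAIN surfaces as gaierror -> []."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except socket.gaierror:
        return []


def check_dns_hijack(resolve: Optional[Callable[[str], List[str]]] = None) -> str:
    """Run one probe through the given resolver (default: the system resolver).
    Passing a resolver in makes the check testable offline."""
    resolve = resolve or system_resolve
    return classify_lookup(resolve(nxdomain_probe_name()))


if __name__ == "__main__":
    # Live check against whatever resolver /etc/resolv.conf points at.
    print(check_dns_hijack())
```

Run it on the affected machine: "hijacked-searchguide" means the resolver in use is handing back an address in the blocked range for a name that does not exist, which is the behaviour the last post describes; "hijacked-unknown" means some other redirect target is in play.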