Partly because it is HTTPS and partly because hack only appears in a url on the page.
This might answer if it is the result of the site, or the site content. Like for some reason LionLink is filtering based on the content on the page.
This is what is actually happening. Virgin Media peers with Cogent. Virgin prefers routes from peers over transit. Cogent is turrible at provisioning and filtering, and is a large international transit provider.
Let's look at the route from Cogent's perspective:
BGP routing table entry for 199.58.210.0/24, version 2031309347
Paths: (1 available, best #1, table Default-IP-Routing-Table)
54098 11557 4436 40015 54876
38.122.66.186 (metric 10105011) from 154.54.66.76 (154.54.66.76)
Origin incomplete, metric 0, localpref 130, valid, internal, best
Community: 174:3092 174:10031 174:20999 174:21001 174:22013
If Cogent was competent at filtering, they'd never learn a route transiting 4436 via a customer port in the first place, but most likely someone at Lionlink (54098) is leaking from one of their transit providers (Sidera, 11557) to another (Cogent, 174).

Also, traffic passing through Switzerland is a red herring -- the poster is using a geoip database to look up where a Cogent router is. GeoIP databases are typically populated by user activity, e.g., mobile devices phoning home to get wifi-based location, credit card txns, etc. None of this traffic comes from a ptp interface address on a core router. GeoIP databases tend to have a resolution of about a /24, whereas infrastructure netblocks tend to be chopped up into /30s or /31s for ptp links and /32s for loopbacks, so two adjacent /32s could physically be located in wildly different parts of the world. More than likely, that IP address was previously assigned to a customer. The more accurate source of information would be the router's hostname, which clearly indicates that it is in London. The handoff between Virgin and Cogent almost certainly happens at Telehouse in the Docklands.
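The leak pattern described above (a customer re-announcing a route it learned from one of its own transit providers) is exactly what a valley-free check catches. The following is an added example, not code from the thread or from any of the networks mentioned: it parses a BGP entry shaped like the one quoted, then walks the AS path from the origin back to the viewpoint AS and reports the AS that violated the valley-free rule. Only the facts named in the thread (174 = Cogent learning on a customer port from 54098, and 11557 = Sidera being a transit of 54098) are taken from the page; the remaining AS relationships in the table are constructed so the example runs offline.

```python
"""Valley-free (route-leak) check over a 'show ip bgp' style entry.

Added illustration. Relationship data is partly from the thread and partly
assumed; see the comments on RELATIONSHIPS.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, shaped like the BGP entry quoted in the thread.
SAMPLE_ENTRY = """\
BGP routing table entry for 199.58.210.0/24, version 2031309347
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  54098 11557 4436 40015 54876
    38.122.66.186 (metric 10105011) from 154.54.66.76 (154.54.66.76)
      Origin incomplete, metric 0, localpref 130, valid, internal, best
      Community: 174:3092 174:10031 174:20999 174:21001 174:22013
"""

LOCAL_ASN = 174  # viewpoint AS (Cogent in the thread)

# Key (receiver, sender) as the pair appears left-to-right in the AS path;
# value is what `sender` is *to* `receiver`. The first two entries follow
# the thread; the others are assumed for the example.
RELATIONSHIPS: Dict[Tuple[int, int], str] = {
    (174, 54098): "customer",    # thread: route learned on a customer port
    (54098, 11557): "provider",  # thread: Sidera is a LionLink transit
    (11557, 4436): "peer",       # assumed
    (4436, 40015): "customer",   # assumed
    (40015, 54876): "customer",  # assumed
}


def parse_entry(text: str) -> dict:
    """Extract prefix, AS path and communities from a 'show ip bgp' entry."""
    prefix = re.search(r"BGP routing table entry for (\S+),", text).group(1)
    as_path: Optional[List[int]] = None
    communities: List[str] = []
    for line in text.splitlines():
        stripped = line.strip()
        # The AS path is the first line consisting only of ASNs.
        if as_path is None and re.fullmatch(r"(\d+\s*)+", stripped):
            as_path = [int(x) for x in stripped.split()]
        elif stripped.startswith("Community:"):
            communities = stripped.split(":", 1)[1].split()
    return {"prefix": prefix, "as_path": as_path or [], "communities": communities}


def find_route_leak(local_asn: int, as_path: List[int],
                    relationships: Dict[Tuple[int, int], str]) -> Optional[int]:
    """Return the ASN that leaked the route, or None if the path is valley-free.

    Walking from the origin towards local_asn, a valid path climbs through
    customer links, crosses at most one peer link, then only descends through
    provider links. Any climb (or second peer link) after that is a leak by the
    AS that forwarded the route.
    """
    hops = [local_asn] + as_path
    pairs = list(zip(hops, hops[1:]))[::-1]  # (receiver, sender), origin first
    phase = "up"
    for receiver, sender in pairs:
        rel = relationships.get((receiver, sender))
        if rel is None:
            raise KeyError(f"no relationship recorded for {receiver} <- {sender}")
        if rel == "customer":            # sender announced to its provider
            if phase != "up":
                return sender            # sent a peer/provider route upstream
        elif rel == "peer":              # sender announced to a peer
            if phase != "up":
                return sender            # sent a peer/provider route to a peer
            phase = "peer"
        else:                            # provider announced down to a customer
            phase = "down"
    return None


def analyse(text: str, local_asn: int = LOCAL_ASN,
            relationships: Dict[Tuple[int, int], str] = RELATIONSHIPS) -> dict:
    """Parse an entry and attach the leak verdict."""
    entry = parse_entry(text)
    entry["leaked_by"] = find_route_leak(local_asn, entry["as_path"], relationships)
    return entry


if __name__ == "__main__":
    result = analyse(SAMPLE_ENTRY)
    print(f"{result['prefix']} path {result['as_path']} leaked_by={result['leaked_by']}")
```

With the sample entry this flags 54098 as the leaking AS, which matches the explanation above: it received the route from its provider 11557 and then passed it to another provider, 174. A transit network applying the same rule at ingress on customer sessions would have rejected the path before it was ever preferred over the direct Virgin peering.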
If someone were, in fact, trying to intercept your traffic, they could almost certainly do so without you noticing (at least at layer 3.)
Then again, doing it like here would give them plausible deniability ("what? we? tracking? no, someone misconfigured a router."). Or maybe, given how those sites visibly disappear, it is an example of Zersetzung[0]?
Welcome to post-Snowden world. We just cut ourselves with Ockham's razor and now are bleeding paranoid.
Could this be a botched poor man's wiretap? i.e., traffic sent to a black-listed domain gets transparently routed to an adversarial middle host, who is intended to eventually forward it on to the original destination, but in this case someone misconfigured the wiretap, causing traffic to get lost. (/tinfoil hat)
I'd like to see the tracert for other hosts near the same destination.
However not a single IP in the range 199.58.210.0/24 responds to ICMP or TCP probes. My only guess is this is more likely a faulty or misconfig router.
# Dirty TCP check
nmap -v -Pn -p 80 199.58.210.0/24
# Dirty ICMP check (1 means failure, 0 means success)
for i in {1..254}; do echo -n "199.58.210.$i "; ping -c2 "199.58.210.$i" >/dev/null 2>/dev/null; echo " $?"; done
http://community.virginmedia.com/t5/Up-to-120Mb-Setup-Equipm...
He should run that 45 min internet scan through his home network and diff with his work network, get a list of all the sites that have this behavior. Alternatively he could write a script to ping his bookmarks or browser history, that would probably take less time.