Gentoo Forums
Something rotten in Denmark...
Forum: Gentoo Forums Feedback
Curious (Bodhisattva)
Joined: 13 May 2002 | Posts: 395 | Location: Sydney, Australia
Posted: Mon Oct 28, 2002 4:21 am    Post subject: Something rotten in Denmark...

Something really weird is going on at the moment. If I try to browse to forums.gentoo.org, I get a Topclicks.net page with the title "Gentoo.Org". If I access the forum by IP, it works fine.

Talking with sev, this doesn't seem to happen to him. Help me! I am confused!

-- Curious
_________________
Are you down with the Hawk?
Curious (Bodhisattva)
Joined: 13 May 2002 | Posts: 395 | Location: Sydney, Australia
Posted: Mon Oct 28, 2002 4:23 am

Possibly even more amazing, all the links on the page are relative. So there are links to https://forums.gentoo.org/data/Online Casino/index.html, https://forums.gentoo.org/data/Wedding flower/index.html, etc...

-- Curious
Mnemia (Guru)
Joined: 17 May 2002 | Posts: 476
Posted: Mon Oct 28, 2002 4:47 am

That almost sounds like some sort of spyware that is intercepting your browser's requests. This isn't on a Windows box is it?
Curious (Bodhisattva)
Joined: 13 May 2002 | Posts: 395 | Location: Sydney, Australia
Posted: Mon Oct 28, 2002 4:55 am

Yeah, that was my first thought. It's a horrible Win2K box that I use for testing at work. I'm currently tearing it apart, looking for Evil (TM).

But then I thought: pretty poorly coded, seeing as it produces a set of links that go nowhere. And for that matter, it only affects forums.gentoo.org, and not any other webpage...

On a hunch I just did something: trying to resolve forums.gentoo.org on this box gives "64.246.28.230", while the actual IP of the forums is "66.250.107.251".

It looks like either my company or Gentoo.org is looking down the barrel of a DNS misconfiguration / hijack.

-- Curious
klieber (Administrator)
Joined: 17 Apr 2002 | Posts: 3657 | Location: San Francisco, CA
Posted: Mon Oct 28, 2002 5:50 pm

Curious wrote:
On a hunch I just did something: trying to resolve forums.gentoo.org on this box gives "64.246.28.230", while the actual IP of the forums is "66.250.107.251".

It looks like either my company or Gentoo.org is looking down the barrel of a DNS misconfiguration / hijack.

Can you try accessing the forums from another box on your corporate LAN? My guess is you've simply got some nasty spyware installed. I double-checked the name servers for *.gentoo.org and all appears to be well there, so I'd say this is a problem on your end somewhere.

If you continue to have problems, send me a PM and I'll help you track the issue down. (just in case this problem exists at a higher level.)

Also, if anyone else notices similar behavior, please send me a PM immediately.

--kurt
_________________
The problem with political jokes is that they get elected
Mnemia (Guru)
Joined: 17 May 2002 | Posts: 476
Posted: Mon Oct 28, 2002 7:46 pm

Have you tried running Adaware on that machine? I know for a fact that there are quite a few spyware programs that can take over your browser completely like that, especially if it's IE. I imagine it's possible for the stuff to work at a lower level too, though, and actually sit on top of the TCP/IP stack stealing traffic from other sites. What a load of garbage... I can't believe that kind of thing isn't illegal.
Curious (Bodhisattva)
Joined: 13 May 2002 | Posts: 395 | Location: Sydney, Australia
Posted: Mon Oct 28, 2002 10:29 pm

Well, this morning, after running Adaware on it, things seem to have improved. The weird thing is, Adaware only found one suspicious item: a key for an "Alexa" extension in IE.

How IE would affect name resolution, I have no idea.

-- Curious
klieber (Administrator)
Joined: 17 Apr 2002 | Posts: 3657 | Location: San Francisco, CA
Posted: Mon Oct 28, 2002 10:40 pm

Curious wrote:
How IE would affect name resolution, I have no idea.

The malware (Alexa, in this case) sits between IE and the part of the OS that handles name resolution. IE hands off a request to resolve "forums.gentoo.org" to an IP address -- Alexa intercepts that request and substitutes a bogus IP for the real one, hands it back to IE and IE happily sends you to the wrong site.

And no, this isn't IE's fault -- this could happen to any browser that gets the right kind of malware installed.

--kurt
Curious (Bodhisattva)
Joined: 13 May 2002 | Posts: 395 | Location: Sydney, Australia
Posted: Mon Oct 28, 2002 10:57 pm

klieber wrote:
sits between IE and the part of the OS that handles name resolution.

Fair enough. The part that puzzled me was that it was deeply enough rooted to change the resolution on the command line using ping and nslookup. I guess they do have runtime-loadable kernel modules after all. :-P

-- Curious
Curious (Bodhisattva)
Joined: 13 May 2002 | Posts: 395 | Location: Sydney, Australia
Posted: Mon Oct 28, 2002 11:33 pm

klieber wrote:
And no, this isn't IE's fault -- this could happen to any browser that gets the right kind of malware installed.

Another weird thing is that the key was in the IE registry...

But I only use Mozilla to browse on this machine.

-- Curious
Mnemia (Guru)
Joined: 17 May 2002 | Posts: 476
Posted: Mon Oct 28, 2002 11:51 pm

Curious wrote:
klieber wrote:
And no, this isn't IE's fault -- this could happen to any browser that gets the right kind of malware installed.


Another weird thing is that the key was in the IE registry...

But I only use Mozilla to browse on this machine.

-- Curious

I think that many Windows-based programs use IE to provide various functions (rendering, communication, etc.) for them. That includes spyware, so if Alexa was installed with some other software on the computer it could be using IE for some reason. It's also possible that this isn't really the source of the problem and that there is some other spyware program that Adaware doesn't have in its database.

The reason I brought up IE is just that it seems more of these malicious programs are targeted at doing things to it rather than the entire Windows installation including all browsers. I've barely seen any of these programs doing anything to Mozilla on Win2k, but I have non-computer-savvy friends whose IE has been so totally co-opted that it is a nightmare to use.
Curious (Bodhisattva)
Joined: 13 May 2002 | Posts: 395 | Location: Sydney, Australia
Posted: Tue Dec 10, 2002 7:12 am

The wheel of Ka spins onwards, and further weirdness comes to light.

This happened to me again yesterday, and not just on forums.gentoo.org, but on a variety of sites. Up came Ad-Aware; it showed nothing. I run a web proxy on my machine to bypass the IE-only proxy here, so I was wondering if that was the cause. It didn't appear to be.

Grabbed a laptop out of my case (this one running BeOS) and tried to access the forums - it happened again. In NetPositive, on BeOS. DNS is still resolving correctly, so I go and talk to another engineer - it turns out that there have been unconfirmed reports of the same thing from people all over the company, who all share this common HTTP proxy, but everyone in tech had dismissed it as user error.

Now I need to find a way to explain to the people at the Melbourne NOC that there might be something fishy about our proxy. This will be entertaining.

-- Curious
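The thread ends up doing a layered diagnosis by hand: first compare what the suspect box's resolver returns against the real address (Curious's October post), then, once DNS checks out everywhere, compare a page fetched by name through the shared HTTP proxy against one fetched directly (the December post). The script below is an added example, not code from the thread or from Gentoo, that encodes that triangulation so it can be run against captured nslookup output and page bodies. Only the two IP addresses are taken from the thread; the resolver names, the nslookup text, the HTML bodies, and the expected page title are constructed assumptions.

```python
import re

# Constructed sample inputs (added example; not from the thread). The two
# forum addresses are the ones Curious quoted; the resolver names, the
# nslookup text, the HTML and the expected title are assumptions.
NSLOOKUP_SUSPECT_BOX = """Server:  corpdns.example.internal
Address:  10.1.1.53

Non-authoritative answer:
Name:    forums.gentoo.org
Address:  64.246.28.230
"""

NSLOOKUP_TRUSTED = """Server:  ns.example.net
Address:  198.51.100.10

Name:    forums.gentoo.org
Address:  66.250.107.251
"""

HIJACK_PAGE = ('<html><head><title>Gentoo.Org</title></head>'
               '<body><a href="data/Online Casino/index.html">Online Casino</a></body></html>')
REAL_PAGE = "<html><head><title>Gentoo Forums :: Index</title></head><body>...</body></html>"
EXPECTED_TITLE = "Gentoo Forums :: Index"   # assumed; use whatever the real site serves


def parse_nslookup(output: str) -> list[str]:
    """Return the answer addresses from nslookup output (Windows 2000 and
    BIND nslookup both print this shape), skipping the Server:/Address:
    header that names the resolver itself rather than the answer."""
    addrs, in_answer = [], False
    for line in output.splitlines():
        stripped = line.strip()
        if stripped.startswith("Name:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        m = re.match(r"Address(?:es)?:\s*(\S+)", stripped)
        if m:
            addrs.append(m.group(1))
        elif re.fullmatch(r"[0-9a-fA-F:.]+", stripped):
            addrs.append(stripped)          # continuation line under "Addresses:"
    return addrs


def page_title(html: str) -> str:
    """Extract and whitespace-normalise the <title> of a fetched page."""
    m = re.search(r"<title>(.*?)</title>", html, re.I | re.S)
    return re.sub(r"\s+", " ", m.group(1)).strip() if m else ""


def classify(local_ips, trusted_ips, direct_html, proxy_html,
             expected_title=EXPECTED_TITLE) -> str:
    """Locate the layer at which the request is being intercepted.

    local_ips    answers from the suspect box's own resolver (nslookup, ping)
    trusted_ips  answers from the authoritative server or a known-good resolver
    direct_html  page fetched straight from a trusted IP with the right Host:
                 header, bypassing any proxy
    proxy_html   page fetched by name through the shared HTTP proxy
    """
    if not local_ips:
        return "dns-resolution-failed"
    if not set(local_ips) & set(trusted_ips):
        return "dns-hijack-local"        # resolver/hosts layer on this box or its DNS server
    if page_title(direct_html) != expected_title:
        return "upstream-or-server"      # even a direct fetch is wrong: look beyond the LAN
    if page_title(proxy_html) != expected_title:
        return "http-proxy-hijack"       # DNS is honest; the proxy is serving the substitute
    return "clean"


def october_case() -> str:
    """Curious's first report: this one box resolves the wrong address."""
    return classify(parse_nslookup(NSLOOKUP_SUSPECT_BOX),
                    parse_nslookup(NSLOOKUP_TRUSTED), REAL_PAGE, HIJACK_PAGE)


def december_case() -> str:
    """Second round: DNS is right everywhere, a BeOS laptop sees it too,
    and everyone behind the shared proxy gets the bogus page."""
    good = parse_nslookup(NSLOOKUP_TRUSTED)
    return classify(good, good, REAL_PAGE, HIJACK_PAGE)


if __name__ == "__main__":
    print("October:", october_case())
    print("December:", december_case())
```

The order of the checks matters: a DNS mismatch is tested first because a bad answer from the local resolver explains everything downstream, and the direct fetch (by trusted IP, with the proxy bypassed) is tested before the proxied fetch so that a problem at the site or on the network path is not blamed on the proxy. In practice the "direct" fetch has to come from a machine that is not itself behind the suspect proxy, otherwise the two fetches are not independent.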
pilla (Administrator)
Joined: 07 Aug 2002 | Posts: 7216 | Location: Pelotas, BR
Posted: Tue Dec 10, 2002 7:39 pm

Are you using a Win server as proxy?
absinthe (Retired Dev)
Joined: 06 Oct 2002 | Posts: 111 | Location: San Francisco, CA, USA
Posted: Wed Dec 18, 2002 5:11 pm

I don't see why it's necessary to pick on Denmark here. The Danish are our friends. :D

Speaking of danish, I could murder a pastry right now...