Something rotten in Denmark...

[Curious]

Something really weird is going on at the moment. If I try and browse to forums.gentoo.org, I get a Topclicks.net page with a title of "Gentoo.Org". If I access the forum by I.P., it works fine.

Talking with sev, this doesn't seem to happen to him. Help me! I am confused!

-- Curious
_________________
Are you down with the Hawk?

[Curious]

Possibly even more amazing, all the links on the page are relative. So there are links to https://forums.gentoo.org/data/Online Casino/index.html, https://forums.gentoo.org/data/Wedding flower/index.html, etc...

-- Curious
_________________
Are you down with the Hawk?

[Mnemia]

That almost sounds like some sort of spyware that is intercepting your browser's requests. This isn't on a Windows box is it?

[Curious]

Yeah, that was my first thought. It's a horrible Win2K box that I use for testing at work. I'm currently tearing it apart, looking for Evil (TM).

But then I thought, Pretty poorly coded - seeing as it produces a set of links that go nowhere. And for that matter, that only affects forums.gentoo.org, and not any other webpage...

On a hunch I just did something - trying to resolve forums.gentoo.org on this box gives "64.246.28.230", while the actual IP of the forums is "66.250.107.251".

It looks like either my company, or Gentoo.org is looking down the barrel of a dns misconfiguration / hijack.

-- Curious
_________________
Are you down with the Hawk?

[klieber]

[Mnemia]

Have you tried running Adaware on that machine? I know for a fact that there are quite a few spyware programs that can take over your browser completely like that, especially if it's IE. I imagine it's possible for the stuff to work at a lower level too though and actually sit on top of the TCP/IP stack stealing traffic from other sites. What a load of garbage...I can't believe that kind of thing isn't illegal.

[Curious]

Well, this morning, after running Adaware on it, things seem to have improved. The weird thing is, Adaware only found one suspicious item - a key for an "Alexa" extension in IE.

How IE would affect name resolution, I have no idea.

-- Curious
_________________
Are you down with the Hawk?

[klieber]

[Curious]

[Curious]

[Mnemia]

[Curious]

The wheel of Ka spins onwards, and further weirdness comes to light.

This happened to me again yesterday, and not just on forums.gentoo.org, but a variety of sites. Up came Ad-Aware, it showed nothing. I run a web-proxy on my machine to bypass the IE only proxy here, so I was wondering if that was the cause. Didn't appear to be so.

Grabbed a laptop out of my case ( this one running BeOS ) and tried to access the forums - it happened again. In NetPositive, on BeOS. DNS is still resolving correctly, so I go and talk to another engineer - it turns out that there have been unconfirmed reports of the same thing from people all over the company, who all share this common HTTP proxy, but everyone in tech had dismissed it as user error.

Now I need to find a way to explain this to the people at the Melbourne NOC that there might be something fishy about our Proxy. This will be entertaining.

-- Curious
_________________
Are you down with the Hawk?

[pilla]

Are you using a Win server as proxy?

[absinthe]

I don't see why it's necessary to pick on Denmark here. The Danish are our friends.

Speaking of danish, I could murder a pastry right now...