Mods, if this needs to be in "Security", please move it.
Something very strange is going on.
A couple of times this evening when I have been reading LQ, and I click on a link I get a strange page relating to finance, credit cards and other dross.
It says it comes from www.linuxquestions.org according to my firefox browser address bar.
ping, whilst this is happening, and again after things have returned to normal shows this:
Code:
ping www.linuxquestions.org
PING www.linuxquestions.org (64.179.4.146) 56(84) bytes of data.
64 bytes from web2.linuxquestions.org (64.179.4.146): icmp_seq=1 ttl=43 time=89.7 ms
My specs: Kubuntu 6.0.6.1, kernel 2.6.15-28-386 Firefox 1.5.0.12. I am firewalled by my netgear DG834G.
My ISP is BT (UK)
Any ideas? Or is some new LQ "feature"? If so, may I say that I don't like it?
acid_kewpie,
Thanks from me.
I have followed the links you gave me above but I do not understand them.
I recognise this bit though:
Code:
The registrant of this domain maintains no relationship with third party
advertisers that may appear on this website. Reference to or the appearance of
any particular service or trade mark is not controlled by registrant and
does not constitute or imply its association, endorsement or recommendation.
It is lawyer-meaningless s**t.
When I look at the code from, supposedly, LQ (View Source, see code above) and follow this (picked at random) absurd link from this code:
I end up at LQ again, although it's not the LQ I am used to (It's currently pointing to a lot of posts from Jeremy, but this seems to be changing from minute to minute)
Wish I knew WTF was going on here.
My modem's lights are quiet, except when I am loading a page, so I don't think there is serious mischief, just someone trying stuff out maybe. If so, it looks bad, and I'd like it to be stopped.
Maybe it's my ISP's DNS ?
Nobody else seems to be complaining. So where do you suggest I start?
Perhaps this needs to be in "Security"?
I am not usually the one who calls for HELP ME! but I feel I need it now.
I wonder if LQ isn't having some more serious problems. Earlier today, the link from the main menu to Jeremy's Blog instead took me to a site featuring a variety of women suffering from Fabric Deficit Disorder. I don't think it was on my end, particularly since Jeremy was able to fix it after I dropped him an email.
Hangdog42,
Thanks. I now feel I am not alone, I just tried to post and it happened again (redirection to spam). This time I have saved the "View Source" file in case Jeremy / whoever needs it (it comes and goes & it's too big to post in its entirety). Wretched cl01ws045.lax.tciservers.com is there again, in an apparently commented field.
I am cross because I hate it when these bastards mess up my internet communication (I'm old enough to remember it when it was (D)ARPAnet, before spam, when only good people were there. Sigh) But "Fabric Deficit Disorder" made me laugh. Thanks.
This DNS failure / redirection mischief could have serious repercussions. Suppose I go to www.mybank.biz (as I have clicked links from within LQ), and instead of receiving the obviously rubbish "Credit Cards" site I am redirected to from an LQ apparent link I end up at a site that looks genuine for www.mybank.biz?
The browser's address bar looks OK ...
It's https, and it looks OK but it is not the site I wanted .... DNS is suddenly looking vulnerable, or am I mistaken?
I tried to post, and it happened once more.
One more try.
Grrrrr.
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 13,602
First, the blog issue is 100% unrelated to whatever this is. My blog is not hosted on the LQ infrastructure. I'm unable to replicate the issue you're reporting here and in fact cl01ws024.lax.tciservers.com doesn't even resolve for me. The more information you can get me on this, the better. The long LQ link you are referencing simply brings me to the LQ homepage. Is this happening to anyone else?
Jeremy,
Thanks for getting back so quickly.
I just tried the links again:
I tried to reload the page I had saved to disc, (File, save as, from firefox, then Open from konqueror, or firefox), The file saved had a .php extension. Firefox did not know what to do with it, konqueror opened it as a text .html file.
I have it in full if you'd like it, but it is too big to post here.
So I renamed it as .html and firefox opened it.
The text is there, but not (now) the images, and the link from my previous post @ #4 is now pointing back at LQ, a few minutes ago I was back at the spam page, I checked at the time.
But if you look at the L-O-N-G links in my post #4, it's not a usual LQ link, but it resolved to LQ (but, earlier, spam). LQ doesn't spell links like that. But it (sometimes) resolves to LQ, sometimes spam.
If you'd like me to email you the problem page .html / .php I'll happily do that. You have my email address.
If it sounds like I am incoherent, it is because I am furious. There's a blip on the radar that says "something not right", but the target is moving in real time.
Thanks for your help. Any further information I can supply, I will, if I can.
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 13,602
Is there ever a time while this was happening that LQ did not resolve to the proper IP for you? Feel free to email me the files and I'll take a closer look. Thanks again.
Jeremy,
I emailed you the html of the page that I was misdirected to.
I have your LQ IP as 64.179.4.146 With redirection and without.
There is (intermittent) mischief. Hangdog42 is the only one who has been able to corroborate this (and he lives in another Continent), maybe it is not my, or my ISP's problem.
Hope you can help sort this out.
Best wishes.
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 13,602
As mentioned, the issue Hangdog42 saw was 100% unrelated to anything you are seeing here. It was pertaining to a different site running on different servers. Thanks for the email, I'll take a look ASAP.
Thanks for following this up. You probably have better things to do.
If you go here: http://cl01ws024.lax.tciservers.com/ (which is referenced, apparently as a comment, in the html source code I emailed you) you'll see a similar page to the one I saw instead of LQ. I saw it more than once, but mischief came and went, and was difficult to capture.
The link http://cl01ws024.lax.tciservers.com/ has the same l-o-n-g random URLs that are in the page I sent you. But the page I sent you has LQ as the hostname. And it "worked" in that it displayed the spam page, although the URLs start with href="http://www.linuxquestions.org/index.php?Query=2USJ9jTS6GM0c2PsLPBlqzOnd......forever....
V-e-r-y long URLs -> Buffer overflow?
To be cheerful, it has not happened since. LQ is back to normal. But I am not pleased, and not blaming you! Just a "weirdness happened". Why & How?
Distribution: Slackware / Debian / *Ubuntu / Opensuse / Solaris uname: Brian Cooney
Posts: 503
Hi guys.
Just my .02C.... linuxquestions.org was first timing out, then redirecting me to another page too. Even when it timed out in my browser, I could ping it. I also ended up on some strange pages following some of the links from the site around the same time.
Unfortunately, I can replicate the problem with .org or .net right now, but linuxquestions.com is taking me to the wrong site.
It appears to me that what is happening here is a form of DNS spoofing. Here is an article that describes what I think is going on.
Jeremy, I don't know if you can actually fix this or not, but I have included a screenshot of what I am getting, ping replies, traceroute, and the code of the page I'm finding, for you to have a crack at it.
Code:
bash-3.1$ cat problem
ping -c 4 linuxquestions.org >> problem
PING linuxquestions.org (64.179.4.146) 56(84) bytes of data.
64 bytes from web2.linuxquestions.org (64.179.4.146): icmp_seq=1 ttl=47 time=26.0 ms
64 bytes from web2.linuxquestions.org (64.179.4.146): icmp_seq=2 ttl=47 time=25.1 ms
64 bytes from web2.linuxquestions.org (64.179.4.146): icmp_seq=3 ttl=47 time=26.7 ms
64 bytes from web2.linuxquestions.org (64.179.4.146): icmp_seq=4 ttl=47 time=25.7 ms
ping -c 4 linuxquestions.com >> problem
--- linuxquestions.org ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2997ms
rtt min/avg/max/mdev = 25.103/25.910/26.778/0.599 ms
PING linuxquestions.com (66.116.125.228) 56(84) bytes of data.
64 bytes from mdnh-43.las.marchex.com (66.116.125.228): icmp_seq=1 ttl=230 time=89.1 ms
64 bytes from mdnh-43.las.marchex.com (66.116.125.228): icmp_seq=2 ttl=230 time=85.7 ms
64 bytes from mdnh-43.las.marchex.com (66.116.125.228): icmp_seq=3 ttl=230 time=88.4 ms
64 bytes from mdnh-43.las.marchex.com (66.116.125.228): icmp_seq=4 ttl=230 time=90.4 ms
traceroute linuxquestions.com >> problem
--- linuxquestions.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 85.765/88.428/90.402/1.708 ms
1 DD-WRT (192.168.1.1) 0.778 ms 0.677 ms 0.661 ms
2 c-3-0-ubr03.hershey.pa.panjde.comcast.net (73.150.88.1) 7.133 ms 7.063 ms 8.965 ms
3 ge-6-3-ur01.hershey.pa.panjde.comcast.net (68.86.216.37) 10.051 ms 8.472 ms 11.482 ms
4 te-9-1-ur02.lowerpaxton.pa.panjde.comcast.net (68.86.208.201) 9.942 ms 9.747 ms 7.844 ms
5 te-9-1-ur01.lowerpaxton.pa.panjde.comcast.net (68.86.208.197) 9.556 ms 8.365 ms 11.487 ms
6 te-8-1-ar01.lowerpaxton.pa.panjde.comcast.net (68.86.208.193) 24.562 ms 11.395 ms 8.526 ms
7 po-10-ar01.ivyland.pa.panjde.comcast.net (68.86.208.46) 13.555 ms 10.894 ms 11.951 ms
8 po-10-ar01.verona.nj.panjde.comcast.net (68.86.208.13) 14.558 ms 13.082 ms 13.445 ms
9 po-10-ar01.plainfield.nj.panjde.comcast.net (68.86.208.5) 15.583 ms 18.014 ms 15.483 ms
10 68.86.90.37 (68.86.90.37) 17.079 ms 17.005 ms 16.974 ms
11 te-9-4.car1.NewYork1.Level3.net (4.71.172.121) 15.984 ms 16.911 ms 15.493 ms
12 ae-14-69.car4.NewYork1.Level3.net (4.68.16.6) 18.110 ms 14.704 ms 16.008 ms
13 mci-level3-te-newyork1.Level3.net (4.68.110.234) 18.487 ms 18.077 ms 18.970 ms
14 0.ge-5-0-0.XL4.NYC4.ALTER.NET (152.63.3.117) 18.006 ms 20.112 ms 18.932 ms
15 0.so-5-1-0.XL2.VEG2.ALTER.NET (152.63.115.142) 99.224 ms 95.005 ms 95.630 ms
16 POS7-0.GW1.VEG2.ALTER.NET (152.63.114.193) 99.073 ms 95.424 ms 95.614 ms
17 powerpulse-gw.customer.alter.net (157.130.238.194) 88.684 ms 91.176 ms 91.109 ms
18 gig5-1.esw03.las.switchcommgroup.com (66.209.64.186) 92.612 ms 91.182 ms 90.018 ms
19 gig5-1.esw09.las.switchcommgroup.com (66.209.64.194) 88.165 ms 93.131 ms 88.562 ms
20 cust-66.209.87.100.switchcommgroup.com (66.209.87.100) 91.592 ms 90.569 ms 101.082 ms
21 mdnh-43.las.marchex.com (66.116.125.228) 90.103 ms 91.216 ms 90.585 ms
At the following address, you will find three things:
1 the screenshot of the site
2 the source code for the site (in .gz format so I am not providing a free mirror for them)
3 the above ping-traceroute results in a .txt file for easy download http://www.asyserver.com/~kahless
In my opinion, this doesn't look like an accident. I really hope you can get it all straightened out without too much trouble.
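A triage check for the ping output posted above, added here as an example and not part of any poster's message: it pairs each pinged name with the address it resolved to and the reverse-DNS name that answered, matching by IP because the posted transcript is interleaved. The function names are assumptions of this example, and a reply from a host outside the queried domain is only a signal to investigate, since shared hosting and a different registrant for another TLD produce the same pattern.

```python
import re

# Excerpt of the ping output posted in the thread above (values from the page).
PING_TRANSCRIPT = """\
PING linuxquestions.org (64.179.4.146) 56(84) bytes of data.
64 bytes from web2.linuxquestions.org (64.179.4.146): icmp_seq=1 ttl=47 time=26.0 ms
PING linuxquestions.com (66.116.125.228) 56(84) bytes of data.
64 bytes from mdnh-43.las.marchex.com (66.116.125.228): icmp_seq=1 ttl=230 time=89.1 ms
"""

PING_HEADER = re.compile(r"^PING (\S+) \((\d+\.\d+\.\d+\.\d+)\)")
PING_REPLY = re.compile(r"^\d+ bytes from (\S+) \((\d+\.\d+\.\d+\.\d+)\):")


def summarize(transcript):
    """Map each pinged name to its resolved IP and the reverse-DNS names seen."""
    hosts = {}
    ip_to_name = {}
    for line in transcript.splitlines():
        m = PING_HEADER.match(line)
        if m:
            name, ip = m.groups()
            hosts[name] = {"ip": ip, "ptr": set()}
            ip_to_name[ip] = name
            continue
        # Replies are matched by address, so interleaved output still pairs up.
        m = PING_REPLY.match(line)
        if m and m.group(2) in ip_to_name:
            hosts[ip_to_name[m.group(2)]]["ptr"].add(m.group(1).lower())
    return hosts


def foreign_ptr(hosts):
    """Return names whose replies came from a host outside the queried domain."""
    flagged = []
    for name, info in hosts.items():
        suffix = "." + name.lower()
        if any(p != name.lower() and not p.endswith(suffix) for p in info["ptr"]):
            flagged.append(name)
    return sorted(flagged)


def shared_address(hosts, a, b):
    """True when two names resolved to the same address in this transcript."""
    return hosts[a]["ip"] == hosts[b]["ip"]


if __name__ == "__main__":
    h = summarize(PING_TRANSCRIPT)
    for name, info in h.items():
        print(name, info["ip"], sorted(info["ptr"]))
    print("PTR outside queried domain:", foreign_ptr(h))
```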