spyware? please help

[dontcare]

I have no idea what's going on and I seem to be the only problrm with this so here it is....

It seems like a cannot get the 404 error when I put in an invaled internet address in firefox and mozilla. For example when I type the address linux.he i get this add for freeservers.com. It says "Site available.
The subdomain linux.he is available. Use the link on the right to sign up for your FREE Web site." WTH?

I can't even get to google.com, a page for "ray's corvett page" shows up.

I get ads for freeservers.com and 20m. Sometimes before these pages show up after the address will look like this "fedoraforum.org/cgi-bin/" What is this cgi-bin business?

It has been like this since the beggening of the installation of FC3.

I'm sorry if this is a dumb question and all but how can I fix this? If I can fix it i'll jsut go back to windows were I can actuallty surf the internet.

[james_in_denver]

Where did you get your mozilla/firefox from?

I have NEVER heard of that in linux....(10 year user)

Are you using a windows box somewhere as a router/firewall??? (if so, then it's likely that the windows box is the one actually re-writing the URL's you are trying to use)

Unless you are trying to pull an "April fools day" type of prank?

[h4d]

This is the wierdest thing I've heard of. On most windows machines on my network, I actually installed Firefox because it solved this issue which happens with crappy IE! Keep us posted on what's going on here!

[Uhlix]

i have to agree with james in denver. Sounds very wierd to say the least

[Jman]

I'm guessing it has something to do with the browser or DNS.

Have you installed any browser extensions? I don't know of any malicious ones for Firefox and Mozilla but they may exist. Perhaps a reinstall of the browser is in order. Or you may want to test other browsers like the text based lynx.

Attach the contents of /etc/hosts and /etc/resolv.conf. These contain DNS servers and hostname information. They may have been modified to redirect you.

I doubt there is anything wrong with your ISP's DNS servers or any proxying if you can connect fine with Windows.

If you suspect your machine has compromised try chkrootkit to search for signs of tampering.

[imdeemvp]

About 2 weeks ago some reported similiar issue with firefox. I was shocked to see it too. It makes me wonder if there could now be spyware for linux and we are not aware yet.

[dontcare]

Glad to see that you guys are so eager to help...

Anyways, as I said this happens with Firefox and Mozilla (Epiphany). I have installed extensions but I had this problem when I first installed FC3. Could you please explain this DNS server thing a bit more? I don't know if this will help but I am dual booting with windows and internet there works fine.

This is no prank and I really want to fix it.

[dontcare]

I just tried Elinks, text base browser, and I still get this "Rays Corvette Page" when I try to go to google.

Did a download a messed up version of FC3? I downloaded it from one of the mirrors from the site.

Please save me.

[h4d]

How about your /etc/hosts file? Anything wierd there redirecting google.com to the corvette page?

[dontcare]

There's nothing realy in that file except "order hosts,bind". Is this what should be there?

[dontcare]

Something I just noticed...
In "ray's corvette page" when I right click on one of the pictures and click view image, it comes from here "http://www.google.com/fs_img/builder/builder51/sportscar2.jpg"

....yeah I have no idea.../

update: I was looking through xbox-scene anyways that BS thing came up out of the blue (it's kind of random).

One of the picutres came from here "http://forums.xbox-scene.com/cgi-bin/image/logo_small.gif"

Can you guys see these images? If no then they must be comming from my computer or something....

[bob]

Dontcare, I'd seriously think about checking your computer with a free anti-virus program. If this was Windows, I'd be telling you to download 'hijack this' (not available for Linux, I see). Here's a link to some: http://linux.tucows.com/antivirus_default.html

[h4d]

Quote:

Originally Posted by dontcare

There's nothing realy in that file except "order hosts,bind". Is this what should be there?

I'm not getting it...you should have something like this:

Code:

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       localhost.localdomain       localhost

Unless you have added more aliases to your localhost...
What exactly do you see when you cat /etc/hosts?

[dontcare]

I'm sorry I was looking at hosts.conf. Yes my hosts file look like that. That's not the problem.

Any idea about the image thing?

[h4d]

Quote:

Originally Posted by dontcare

Any idea about the image thing?

I get a 404 on both those images. wierd...I think I'm looking at the first infected linux box since I started using *nix! Did you run an antivirus program? I use clamav on the mail servers and it works great. Give it a try and tell us what happens...