# Fixed: Do not use somedomain.com as your domain name!

## marcion

[Edit: I did not have my brain engaged, it all clicked in the end.]

I have a Gentoo install AMD64 that I have possibly f/m-ucked up in some way. Anyway I have managed to get an adware thing that replaces all 404s and 403s and so on. 

I have had the install for quite a while and used and abused it quite heavily as my main workstation. If I was running Windows I would run Norton and Lavasoft Adware and all that shit.

However running Gentoo I have never needed to know what to do with adware since I haven't had any until now.

Here is a screenshot which I uploaded to the Wikipedia (why not!)  

http://upload.wikimedia.org/wikipedia/en/f/fc/Adwareonlinux.png

I also had a long moan about it here with more details: http://en.wikipedia.org/wiki/Somedomain [edit: this has since been updated] 

(although all the hyperbole might not be accurate i.e. my first recorded case is not likely to be Linux's first reported case). 

My first idea was not particularly practical since I need the PC for daily life:

```
su

cd /

rm -r * 

```

Suggestions about what to do would be appreciated. Any ideas?

Last edited by marcion on Tue Jul 19, 2005 10:42 pm; edited 1 time in total

----------

## lbrtuk

Unless you were running as root, it's very unlikely 'it' has actually touched your system. From looks of it, it has installed some malicious firefox extension. Most extensions are cross platform - they're written in javascript. So it was probably targeted at windows but ended up getting you anyway.

So - don't panic - I doubt it'll be anything more serious than wiping out your ~/.mozilla/

----------

## marcion

.mozilla was a nice idea but I just removed .mozilla and it wiped out my bookmarks and extensions etc but I still have the adware. I tried epiphany and got the adware too. I tried logging in as root and using firefox and I still got the adware which is a bit scary.

I have a copy of Apache installed for testing things (although it is not in my default runlevel and is turned off), could something have got on through there?  

Should I try flushing out the IPtables and setting it back up? (If so how?)

Any more ideas anyone?

----------

## MrUlterior

I'd think you'll find you've over-rated the significance of your find.

A 404 error is a Page Not Found error which is returned by an HTTP server responding to the DNS name you provide, as you're fond of Wikipedia, here's the relevant URL: http://en.wikipedia.org/wiki/404_error

What you have there is not a 404, but a site not found - in which case you should get a popup from firefox telling you as much. So I would surmise that you do NOT have any adware, but rather you have a nasty ISP whose DNS resolves any address that doesn't exist to the site shown in your screenshot.

You can prove this easily, visit: http://www.google.ch/blah/blah, do you get Google's not found page? 

Alternatively, if it is adware and you were NOT running as root, nuking ~/.mozilla would have disposed of it. If you were running as root, unemerging and re-emerging mozilla should nuke it.

----------

## marcion

*Quote:*

> You can prove this easily, visit: http://www.google.ch/blah/blah, do you get Google's not found page?
>
> Alternatively, if it is adware and you were NOT running as root, nuking ~/.mozilla would have disposed of it. If you were running as root, unemerging and re-emerging mozilla should nuke it.

I never normally run as root, except for that test earlier. I get it on every browser, I just downloaded Konqueror and I get it on that too  :Confused: 

----------

## MrUlterior

You didn't answer the question, do you get not found on that Google page? What evidence do you have to suggest it's spyware/adware? What extensions do you have installed? Does "nslookup www.blahblahsomecrappyhost.com" return a record for hosts that should not exist?

Without this information, I stick with my suggestion that your DNS server resolves unassigned addresses ...

----------

## rex123

I'm not really sure you've tested the right things.

What do you get from something like 

```
host www.adwaresucksuniteagainstit.com
```

What happens if you try to ping non-existent addresses?

Does this really occur for 404 errors rather than 403 errors (as per MrUlterior's suggestion)? Do you have an example?

It would be interesting to know what actual HTTP requests are being made. Ethereal (or tcpdump) is always good for that sort of thing.

It really looks like a DNS thing, not a browser thing.

[edit] You can ignore this if you like, because it's basically the same as MrUlterior was writing simultaneously, and he got there first[/edit]

----------

## marcion

Er well, if I go to any 404 and 403 on Windows or Fedora I can't replicate the same problem, so the bad webhost does not really apply I think.

Going to http://www.google.ch/blah/blah, gets me Google's not found page, but say http://status.gmail.com/ gets me the adware.

As for the idea of doing host www.adwaresucksuniteagainstit.com, that just gets me

```
~ $ host www.adwaresucksuniteagainstit.com
bash: host: command not found
```

----------

## marcion

To sum up the current situation:

On my Gentoo install, using Firefox, Epiphany or Konqueror:

If I go to a non-existent page such as www.thispagedoesnotexistqwertyuiop.com then I get the adware

On my old Fedora install, using Firefox:

If I go to a non-existent page such as www.thispagedoesnotexistqwertyuiop.com then I do not get the adware.

Using Windows  :Evil or Very Mad:  , using Firefox or IE:

If I go to a non-existent page such as www.thispagedoesnotexistqwertyuiop.com then I do not get the adware.

----------

## marcion

*rex123 wrote:*

> What happens if you try to ping non-existent addresses?

Very interesting, you have found something there:

From Gentoo, after 10 packets I pressed Ctrl+C:

```
#ping www.adwaresucksuniteagainstit.com

PING www.adwaresucksuniteagainstit.com.somedomain.com (66.116.109.35) 56(84) bytes of data.

64 bytes from c-ndl.las.marchex.com (66.116.109.35): icmp_seq=1 ttl=49 time=168 ms

64 bytes from c-ndl.las.marchex.com (66.116.109.35): icmp_seq=2 ttl=49 time=167 ms

64 bytes from c-ndl.las.marchex.com (66.116.109.35): icmp_seq=3 ttl=49 time=164 ms

64 bytes from c-ndl.las.marchex.com (66.116.109.35): icmp_seq=4 ttl=49 time=166 ms

64 bytes from c-ndl.las.marchex.com (66.116.109.35): icmp_seq=5 ttl=49 time=164 ms

64 bytes from c-ndl.las.marchex.com (66.116.109.35): icmp_seq=6 ttl=49 time=160 ms

64 bytes from c-ndl.las.marchex.com (66.116.109.35): icmp_seq=7 ttl=49 time=166 ms

64 bytes from c-ndl.las.marchex.com (66.116.109.35): icmp_seq=8 ttl=49 time=168 ms

64 bytes from c-ndl.las.marchex.com (66.116.109.35): icmp_seq=9 ttl=49 time=164 ms

64 bytes from c-ndl.las.marchex.com (66.116.109.35): icmp_seq=10 ttl=49 time=173 ms

--- www.adwaresucksuniteagainstit.com.somedomain.com ping statistics ---

10 packets transmitted, 10 received, 0% packet loss, time 9897ms

rtt min/avg/max/mdev = 160.217/166.430/173.695/3.395 ms
```

However:

```
# ping www.somedomain.com

PING www.somedomain.com (66.116.109.35) 56(84) bytes of data.

64 bytes from c-ndl.las.marchex.com (66.116.109.35): icmp_seq=1 ttl=49 time=161 ms

64 bytes from c-ndl.las.marchex.com (66.116.109.35): icmp_seq=2 ttl=49 time=161 ms

64 bytes from c-ndl.las.marchex.com (66.116.109.35): icmp_seq=3 ttl=49 time=166 ms

64 bytes from c-ndl.las.marchex.com (66.116.109.35): icmp_seq=4 ttl=49 time=167 ms

64 bytes from c-ndl.las.marchex.com (66.116.109.35): icmp_seq=5 ttl=49 time=161 ms

64 bytes from c-ndl.las.marchex.com (66.116.109.35): icmp_seq=6 ttl=49 time=165 ms

64 bytes from c-ndl.las.marchex.com (66.116.109.35): icmp_seq=7 ttl=49 time=162 ms

64 bytes from c-ndl.las.marchex.com (66.116.109.35): icmp_seq=8 ttl=49 time=165 ms

64 bytes from c-ndl.las.marchex.com (66.116.109.35): icmp_seq=9 ttl=49 time=164 ms

--- www.somedomain.com ping statistics ---

10 packets transmitted, 9 received, 10% packet loss, time 9011ms

rtt min/avg/max/mdev = 161.603/164.018/167.187/2.133 ms

```

Does this have anything to do with the price of fish?

Last edited by marcion on Tue Jul 19, 2005 10:19 pm; edited 2 times in total

----------

## think4urs11

do all your installations use the same DNS servers?

----------

## marcion

Hmm, we may have sussed it. I changed my domain name in the networking settings from somedomain.com to gentoo.org and the adware might have gone already:

```
ping www.adwaresucksuniteagainstit.com

ping: unknown host www.adwaresucksuniteagainstit.com
```

As your sig said this may be a problem with the interface between the chair and the keyboard.

----------

## marcion

Well that fixed it, I'm such a noob.  :Sad: 

Thanks for all your time, I have learned a lot.  :Cool: 

Unfortunate coincidence of me just bunging somedomain.com into the networking settings when I installed and it being subsequently used for adware purposes. D'oh.

I'm sure somedomain.com used to be in the Windows 98 handbook or something for any old domain to use for domain name.

----------

## Ekimus

You definitely haven't resolved it. Using existing domains for your own purpose is BAD.

usually the .local domain (afaik this is even recommended in a RFC) should be used for this.

NEVER, really NEVER EVER use domains you don't own that could exist.

----------

## Antimatter

Correct me if I'm wrong, most domains would have two parts to them such as bahbah.com, bye.net etc..... so can I go ahead and use a domain such as localhost.whatever and would that be fine?

----------

## rex123

*marcion wrote:*

> [...]
>
> As for the idea of doing host www.adwaresucksuniteagainstit.com, that just gets me
>
> ~ $ host www.adwaresucksuniteagainstit.com
> ...

I was worried that might happen, which is why I suggested pinging the host. The "host" program is part of the bind-tools package. I would recommend that everyone installs bind-tools. I would be lost without it. Same with telnet (or netcat if you prefer). But ping is part of iputils (I think), which seems to be a dependency of everything, so it's unlikely anyone is without it.

----------

## jamapii

*Ekimus wrote:*

> usually the .local domain (afaik this is even recommended in a RFC) should be used for this.

in 2004, glibc broke this. I've read about instances where DNS didn't work correctly after a glibc update. They all were using a .local domain for their LAN. There's a workaround for this.

It seems using .local is *wrong* (as of glibc), and using anything else is *wrong* (as of RFC)?

At least using a password (something like .gkhzxeuimgei7w) probably wouldn't break yet.

----------

## DaveArb

*jamapii wrote:*

> and using anything else is *wrong* (as of RFC)?

There are several namespaces specified in RFC 2606 (Reserved Top Level DNS Names, http://www.faqs.org/rfcs/rfc2606.html ) for "invalid" domain names.

.test, .example, .invalid, and .localhost (note, not .local) are all TLDs reserved for testing, documentation, etc.

The second level domains example.com, example.net, and example.org are also reserved domain names, but they _will_ resolve in DNS, which might lead to a similar problem as listed in this thread.

Dave
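The mechanism behind marcion's ping output (the resolver quietly appending the configured domain to a name that fails to resolve, and a wildcard record under that domain answering for anything) and DaveArb's point about which names are safe to pick are easiest to see side by side. The following is an added example written for this thread, not code from any poster or from Gentoo: it models a glibc-style search list with ndots=1 against a constructed fake zone table (the somedomain.com wildcard and the 66.116.109.35 address come from the ping output above; the google.ch address is a made-up documentation IP), and classifies a candidate domain setting against the RFC 2606 reserved names. The function and variable names are the example's own.

```python
"""Toy model of stub-resolver search-list expansion and of choosing a
safe local domain.  Added example; the zone table is constructed and
the resolver semantics are a simplification of glibc's ndots handling."""
from typing import Dict, List, Optional, Tuple

# RFC 2606: these TLDs are guaranteed never to be delegated, and the
# example.* second-level names are held by IANA.  DaveArb's caveat:
# example.* DOES resolve in real DNS, so it can still cause surprises.
RESERVED_TLDS = {"test", "example", "invalid", "localhost"}
RESERVED_SLDS = {"example.com", "example.net", "example.org"}

# Constructed stand-in for global DNS as the thread describes it: a
# wildcard under somedomain.com answers for any label beneath it.
FAKE_ZONES: Dict[str, str] = {
    "www.google.ch": "203.0.113.10",          # constructed (RFC 5737 range)
    "www.somedomain.com": "66.116.109.35",    # from the thread's ping output
    "*.somedomain.com": "66.116.109.35",      # the wildcard that bit marcion
}


def fake_lookup(fqdn: str) -> Optional[str]:
    """Resolve one fully-qualified name against the constructed zone table."""
    name = fqdn.rstrip(".").lower()
    if name in FAKE_ZONES:
        return FAKE_ZONES[name]
    for key, addr in FAKE_ZONES.items():
        # "*.zone" matches any name that ends in ".zone"
        if key.startswith("*.") and name.endswith(key[1:]):
            return addr
    return None  # NXDOMAIN


def search_candidates(name: str, search: List[str], ndots: int = 1) -> List[str]:
    """Order in which a glibc-style stub resolver tries a name.

    A name with at least `ndots` dots is tried as typed first and the
    search suffixes are appended only if that fails; a name with fewer
    dots gets the suffixes first.  A trailing dot disables the search
    list entirely, which is the usual way to force an absolute lookup.
    """
    if name.endswith("."):
        return [name]
    suffixed = [f"{name}.{s}" for s in search]
    if name.count(".") >= ndots:
        return [name] + suffixed
    return suffixed + [name]


def resolve(name: str, search: List[str], ndots: int = 1) -> Optional[Tuple[str, str]]:
    """Return (name actually answered, address) or None if nothing resolved."""
    for cand in search_candidates(name, search, ndots):
        addr = fake_lookup(cand)
        if addr is not None:
            return cand, addr
    return None


def check_search_domain(domain: str) -> str:
    """Classify a domain/search setting by how safe it is to use locally."""
    d = domain.strip(".").lower()
    tld = d.rsplit(".", 1)[-1]
    if tld in RESERVED_TLDS:
        return "reserved-tld"            # safe: can never be delegated
    if d in RESERVED_SLDS or any(d.endswith("." + s) for s in RESERVED_SLDS):
        return "reserved-but-resolves"   # IANA-owned, but has real records
    if tld == "local":
        return "mdns"                    # RFC 6762 later reserved .local for multicast DNS
    return "public-namespace"            # anyone can register this; somedomain.com was


if __name__ == "__main__":
    # With somedomain.com as the search domain a typo resolves via the wildcard
    print(resolve("www.adwaresucksuniteagainstit.com", ["somedomain.com"]))
    # With a reserved search domain the same typo is a plain NXDOMAIN
    print(resolve("www.adwaresucksuniteagainstit.com", ["home.test"]))
    print(check_search_domain("somedomain.com"))
```

The second call in the `__main__` block reproduces marcion's fix: once the search domain no longer has a wildcard beneath it, `www.adwaresucksuniteagainstit.com` fails outright instead of silently becoming `www.adwaresucksuniteagainstit.com.somedomain.com`. The `status.gmail.com` case from the thread behaves the same way, because the name as typed fails first and the suffixed name is tried second.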

----------

## madmango

Wait... are you serious? I've been using kellerhome.local as my domain since 2003, when I read in the Windows Server 2003 Beta documentation that .local was the correct domain to use for local-only domains. I've really had no problems, and I'm using the latest glibcs.

Maybe that's why all of my boxen boot with <hostname>.unknown_domain. Hm.

----------

## daeghrefn

*Quote:*

> Wait... are you serious? I've been using kellerhome.local as my domain since 2003, when I read in the Windows Server 2003 Beta documentation that .local was the correct domain to use for local-only domains. I've really had no problems, and I'm using the latest glibcs.
>
> Maybe that's why all of my boxen boot with <hostname>.unknown_domain. Hm.

I just rebuilt a machine using 2005.0... and apparently hostname/domain name configs are now in /etc/conf.d/hostname and /etc/conf.d/domainname instead of /etc/hostname and /etc/dnsdomainname.

When I set it up to use /etc/conf.d/hostname and /etc/conf.d/domainname, I get the same thing <hostname>.unknown_domain.  I set it up using gcc 3.4.3 and a Stage 1 on Stage 3 install.

Originally when I used /etc/hostname and /etc/dnsdomainname, I would get <hostname>.<domainname>.<tld name>

All I have to say is WTF?

----------

