Hi guys, im encountering some very strange behaviour (intermittently) when visiting my domain. We have a dedicated unix server hosting a number of sites with the problem currently reported on one site.

I go to mydomain.com, and am directed to http://www.mydomain.com/?fnf=1

Classified ads are displayed on this page. Viewing the source of the page displays a base href of http://www.mydomain.com/common/roar/landing/rpos/ - the page is adware classified advertising.

The directory does not exist on the server (well not accessible via the virtual directory - so a virtual alais is being set to be displayed at times instead of the actual site. The problem occurs 2/3 times a day and last around 15 minutes. I am unable to connect via FTP when the problem occurs or view any page of my actual site when visiting either using the domain name or the ip address. it is not a local problem due to the issue being reported from people connecting from different geographic locations.

My Hosts Help team are also a little baffled as am I. Is spyware on a unix server a possibility and if so what do you guys recommend i do? If not has anyone enocuntered similar problems or ever seen anything related to /common/roar/landing/rpos/

thanks i really look forward to some advise as im pulling my hair out!

Not too much info here, so I'm taking a wild guess. I would take a long look at DNS. Let's say that www.mydomain.com == 1.2.3.4. So when stuff is working right, your resolver reports that. When stuff isn't working right, your resolver might be returning, say, 2.3.4.5. You can't ftp to www.mydomain.com during this time because 2.3.4.5 has no ftp server. But if you bypass DNS and ftp to the ip address 1.2.3.4 directly, I'll bet it would work. So you need to use nslookup or dig or whatever your version of unix uses and periodically check www.mydomain.com. When it returns something other than the correct address, a DNS expert needs to figure out why. And capture the bogus ip address and track down the owner.

But then again, it could be something else entirely. This is a wild guess.

i can try this when i encoounter the problem tomorrow morning. Thanks for the info although im quite sure ive tried connecting directly to the IP address i might be mistaken though!

im happy to provide any additional information that you think might help to resolve this, you have provided me with a start which is helpful.

Thank you, ill let you know what i discover..

hi the problem continues. I tried ftp using the ip address but recieve the same msg ' connection closed by remote host' A tracert to the ip address and to the domain name are identical.

if theres any additional info i can provide, please let me know. my hosts have not been able to help solve this one!

My next theory would be an IP address collision. Under this scenario, some other system on the same subnet has the IP address as the system in question. To check this out, you will need to be on the same subnet as the system in question. Display the arp table, probably with the command "arp -a". This will show the mapping between IP addresses and ethernet addresses. Sometimes the ethernet address will be right and sometimes it will be wrong. The solution, of course, will be to give each system a separate IP address.

I don't think this is a spyware problem.

Neo

BTW, I looked at the source and did not see the base reference above in the source code.