#1
Topclicks.net Problem
This one's new to me. Here at work, it appears, we may have been hit by some sort of spyware program. But this is strange. It doesn't just pop up an ad for topclicks.net, I actually can't access CPAN [www.cpan.org]. Instead, I get that crap topclicks.net garbage in place of CPAN, PLUS a pop-up window. I've tried several different PCs, and they all seem to be affected. I have successfully accessed CPAN from this and other PCs here before. Anyone know what's going on? Unfortunately.. I have no registry access or anything, so installing Ad-Aware and whatnot won't help me - that's up to the Tech folks in IT. I'm just wondering why the hell it's loading topclicks.net in place of CPAN??
I've never seen that before..
[edit] Bummer... something must've happened on CPAN's end. I can't duplicate the problem with any other sites [/edit]
Last edited by Ctb : December 23rd, 2002 at 12:35 PM.
#2
cpan is fine here. What IP do you get when you ping it?
I get 209.104.63.56 (though they may have mirrors set up...). Have you looked at your HOSTS file? Some crapware will install entries there to mess you up... What OS are you on? Have you installed anything like kazaa, gator, or bonzi buddy recently? What was the last thing you installed?
#3
****e.... we got screwed. It's giving me a different IP (each one for topclicks.net) on each ping. Wonder who installed what....
Thanks for verifying that for me Hero. I'm turning it over to the IT folks to let them weed out the culprit. I haven't actually installed anything recently. It seems like everyone on our network is suffering from this. Unfortunately, we're using WinNT, and I have no privileges that would allow me to do any of the troubleshooting on my own.. not that I'd know how on this OS anyway... The only thing in HOSTS is localhost's entry, though.
Last edited by Ctb : December 23rd, 2002 at 01:11 PM.
#4
Are you using any DNS or proxy server? As several boxes get the same result, that might be something worth checking out...
//NoXcuz
__________________
UN*X is sexy! who | grep -i blonde | date; cd ~; unzip; touch; strip; finger; mount; gasp; yes; uptime; umount; sleep
#5
Ugh.. it looks like the Bertelsmann DNS servers got hijacked. We're just going to wait it out for about 24 hours and see if it gets taken care of on its own...
stupid spamming bastards... Thanks for your help with this guys!
#6
That actually happened to me at work a few weeks ago. I couldn't get to any devshed.com domain. Someone had hijacked a DNS lookup server or something and I was always put to topclicks.net. Happened for a few other sites too.
#7
people responsible
for those who may be interested...
this website topclicks.net (not to be confused with topclicks.com) is hosted by rackshack.net which in turn is owned by URL aka 'everyones internet', out of houston texas. they won't take phone calls but do have an abuse email (which will be ignored, from my experience). they appear to cater to this type of low life and i for one will do them dirt every chance i get. i found 16 rogue dns servers claiming auth. for other people's domains, on just one of their subnets. they are using wild cards to declare themselves auth for everything. their affiliate numbers are in the links on the pages they send you to. the affiliate numbers sometimes differ for the same links, and why so many dns servers? also the methods used and the end result have changed.
secondly, i suggest you check your logs very thoroughly. i have seen events in some logs that lead me to believe they are also trying to harvest email addresses with this technique. please look at your logs and think it thru very carefully. they aren't actually making any money unless someone clicks the links on the page you are redirected to. next consider they are not trying to filter out non-unique addresses (which means they will be penalized by most affiliate programs). it may be just a redirect scheme to gather click thrus but the way it's been done i seriously doubt that it could pay for itself. as a scheme to generate commercial email lists it would be incredibly effective and cost efficient. while this is going on (the redirect) he is getting a great deal of information, because everything on the network is talking to his name servers for every lookup including email. is it reasonable to believe every business that experienced this also had users that tried to send email to those domains they couldn't browse to? (in addition to the normal traffic) did anyone else notice the asshole had an email server running at the same ip addresses he was redirecting us to? did anyone else experience small spikes in the email queues?
i am guessing we will see a very dramatic increase in spam to our domains and to the domains we send most of our traffic to. i would like to point out that there appears to be more care in the way this person handled the 'other' traffic. there seems to be an attitude of not caring that we know he is hijacking our browsers but the other traffic we logically know would have had to have been sent to him seems to have eventually made it thru? did he actually accept the traffic and do anything with it? if he did, in what manner? why have an email server responding to those ip's? it doesn't seem logical to me that he did such a poor job on the browser hijack but was so considerate on the email. which leads me to wonder, what information did he get? did he copy the whole thing? or just parse headers for addresses to a database? anyhow i would be interested in what others think
Last edited by altlewis : January 30th, 2003 at 06:57 PM.
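A check for the two symptoms described in this thread (a resolver that answers for every name, and unrelated sites landing on the same rotating addresses), as an added example that is not part of any post. The function names, the probe names under `.invalid`, and the sample answers are assumptions constructed for illustration.

```python
import itertools
import secrets
import socket
from collections import defaultdict

def system_resolve(name):
    """Live lookup via the host's configured resolver; empty set = no answer."""
    try:
        infos = socket.getaddrinfo(name, None, family=socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def check_resolver(resolve, known_names, probes=3):
    """Return findings suggesting `resolve` (hostname -> set of IPs) is rewriting answers."""
    findings = []
    # 1. Random names under .invalid (reserved, RFC 2606/6761) must never
    #    resolve; a resolver that wildcards everything answers them anyway.
    trap_ips = set()
    for _ in range(probes):
        trap_ips |= resolve(f"{secrets.token_hex(8)}.invalid")
    if trap_ips:
        findings.append(("wildcard-answer", sorted(trap_ips)))
    # 2. Unrelated sites that share an address, or land in the trap pool.
    by_ip = defaultdict(set)
    for name in known_names:
        for ip in resolve(name):
            by_ip[ip].add(name)
    for ip, names in sorted(by_ip.items()):
        if len(names) > 1 or ip in trap_ips:
            findings.append(("redirected", ip, sorted(names)))
    return findings

# Constructed sample answers (RFC 5737 documentation addresses), not real data.
CLEAN = {"www.cpan.org": {"192.0.2.10"}, "www.example.org": {"198.51.100.7"}}
_POOL = itertools.cycle(["203.0.113.5", "203.0.113.6"])

def clean_resolver(name):
    return CLEAN.get(name, set())

def hijacked_resolver(name):
    return {next(_POOL)}  # answers every name; address rotates per lookup

if __name__ == "__main__":
    names = ["www.cpan.org", "www.example.org"]
    print(check_resolver(clean_resolver, names))     # no findings
    print(check_resolver(hijacked_resolver, names))  # wildcard + redirected
```

Pass `system_resolve` as the first argument to run the same check against the machine's real resolver. Pick `known_names` that are not served from a shared hosting or CDN address, since those legitimately overlap.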
#8
altlewis I just skimmed thru your post, but let me tell you this - there is no way in hell rackshack would be responsible for anything like this. They are, by far, the biggest dedicated hosting company in the world signing up tens of thousands of boxes. They don't need this sort of attention.
__________________
And you know I mean that.
#9
please read a bit more carefully
i am not saying they did it. i am saying they make it possible and they don't take steps to resolve in a decent manner. i am accusing them of stalling so they can keep the customer as long as possible.
maybe others disagree, but if your customer has hijacked my internet traffic how can i email you? simple, i can't. but that is the only method of contact they will ALLOW for their non-customers to complain about one of their clients. i never said they were doing these things with the dns service, i said one of their customers was and they wouldn't do anything about it. to be more specific the ips for the redirect are in a range they resell, they are not always the same ip but they do always belong to everyones internet. get the link? secondly it does appear to be multiple schemes and the worst appear to be an affiliate of the topclicks.net program. the topclicks.net program exhibits different behavior. and one of their affiliates is doing some really not nice stuff. BUT ITS ALL HOSTED BY RACKSHACK.NET which in turn is EVERYONES INTERNET and i don't care how big they are, if you resell that much power, it should be possible to call you and tell you your customer is screwing over thousands of people. i shouldn't have to debate the subject in email with you, you should be able to look in your logs and see i am telling the truth and shut that customer down!!!
#10
What other Bad Guy servers / sites are they running besides topclicks.net?
Besides... technically, there's nothing illegal about what they appear to be doing AFAIK - just immoral and incredibly infuriating. I don't think it's really Rackshack's obligation to stop them unless they decide to take a moral stand. But hey, money talks. But then, it seems that we're just getting started when it comes to immoral / unfair marketing practices. Thank god for Linux/Mozilla.
#11
toolbar hijacking... lol...
Well, at least one good news today - aol declared 100 billion loss last year
#12
Quote:
Good news is relative...
#13
Maybe they will cut down on the number of CD's they mail out to people.....