[154143] in North American Network Operators' Group
Re: DNS poisoning at Google?
daemon@ATHENA.MIT.EDU (Kevin Day)
Wed Jun 27 00:22:06 2012
From: Kevin Day <toasty@dragondata.com>
In-Reply-To: <ED78B1C68B84A14FA706D13A230D7B431954DB1B@ITS-MAIL01.campus.ad.csulb.edu>
Date: Tue, 26 Jun 2012 23:21:21 -0500
To: Matthew Black <Matthew.Black@csulb.edu>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jun 26, 2012, at 10:53 PM, Matthew Black wrote:
> Google Safe Browsing and Firefox have marked our website as containing
> malware. They claim our home page returns no results, but redirects
> users to another compromised website couchtarts.com.
>
> We have thoroughly examined our root .htaccess and httpd.conf files
> and are not redirecting to the problem target site. No recent changes
> either.
>
> We ran some NSLOOKUPs against various public DNS servers and
> intermittently get results that are NOT our servers.
>
> We believe the DNS servers used by Google's crawler have been
> poisoned.
>
> Can anyone shed some light on this?
Not sure if it's related, but yesterday one of my clients (a top 500
Alexa site) suddenly had most search results (when googling for things
like the site's name) suddenly change to some other shady looking domain
that's just sending 302 redirects to the real site. All the same search
results are there, but they're now sending everyone to the wrong domain
that's just redirecting to the correct place. No idea how Google thought
this is correct and I'm totally failing at getting anyone's attention at
Google to look into this.
This coincided with this message from @google on Twitter yesterday:
Heads up: we're pushing a new Panda data refresh that noticeably affects
only ~1% of queries worldwide.
http://twitter.com/google/status/217366321879453696
But I'm not sure that's related either.
-- Kevin