[154146] in North American Network Operators' Group
RE: DNS poisoning at Google?
daemon@ATHENA.MIT.EDU (Matthew Black)
Wed Jun 27 00:29:35 2012
From: Matthew Black <Matthew.Black@csulb.edu>
To: David Hubbard <dhubbard@dino.hostasaurus.com>, "nanog@nanog.org" <nanog@nanog.org>
Date: Wed, 27 Jun 2012 04:28:52 +0000
In-Reply-To: <FCD26398C5EDE746BFC47F43EA52A17305752A78@dino.ad.hostasaurus.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Running Apache on three Solaris servers behind a load balancer.
I forgot how to look up our AS number to see if it matches couchtarts.
matthew black
information technology services
california state university, long beach
-----Original Message-----
From: David Hubbard [mailto:dhubbard@dino.hostasaurus.com]
Sent: Tuesday, June 26, 2012 9:14 PM
To: nanog@nanog.org
Subject: RE: DNS poisoning at Google?
Typically if Google were pulling your site sometimes from the wrong IP, their safe browsing page should indicate it being on another AS number in addition to the correct one 2152:
http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.csulb.edu
For example, the couchtarts site they claim yours is redirecting to:
http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.couchtarts.com
That site's DNS is screwed up and some requests are sent to a different IP at a different host, so Google picked up both AS numbers.
Could one of your domain's subdomains be what is actually infected? You seem to have a bunch of them, maybe Google is penalizing the whole domain over a subdomain? Not sure if they do that or not.
If your sites are running off of an application like WordPress, etc., you may not get the same page that Google gets and the application may have been hacked.
Here's a wget command you can use to make requests to your site pretending to be Google:
wget -c \
  --user-agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" \
  --output-document=googlebot.html 'http://www.csulb.edu'
nanog will probably line wrap that user agent line making it not correct, so you'll have to put it back together correctly. It will save the output to a file named googlebot.html you can look at to see if anything weird ends up being served.
David
> -----Original Message-----
> From: Matthew Black [mailto:Matthew.Black@csulb.edu]
> Sent: Tuesday, June 26, 2012 11:53 PM
> To: nanog@nanog.org
> Subject: DNS poisoning at Google?
>
> Google Safe Browsing and Firefox have marked our website as containing
> malware. They claim our home page returns no results, but redirects
> users to another compromised website couchtarts.com.
>
> We have thoroughly examined our root .htaccess and httpd.conf files
> and are not redirecting to the problem target site. No recent changes
> either.
>
> We ran some NSLOOKUPs against various public DNS servers and
> intermittently get results that are NOT our servers.
>
> We believe the DNS servers used by Google's crawler have been
> poisoned.
>
> Can anyone shed some light on this?
>
> matthew black
> information technology services
> california state university, long beach
> www.csulb.edu
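The check the original poster describes (querying several public resolvers and looking for answers that are not the site's own servers) is easy to turn into a repeatable script. The following is an added example written for this archive page, not code from either poster: it parses `dig +short`-style output per resolver, flags any answer outside the operator's expected prefixes, and groups the off-net addresses so each one can be looked up for its AS number and compared with what the Safe Browsing diagnostic page reports. The resolver names, the 192.0.2.0/24 "expected" prefix and every address in the sample are constructed placeholder data.

```python
"""Cross-resolver DNS consistency check (added example, not from the thread).

Given the A-record answers several resolvers returned for the same name,
report which resolvers handed back addresses outside the site's own address
space. All resolver names and addresses here are constructed sample data.
"""
import ipaddress
from collections import defaultdict

# Constructed placeholder for the operator's own address space (TEST-NET-1).
EXPECTED_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample of `dig +short A <name> @<resolver>` output per resolver.
# In practice this would be captured by running dig (or a resolver library)
# against each public resolver several times, since the bad answers were
# intermittent in the thread.
SAMPLE_RAW = {
    "resolver-a": "www.example.test.\n192.0.2.10\n192.0.2.11\n",
    "resolver-b": "192.0.2.10\n192.0.2.11\n",
    "resolver-c": "198.51.100.7\n",                 # constructed off-net answer
    "resolver-d": "192.0.2.10\n198.51.100.7\n",     # constructed mixed answers
}


def parse_dig_short(text: str) -> list:
    """Keep only IP answers from dig +short output; CNAME targets (names
    ending in '.') and blank lines are skipped."""
    ips = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ipaddress.ip_address(line)
        except ValueError:
            continue  # a CNAME or other non-address line
        ips.append(line)
    return ips


def is_expected(ip: str, prefixes=EXPECTED_PREFIXES) -> bool:
    """True if the address falls inside one of the expected prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in p for p in prefixes)


def audit_resolvers(answers: dict, prefixes=EXPECTED_PREFIXES):
    """Return (clean_resolvers, suspect) where suspect maps each resolver
    that returned an off-net answer to the sorted list of those answers."""
    clean, suspect = [], {}
    for resolver, ips in sorted(answers.items()):
        bad = sorted({ip for ip in ips if not is_expected(ip, prefixes)},
                     key=ipaddress.ip_address)
        if bad:
            suspect[resolver] = bad
        else:
            clean.append(resolver)
    return clean, suspect


def rogue_addresses(answers: dict, prefixes=EXPECTED_PREFIXES) -> dict:
    """Map each off-net address to the resolvers that returned it, so the
    operator can look up its AS number and compare with the diagnostic page."""
    seen = defaultdict(set)
    for resolver, ips in answers.items():
        for ip in ips:
            if not is_expected(ip, prefixes):
                seen[ip].add(resolver)
    return {ip: sorted(r) for ip, r in seen.items()}


SAMPLE_ANSWERS = {r: parse_dig_short(t) for r, t in SAMPLE_RAW.items()}

if __name__ == "__main__":
    clean, suspect = audit_resolvers(SAMPLE_ANSWERS)
    print("consistent resolvers:", ", ".join(clean))
    for resolver, bad in suspect.items():
        print(f"{resolver}: unexpected answer(s) {', '.join(bad)}")
    for ip, resolvers in rogue_addresses(SAMPLE_ANSWERS).items():
        print(f"{ip} returned by {', '.join(resolvers)} -> check its ASN")
```

Run it as-is to see the constructed sample classified; to use it for real, replace `EXPECTED_PREFIXES` with the site's own prefixes and fill `SAMPLE_RAW` from repeated `dig +short` runs against each resolver of interest. A resolver that returns the off-net address only some of the time is the interesting case, which is why the capture should be repeated rather than taken once.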