[154147] in North American Network Operators' Group
Re: DNS poisoning at Google?
daemon@ATHENA.MIT.EDU (Sadiq Saif)
Wed Jun 27 00:34:23 2012
In-Reply-To: <ED78B1C68B84A14FA706D13A230D7B431954DD60@ITS-MAIL01.campus.ad.csulb.edu>
From: Sadiq Saif <sadiq@asininetech.com>
Date: Wed, 27 Jun 2012 00:33:24 -0400
To: Matthew Black <Matthew.Black@csulb.edu>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
couchtarts.com seems to be hosted on an IP belonging to AS32244 (Liquid Web).
On Wed, Jun 27, 2012 at 12:28 AM, Matthew Black <Matthew.Black@csulb.edu> wrote:
> Running Apache on three Solaris servers behind a load balancer.
>
> I forgot how to look up our AS number to see if it matches couchtarts.
>
> matthew black
> information technology services
> california state university, long beach
>
>
> -----Original Message-----
> From: David Hubbard [mailto:dhubbard@dino.hostasaurus.com]
> Sent: Tuesday, June 26, 2012 9:14 PM
> To: nanog@nanog.org
> Subject: RE: DNS poisoning at Google?
>
> Typically if google were pulling your site sometimes from the wrong IP, their safe browsing page should indicate it being on another AS number in addition to the correct one 2152:
>
> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.csulb.edu
>
> For example, the couchtarts site they claim yours is redirecting to:
>
> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.couchtarts.com
>
> That site's DNS is screwed up and some requests are sent to a different IP at a different host, so Google picked up both AS numbers.
>
> Could one of your domain's subdomains be what is actually infected? You seem to have a bunch of them, maybe google is penalizing the whole domain over a subdomain? Not sure if they do that or not.
>
> If your sites are running off of an application like wordpress, etc., you may not get the same page that google gets and the application may have been hacked.
> Here's a wget command you can use to make requests to your site pretending to be google:
>
> wget -c \
> --user-agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" \
> --output-document=googlebot.html 'http://www.csulb.edu'
>
> nanog will probably line wrap that user agent line making it not correct so you'll have to put it back together correctly. It will save the output to a file named googlebot.html you can look at to see if anything weird ends up being served.
>
> David
>
>
>> -----Original Message-----
>> From: Matthew Black [mailto:Matthew.Black@csulb.edu]
>> Sent: Tuesday, June 26, 2012 11:53 PM
>> To: nanog@nanog.org
>> Subject: DNS poisoning at Google?
>>
>> Google Safe Browsing and Firefox have marked our website as containing
>> malware. They claim our home page returns no results, but redirects
>> users to another compromised website couchtarts.com.
>>
>> We have thoroughly examined our root .htaccess and httpd.conf files
>> and are not redirecting to the problem target site. No recent changes
>> either.
>>
>> We ran some NSLOOKUPs against various public DNS servers and
>> intermittently get results that are NOT our servers.
>>
>> We believe the DNS servers used by Google's crawler have been
>> poisoned.
>>
>> Can anyone shed some light on this?
>>
>> matthew black
>> information technology services
>> california state university, long beach
>> www.csulb.edu<http://www.csulb.edu>
>>
>>
>>
>
>
>
>
-- 
Sadiq S
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
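The thread above suggests two checks: compare what public resolvers return for the hostname against what the zone's own nameservers publish (Matthew's intermittent NSLOOKUP results), and fetch the page as Googlebot to see whether the application serves crawlers something different (David's wget). The script below is an added example, not code from any participant in the thread nor from CSULB or Google; it puts both checks in one place. The resolver list (Google Public DNS), the output filenames, the example hostname and the "couchtarts" marker string are illustrative assumptions to replace with your own.

```shell
#!/bin/sh
# Added example (not from the thread): sample a hostname's A records from
# several public resolvers, compare them with the zone's own authoritative
# answer, then fetch the page as Googlebot and as a browser and look for
# redirect markers. Resolver list, filenames and the "couchtarts" marker are
# illustrative assumptions; replace them with your own.

# Public resolvers to sample. You cannot query the crawler's own resolvers,
# so public ones are the nearest available proxy (override via environment).
RESOLVERS="${RESOLVERS:-8.8.8.8 8.8.4.4}"

# normalize_ips: flatten any mix of space/newline-separated dig output into a
# sorted, de-duplicated, space-separated list of IPv4 addresses so two answer
# sets can be compared as plain strings. CNAME lines are dropped.
normalize_ips() {
    printf '%s\n' "$@" | tr ' \t' '\n\n' \
        | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# compare_answers AUTHORITATIVE_IPS RESOLVER_IPS
# Prints "OK" when the sets match, otherwise "MISMATCH" followed by the
# addresses the resolver returned that the zone does not publish (the
# signature of a poisoned cache or a stray record) and any it omitted.
# Returns 0 on match, 1 on mismatch.
compare_answers() {
    auth=$(normalize_ips "$1")
    got=$(normalize_ips "$2")
    if [ "$auth" = "$got" ]; then
        echo "OK"
        return 0
    fi
    extra=""
    missing=""
    for ip in $got; do
        case " $auth " in *" $ip "*) ;; *) extra="$extra $ip" ;; esac
    done
    for ip in $auth; do
        case " $got " in *" $ip "*) ;; *) missing="$missing $ip" ;; esac
    done
    msg="MISMATCH"
    [ -n "$extra" ] && msg="$msg extra:$extra"
    [ -n "$missing" ] && msg="$msg missing:$missing"
    echo "$msg"
    return 1
}

# suspicious_redirects FILE [HOSTNAME]
# Greps a saved page body for the client-side redirect mechanisms a compromised
# site typically serves only to crawlers (meta refresh, JS location writes,
# iframes) plus an optional hostname. Exit 0 if anything matched, 1 if not.
suspicious_redirects() {
    pattern='http-equiv=.?refresh|location\.(href|replace|assign)|window\.location|<iframe'
    [ -n "${2:-}" ] && pattern="$pattern|$2"
    grep -iE "$pattern" "$1"
}

# authoritative_ips HOSTNAME
# Asks one of the enclosing zone's own nameservers, so the baseline is not
# itself a cached answer. The zone is found by stripping leading labels until
# an NS record appears.
authoritative_ips() {
    name="$1"
    ns=""
    while [ -n "$name" ]; do
        ns=$(dig +short NS "$name" | head -n 1)
        [ -n "$ns" ] && break
        case "$name" in *.*) name="${name#*.}" ;; *) name="" ;; esac
    done
    [ -n "$ns" ] || return 1
    dig +short @"$ns" A "$1"
}

# run_live HOSTNAME: the end-to-end check, network required.
run_live() {
    domain="$1"
    auth=$(authoritative_ips "$domain") || { echo "no NS found for $domain"; return 1; }
    echo "authoritative: $(normalize_ips "$auth")"
    for r in $RESOLVERS; do
        printf '%-16s %s\n' "$r" "$(compare_answers "$auth" "$(dig +short @"$r" A "$domain")")"
    done
    ua='Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'
    curl -sS -A "$ua" -D googlebot.hdr -o googlebot.html "http://$domain/"
    curl -sS -D browser.hdr -o browser.html "http://$domain/"
    grep -i '^Location:' googlebot.hdr browser.hdr || echo "no HTTP redirects"
    diff -q googlebot.html browser.html && echo "both bodies identical"
    suspicious_redirects googlebot.html couchtarts || echo "no redirect markers in googlebot.html"
}

# Run the live checks only when a hostname is given on the command line.
if [ $# -ge 1 ]; then
    run_live "$1"
fi
```

Run it as `sh dnscheck.sh www.example.edu` (the hostname is a placeholder). Reading the result: a wrong address from one public resolver while the authoritative server and the other resolvers agree points at that resolver's cache; the same unexpected address from the authoritative server itself means the zone data, not anyone's cache, is what changed. If the hostname is a CNAME into another zone, the authoritative server returns only the CNAME and the A-record comparison has to be repeated against the target name. A Location header or a meta refresh present only in googlebot.html is the application-level cloaking David describes, and no amount of DNS work will clear it.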