[154154] in North American Network Operators' Group


Re: DNS poisoning at Google?

daemon@ATHENA.MIT.EDU (Jeremy Hanmer)
Wed Jun 27 00:59:29 2012

From: Jeremy Hanmer <jeremy@hq.newdream.net>
In-Reply-To: <ED78B1C68B84A14FA706D13A230D7B431954DDDA@ITS-MAIL01.campus.ad.csulb.edu>
Date: Tue, 26 Jun 2012 21:59:00 -0700
To: Matthew Black <Matthew.Black@csulb.edu>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

It's not DNS.  If you're sure there are no .htaccess files in place, check your content (even that stored in a database) for anything that might be altering data based on referrer.  This simple test shows what I mean:

Airy:~ user$ curl -e 'http://google.com' csulb.edu
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
</body></html>

Running curl without the -e argument gives the proper site contents.

On Jun 26, 2012, at 9:35 PM, Matthew Black <Matthew.Black@csulb.edu> wrote:

> Yes, we've used the Google Webmaster Tools a lot today. Submitted multiple requests and they keep insisting that our site issues a redirect. Unable to duplicate the problem here.
>
> matthew black
> information technology services
> california state university, long beach
>
> From: Ishmael Rufus [mailto:sakamura@gmail.com]
> Sent: Tuesday, June 26, 2012 9:34 PM
> To: Matthew Black
> Cc: David Hubbard; nanog@nanog.org
> Subject: Re: DNS poisoning at Google?
>
> Have you tried using Google Webmaster tools?
> On Tue, Jun 26, 2012 at 11:28 PM, Matthew Black <Matthew.Black@csulb.edu> wrote:
> Running Apache on three Solaris servers behind a load balancer.
>
> I forgot how to look up our AS number to see if it matches couchtarts.
>
> matthew black
> information technology services
> california state university, long beach
>
> -----Original Message-----
> From: David Hubbard [mailto:dhubbard@dino.hostasaurus.com]
> Sent: Tuesday, June 26, 2012 9:14 PM
> To: nanog@nanog.org
> Subject: RE: DNS poisoning at Google?
>
> Typically if google were pulling your site sometimes from the wrong IP, their safe browsing page should indicate it being on another AS number in addition to the correct one 2152:
>
> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.csulb.edu
>
> For example, the couchtarts site they claim yours is redirecting to:
>
> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.couchtarts.com
>
> That site's DNS is screwed up and some requests are sent to a different IP at a different host, so Google picked up both AS numbers.
>
> Could one of your domain's subdomains be what is actually infected?  You seem to have a bunch of them, maybe google is penalizing the whole domain over a subdomain?  Not sure if they do that or not.
>
> If your sites are running off of an application like wordpress, etc., you may not get the same page that google gets and the application may have been hacked.
> Here's a wget command you can use to make requests to your site pretending to be google:
>
> wget -c \
> --user-agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" \
> --output-document=googlebot.html 'http://www.csulb.edu'
>
> nanog will probably line wrap that user agent line making it not correct so you'll have to put it back together correctly.  It will save the output to a file named googlebot.html you can look at to see if anything weird ends up being served.
>
> David
>
>
>> -----Original Message-----
>> From: Matthew Black [mailto:Matthew.Black@csulb.edu]
>> Sent: Tuesday, June 26, 2012 11:53 PM
>> To: nanog@nanog.org
>> Subject: DNS poisoning at Google?
>>
>> Google Safe Browsing and Firefox have marked our website as containing
>> malware. They claim our home page returns no results, but redirects
>> users to another compromised website couchtarts.com.
>>
>> We have thoroughly examined our root .htaccess and httpd.conf files
>> and are not redirecting to the problem target site. No recent changes
>> either.
>>
>> We ran some NSLOOKUPs against various public DNS servers and
>> intermittently get results that are NOT our servers.
>>
>> We believe the DNS servers used by Google's crawler have been
>> poisoned.
>>
>> Can anyone shed some light on this?
>>
>> matthew black
>> information technology services
>> california state university, long beach
>> www.csulb.edu
>>
>
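As an added example (not code posted by anyone in this thread), here is a POSIX shell script that automates the two checks the thread describes: Jeremy's curl -e referrer test and David's Googlebot user-agent wget, comparing status, Location and a body checksum across client profiles so referrer- or crawler-conditional content stands out. It assumes curl is in PATH and the URL is passed as the first argument; the 301 response fed through the header parser when no URL is given is a constructed sample.

```shell
# Added example for this thread (not code posted by any participant). It fetches one
# URL as several clients would see it and prints "<status> <Location|-> <body cksum>"
# per profile: a site cloaking on the Referer (Jeremy's curl -e test) or on the Googlebot
# User-Agent (David's wget test) shows a different row than the plain request.
# Assumes curl in PATH and the URL as $1; the sample response at the end is constructed.

# Summarise a raw response header block on stdin as "<status> <Location|->".
header_summary() {
    awk '
        { sub(/\r$/, "") }                           # tolerate CRLF endings
        NR == 1 && $1 ~ /^HTTP\// { status = $2 }
        tolower($1) == "location:" { loc = $2 }
        END { printf "%s %s\n", (status == "" ? "?" : status), (loc == "" ? "-" : loc) }
    '
}
# Checksum of a response body on stdin (POSIX cksum, no sha tools required).
body_digest() { cksum | cut -d' ' -f1; }

# probe URL REFERER UA -> "<status> <location> <body cksum>". No -L: the redirect
# itself is the evidence, not whatever it points at.
probe() {
    hdr=$(mktemp); body=$(mktemp)
    if [ -n "$2" ]; then curl -sS -A "$3" -e "$2" -D "$hdr" -o "$body" "$1"
    else                 curl -sS -A "$3"         -D "$hdr" -o "$body" "$1"; fi
    printf '%s %s\n' "$(header_summary < "$hdr")" "$(body_digest < "$body")"
    rm -f "$hdr" "$body"
}

# report LABEL REFERER UA: one row, flagged when it differs from the plain request.
report() {
    got=$(probe "$url" "$2" "$3")
    if [ "$got" = "$base" ]; then printf '%-18s %s\n' "$1" "$got"
    else printf '%-18s %s   <-- differs from plain request\n' "$1" "$got"; rc=1; fi
}
# cloak_check URL: plain request first, then the thread's two suspects, then both.
cloak_check() {
    url=$1; rc=0
    gbot='Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'
    base=$(probe "$url" "" "Mozilla/5.0 (cloak-check)")
    printf '%-18s %s\n' "plain" "$base"
    report "google-referer"    "http://google.com" "Mozilla/5.0 (cloak-check)"
    report "googlebot-ua"      ""                  "$gbot"
    report "referer+googlebot" "http://google.com" "$gbot"
    return $rc
}

if [ $# -gt 0 ]; then cloak_check "$1"
else  # no URL given: run the header parser on a constructed 301 like the thread's
    printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: http://redirect.example/x\r\n\r\n' | header_summary
fi
```

The script exits non-zero when any profile differs from the plain request, so it can sit in a cron job that watches a site the way Google's crawler sees it.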