[154158] in North American Network Operators' Group
RE: DNS poisoning at Google?
daemon@ATHENA.MIT.EDU (Matthew Black)
Wed Jun 27 01:14:28 2012
From: Matthew Black <Matthew.Black@csulb.edu>
To: Jeremy Hanmer <jeremy@hq.newdream.net>
Date: Wed, 27 Jun 2012 05:13:45 +0000
In-Reply-To: <7C8D73E5-9043-4D9A-A541-612138163763@hq.newdream.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
I'm not familiar with curl and don't understand what I type and what the results are. Are you suggesting that when google refers to our website, we pick that up and redirect to couchtarts?
matthew black
information technology services
california state university, long beach
-----Original Message-----
From: Jeremy Hanmer [mailto:jeremy@hq.newdream.net]
Sent: Tuesday, June 26, 2012 9:59 PM
To: Matthew Black
Cc: nanog@nanog.org
Subject: Re: DNS poisoning at Google?
It's not DNS. If you're sure there are no htaccess files in place, check your content (even that stored in a database) for anything that might be altering data based on referrer. This simple test shows what I mean:
Airy:~ user$ curl -e 'http://google.com' csulb.edu
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
</body></html>
Running curl without the -e argument gives the proper site contents.
On Jun 26, 2012, at 9:35 PM, Matthew Black <Matthew.Black@csulb.edu> wrote:
> Yes, we've used the Google Webmaster Tools a lot today. Submitted multiple requests and they keep insisting that our site issues a redirect. Unable to duplicate the problem here.
>
> matthew black
> information technology services
> california state university, long beach
>
> From: Ishmael Rufus [mailto:sakamura@gmail.com]
> Sent: Tuesday, June 26, 2012 9:34 PM
> To: Matthew Black
> Cc: David Hubbard; nanog@nanog.org
> Subject: Re: DNS poisoning at Google?
>
> Have you tried using Google Webmaster tools?
> On Tue, Jun 26, 2012 at 11:28 PM, Matthew Black <Matthew.Black@csulb.edu> wrote:
> Running Apache on three Solaris servers behind a load balancer.
>
> I forgot how to look up our AS number to see if it matches couchtarts.
>
> matthew black
> information technology services
> california state university, long beach
>
> -----Original Message-----
> From: David Hubbard [mailto:dhubbard@dino.hostasaurus.com]
> Sent: Tuesday, June 26, 2012 9:14 PM
> To: nanog@nanog.org
> Subject: RE: DNS poisoning at Google?
>
> Typically if google were pulling your site sometimes from the wrong IP, their safe browsing page should indicate it being on another AS number in addition to the correct one 2152:
>
> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.csulb.edu
>
> For example, the couchtarts site they claim yours is redirecting to:
>
> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.couchtarts.com
>
> That site's DNS is screwed up and some requests are sent to a different IP at a different host, so Google picked up both AS numbers.
>
> Could one of your domain's subdomains be what is actually infected? You seem to have a bunch of them, maybe google is penalizing the whole domain over a subdomain? Not sure if they do that or not.
>
> If your sites are running off of an application like wordpress, etc., you may not get the same page that google gets and the application may have been hacked.
> Here's a wget command you can use to make requests to your site pretending to be google:
>
> wget -c \
> --user-agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" \
> --output-document=googlebot.html 'http://www.csulb.edu'
>
> nanog will probably line wrap that user agent line making it not correct so you'll have to put it back together correctly. It will save the output to a file named googlebot.html you can look at to see if anything weird ends up being served.
>
> David
>
>
>> -----Original Message-----
>> From: Matthew Black [mailto:Matthew.Black@csulb.edu]
>> Sent: Tuesday, June 26, 2012 11:53 PM
>> To: nanog@nanog.org
>> Subject: DNS poisoning at Google?
>>
>> Google Safe Browsing and Firefox have marked our website as containing malware. They claim our home page returns no results, but redirects users to another compromised website couchtarts.com.
>>
>> We have thoroughly examined our root .htaccess and httpd.conf files and are not redirecting to the problem target site. No recent changes either.
>>
>> We ran some NSLOOKUPs against various public DNS servers and intermittently get results that are NOT our servers.
>>
>> We believe the DNS servers used by Google's crawler have been poisoned.
>>
>> Can anyone shed some light on this?
>>
>> matthew black
>> information technology services
>> california state university, long beach
>> www.csulb.edu
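Added example, not code from anyone in this thread: a small Python checker that applies the two tests Jeremy and David describe (a Google Referer via curl -e, and a Googlebot User-Agent via wget) and flags any probe whose status or Location header differs from a plain request, which is what a referrer-conditional redirect planted in site content looks like from outside. The function names, and the compromised_site_fetch simulator that reproduces the 301-to-couchtarts behaviour offline, are assumptions constructed here; http_fetch is the live version for your own host.

```python
import urllib.error
import urllib.request

# Request variants from the thread: a plain request, one claiming to arrive
# from a Google search result (curl -e 'http://google.com'), and one claiming
# to be Googlebot (the wget --user-agent line).
PROBES = {
    "plain": {},
    "google-referer": {"Referer": "http://google.com"},
    "googlebot-ua": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                                   "+http://www.google.com/bot.html)"},
}

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the Location header can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_fetch(url, headers):
    """Live fetcher: returns (status, Location header or '') for one request."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location", "")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all land here
        return err.code, err.headers.get("Location", "")

def compromised_site_fetch(url, headers):
    """Constructed stand-in (assumption) for the behaviour shown in the thread:
    a 301 to couchtarts only when the Referer looks like Google."""
    if "google" in headers.get("Referer", ""):
        return 301, "http://www.couchtarts.com/media.php"
    return 200, ""

def probe_site(url, fetch=http_fetch):
    """Fetch the URL once per header variant; returns {probe: (status, location)}."""
    return {name: fetch(url, dict(hdrs)) for name, hdrs in PROBES.items()}

def find_cloaking(results):
    """Names of probes whose (status, location) differ from the plain request.
    A non-empty list means the server answers Google differently than it answers you."""
    base = results["plain"]
    return sorted(name for name, r in results.items() if name != "plain" and r != base)

if __name__ == "__main__":
    flagged = find_cloaking(probe_site("http://www.csulb.edu", compromised_site_fetch))
    print("conditional redirect on:", flagged)  # ['google-referer']
```

Swap compromised_site_fetch for the default http_fetch to run the same three probes against a real host; a clean site returns an empty list.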