[154161] in North American Network Operators' Group


Re: DNS poisoning at Google?

daemon@ATHENA.MIT.EDU (Christopher Morrow)
Wed Jun 27 01:17:27 2012

In-Reply-To: <CAL-SDLFyAH+q38P3yCCAqOmLkrj7nNvtVnSws1k0TwExqzE=Ww@mail.gmail.com>
Date: Wed, 27 Jun 2012 01:16:54 -0400
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Ishmael Rufus <sakamura@gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>,
 Jeremy Hanmer <jeremy.hanmer@dreamhost.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

for example, from the commandline with telnet:

morrowc@teensy:~$ telnet www.csulb.edu 80
Trying 134.139.1.60...
Connected to gaggle.its.csulb.edu.
Escape character is '^]'.
GET / HTTP/1.0
Host: www.csulb.edu
Referer: http://www.google.com/



HTTP/1.1 301 Moved Permanently
Date: Wed, 27 Jun 2012 05:04:04 GMT
Server: Apache/2.0.63
Location: http://www.couchtarts.com/media.php
Content-Length: 243
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a
href="http://www.couchtarts.com/media.php">here</a>.</p>
</body></html>
Connection closed by foreign host.


oops :( fail.

On Wed, Jun 27, 2012 at 1:13 AM, Ishmael Rufus <sakamura@gmail.com> wrote:
> Invoking the referrer on your site recommends a redirect to couchtarts. I
> agree with Jeremy and Jeff check your htaccess files, conf files and
> anything that calls RewriteCond or Rewrite
>
> On Wed, Jun 27, 2012 at 12:05 AM, Matthew Black <Matthew.Black@csulb.edu> wrote:
>
>> Google Webtools reports a problem with our HOMEPAGE "/". That page is not
>> redirecting anywhere.
>> They also report problems with some 48 other primary sites, none of which
>> redirect to the offending couchtarts.
>>
>> matthew black
>> information technology services
>> california state university, long beach
>>
>>
>>
>>
>>
>> -----Original Message-----
>> From: Jeremy Hanmer [mailto:jeremy.hanmer@dreamhost.com]
>> Sent: Tuesday, June 26, 2012 9:58 PM
>> To: Matthew Black
>> Cc: nanog@nanog.org
>> Subject: Re: DNS poisoning at Google?
>>
>> It's not DNS. If you're sure there's no htaccess files in place, check
>> your content (even that stored in a database) for anything that might be
>> altering data based on referrer. This simple test shows what I mean:
>>
>> Airy:~ user$ curl -e 'http://google.com' csulb.edu
>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>> <html><head>
>> <title>301 Moved Permanently</title>
>> </head><body>
>> <h1>Moved Permanently</h1>
>> <p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
>> </body></html>
>>
>> Running curl without the -e argument gives the proper site contents.
>>
>> On Jun 26, 2012, at 9:24 PM, Matthew Black <Matthew.Black@csulb.edu>
>> wrote:
>>
>> > Running Apache on three Solaris webservers behind a load balancer. No MS
>> Windows!
>> >
>> > Not sure how malicious software could get between our load balancer and
>> Unix servers. Thanks for the tip!
>> >
>> > matthew black
>> > information technology services
>> > california state university, long beach
>> >
>> >
>> >
>> > From: Landon Stewart [mailto:lstewart@superb.net]
>> > Sent: Tuesday, June 26, 2012 9:07 PM
>> > To: Matthew Black
>> > Cc: nanog@nanog.org
>> > Subject: Re: DNS poisoning at Google?
>> >
>> > Is it possible that some malicious software is listening and injecting a
>> redirect on the wire? We've seen this before with a Windows machine being
>> infected.
>> > On 26 June 2012 20:53, Matthew Black <Matthew.Black@csulb.edu> wrote:
>> > Google Safe Browsing and Firefox have marked our website as containing
>> malware. They claim our home page returns no results, but redirects users
>> to another compromised website couchtarts.com.
>> >
>> > We have thoroughly examined our root .htaccess and httpd.conf files and
>> are not redirecting to the problem target site. No recent changes either.
>> >
>> > We ran some NSLOOKUPs against various public DNS servers and
>> intermittently get results that are NOT our servers.
>> >
>> > We believe the DNS servers used by Google's crawler have been poisoned.
>> >
>> > Can anyone shed some light on this?
>> >
>> > matthew black
>> > information technology services
>> > california state university, long beach
>> > www.csulb.edu
>> >
>> >
>> >
>> > --
>> > Landon Stewart <LStewart@Superb.Net>
>> > Sr. Administrator
>> > Systems Engineering
>> > Superb Internet Corp - 888-354-6128 x 4199 Web hosting and more "Ahead
>> > of the Rest":
>> > http://www.superbhosting.net
>> >
>>
>>
>>
>>
>>

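The by-hand test Jeremy and Chris run above (same request with and without a Referer, compare what comes back) as a small check you can run against your own site; this is an added example, not code from the thread. It talks HTTP/1.0 over a raw socket exactly like the telnet session, never follows redirects, and reports a target only when supplying the Referer alone turns the page into a redirect. The sample responses embedded for the offline run are constructed, modelled on the capture in the thread; the function names are assumptions of this example.

```python
import socket
from typing import Optional, Tuple

REDIRECT_CODES = {301, 302, 303, 307, 308}

def build_request(host: str, path: str = "/", referer: Optional[str] = None) -> bytes:
    """The HTTP/1.0 request typed into telnet in the thread, optionally with Referer."""
    lines = [f"GET {path} HTTP/1.0", f"Host: {host}"]
    if referer:
        lines.append(f"Referer: {referer}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def parse_status_and_location(raw: bytes) -> Tuple[int, Optional[str]]:
    """Pull the status code and the Location header out of a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location

def referer_conditional_redirect(plain: bytes, with_referer: bytes) -> Optional[str]:
    """Return the redirect target if the page only redirects when a Referer is sent
    (or redirects somewhere else than it does without one); None when both agree."""
    s_plain, loc_plain = parse_status_and_location(plain)
    s_ref, loc_ref = parse_status_and_location(with_referer)
    if s_ref in REDIRECT_CODES and loc_ref and (s_plain not in REDIRECT_CODES or loc_ref != loc_plain):
        return loc_ref
    return None

def fetch_raw(host: str, path: str = "/", referer: Optional[str] = None,
              port: int = 80, timeout: float = 10.0) -> bytes:
    """Fetch over a plain socket like the telnet session; redirects are never followed."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(host, path, referer))
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks)

def check_site(host: str, path: str = "/", referer: str = "http://www.google.com/") -> Optional[str]:
    """Run the two-request comparison against a live host (network required)."""
    return referer_conditional_redirect(fetch_raw(host, path), fetch_raw(host, path, referer))

# Constructed sample responses modelled on the thread's capture (not real traffic).
SAMPLE_PLAIN = b"HTTP/1.1 200 OK\r\nServer: Apache/2.0.63\r\nContent-Type: text/html\r\n\r\n<html>home</html>"
SAMPLE_WITH_REFERER = (b"HTTP/1.1 301 Moved Permanently\r\nServer: Apache/2.0.63\r\n"
                       b"Location: http://www.couchtarts.com/media.php\r\nConnection: close\r\n\r\n<html>moved</html>")
```

Run `check_site("www.example.org")` for a live comparison; a non-None result means the page behaves differently for search-engine referrals and the content, rewrite rules, and database-stored templates deserve a look, as the thread suggests.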
