[154163] in North American Network Operators' Group
Re: DNS poisoning at Google?
daemon@ATHENA.MIT.EDU (Chris Griffin)
Wed Jun 27 01:21:30 2012
From: Chris Griffin <cgriffin@ufl.edu>
In-Reply-To: <FCD26398C5EDE746BFC47F43EA52A17304E0F100@dino.ad.hostasaurus.com>
Date: Wed, 27 Jun 2012 01:20:46 -0400
To: David Hubbard <dhubbard@dino.hostasaurus.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Also shows a redirect if you use bing.com or yahoo.com (and probably
others) but not, for instance, blah.com...
Tnx
Chris
On Jun 27, 2012, at 1:13 AM, David Hubbard wrote:
> Well as Jeremy pointed out, your site is issuing
> redirects, he gave you the command to show it:
>
> curl -e 'http://google.com' csulb.edu
>
> So if you're sure your server(s) haven't been hacked,
> your application appears to have been hacked. It only
> issues the redirect if the visitor comes in from a
> google search.
>
>> -----Original Message-----
>> From: Matthew Black [mailto:Matthew.Black@csulb.edu]
>> Sent: Wednesday, June 27, 2012 1:03 AM
>> To: Michael J Wise
>> Cc: nanog@nanog.org
>> Subject: RE: DNS poisoning at Google?
>>
>> Q: have you consulted the logs?
>>
>> Seriously? Our servers have multiple log files due to
>> multiple virtual hosts. Our primary domain log file on just
>> one server has over 600,000 records x 3 servers.
>>
>> Probably over 100,000 304 redirects in our logs.
>>
>> couchtarts.com does not appear in our log files.
>>
>> matthew black
>> information technology services
>> california state university, long beach
>>
>> -----Original Message-----
>> From: Michael J Wise [mailto:mjwise@kapu.net]
>> Sent: Tuesday, June 26, 2012 9:56 PM
>> To: Matthew Black
>> Cc: nanog@nanog.org
>> Subject: Re: DNS poisoning at Google?
>>
>> On Jun 26, 2012, at 9:35 PM, Matthew Black wrote:
>>
>>> Yes, we've used the Google Webmaster Tools a lot today.
>>> Submitted multiple requests and they keep insisting that our
>>> site issues a redirect. Unable to duplicate the problem here.
>>
>> ... have you consulted the logs?
>> If the redirect is there, it ... 1) might not be from the
>> home page, and 2) could be in ... user content?
>>
>> awk '{if ($9 ~ /304/) { print $0 }}' access_log.
>> ... or some such.
>> Granted, might be a storm of " " -> index.html redirects, but
>> they should be grep -v 'able in short order.
>> You might also look for the rDNS of the Google spider to see
>> exactly where it is looking, and what it sees.
>>
>> Aloha,
>> Michael.
>> --
>> "Please have your Internet License
>> and Usenet Registration handy..."
---
Chris Griffin cgriffin@ufl.edu
Sr. Network Engineer - CCNP Phone: (352) 273-1051
CNS - Network Services Fax: (352) 392-9440
University of Florida/FLR Gainesville, FL 32611
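
The behaviour discussed in this thread (a redirect issued only when the Referer is a search engine) can also be looked for in the server's own access logs rather than with a live curl request. The following is an added example, not part of any message in the thread; it assumes Apache-style combined log format, and the sample lines, addresses and paths are constructed.

```shell
#!/bin/sh
# Added example. Constructed sample in Apache "combined" format; the
# addresses, paths and timestamps are made up for illustration.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [27/Jun/2012:00:01:02 -0700] "GET / HTTP/1.1" 302 229 "http://www.google.com/search?q=example" "Mozilla/5.0"
192.0.2.11 - - [27/Jun/2012:00:01:05 -0700] "GET / HTTP/1.1" 302 229 "http://www.bing.com/search?q=example" "Mozilla/5.0"
192.0.2.12 - - [27/Jun/2012:00:01:09 -0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.13 - - [27/Jun/2012:00:01:11 -0700] "GET / HTTP/1.1" 200 5120 "http://blah.com/" "Mozilla/5.0"
192.0.2.14 - - [27/Jun/2012:00:01:15 -0700] "GET /old HTTP/1.1" 301 240 "http://www.google.com/" "Mozilla/5.0"
192.0.2.15 - - [27/Jun/2012:00:01:18 -0700] "GET /old HTTP/1.1" 301 240 "-" "Mozilla/5.0"
192.0.2.16 - - [27/Jun/2012:00:01:20 -0700] "GET /style.css HTTP/1.1" 304 - "http://www.google.com/" "Mozilla/5.0"
192.0.2.17 - - [27/Jun/2012:00:01:22 -0700] "GET /style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
EOF
}

# Report paths that redirect only when the Referer is a search engine.
# Assumes whitespace-split fields as in the thread's awk one-liner:
# $7 = path, $9 = status, $11 = quoted Referer.
referer_conditional_redirects() {
  awk '
    function ref_host(ref,   part, n, h) {
      n = split(ref, part, "/")        # scheme://host/path -> part[3] is the host
      if (n < 3) return ""             # "-" or a non-URL referer
      h = tolower(part[3])
      gsub(/"/, "", h)                 # closing quote when the URL has no path
      sub(/[:?].*/, "", h)             # drop port or query
      return h
    }
    {
      path = $7
      # Search engines named in the thread; the leading "." anchors on a label boundary.
      se = (("." ref_host($11)) ~ /\.(google|bing|yahoo)\.com$/)
      # Real redirects only: 304 Not Modified carries no Location header.
      redir = ($9 ~ /^30[12378]$/)
      total[path, se]++
      if (redir) hits[path, se]++
      seen[path] = 1
    }
    END {
      for (p in seen)
        if (hits[p, 1] > 0 && total[p, 0] > 0 && hits[p, 0] == 0)
          printf "%s search_referer_redirects=%d/%d other_redirects=0/%d\n", p, hits[p, 1], total[p, 1], total[p, 0]
    }
  '
}

sample_log | referer_conditional_redirects
```

The combined format records the status code and the Referer but not the Location response header, so the redirect target itself will not show up in such logs; the pattern to look for is the status code paired with the Referer.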