[154170] in North American Network Operators' Group
RE: DNS poisoning at Google?
daemon@ATHENA.MIT.EDU (Matthew Black)
Wed Jun 27 01:41:06 2012
From: Matthew Black <Matthew.Black@csulb.edu>
To: Landon Stewart <lstewart@superb.net>
Date: Wed, 27 Jun 2012 05:40:22 +0000
In-Reply-To: <CABgOHgt6_irJxyug9+zY+0-P==ywnuRCCOqroh=DMMttfe37WA@mail.gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>,
Jeremy Hanmer <jeremy.hanmer@dreamhost.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Thanks again to everyone who helped. I didn't know what to enter with curl, because Outlook clobbered the line breaks in Jeremy's original message.
Also, curl failed on our primary webserver because of firewall and load balancer magic settings. The Telnet method worked better!
Our team is now scouring for that hidden redirect to couchtarts.
matthew black
information technology services
california state university, long beach
From: Landon Stewart [mailto:lstewart@superb.net]
Sent: Tuesday, June 26, 2012 10:37 PM
To: Matthew Black
Cc: Jeremy Hanmer; nanog@nanog.org
Subject: Re: DNS poisoning at Google?
There is definitely a 301 redirect.
$ curl -I --referer http://www.google.com/ http://www.csulb.edu/
HTTP/1.1 301 Moved Permanently
Date: Wed, 27 Jun 2012 05:36:31 GMT
Server: Apache/2.0.63
Location: http://www.couchtarts.com/media.php
Connection: close
Content-Type: text/html; charset=iso-8859-1
On 26 June 2012 22:05, Matthew Black <Matthew.Black@csulb.edu> wrote:
Google Webtools reports a problem with our HOMEPAGE "/". That page is not redirecting anywhere.
They also report problems with some 48 other primary sites, none of which redirect to the offending couchtarts.
matthew black
information technology services
california state university, long beach
-----Original Message-----
From: Jeremy Hanmer [mailto:jeremy.hanmer@dreamhost.com]
Sent: Tuesday, June 26, 2012 9:58 PM
To: Matthew Black
Cc: nanog@nanog.org
Subject: Re: DNS poisoning at Google?
It's not DNS. If you're sure there's no htaccess files in place, check your content (even that stored in a database) for anything that might be altering data based on referrer. This simple test shows what I mean:
Airy:~ user$ curl -e 'http://google.com' csulb.edu
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
</body></html>
Running curl without the -e argument gives the proper site contents.
On Jun 26, 2012, at 9:24 PM, Matthew Black <Matthew.Black@csulb.edu> wrote:
> Running Apache on three Solaris webservers behind a load balancer. No MS Windows!
>
> Not sure how malicious software could get between our load balancer and Unix servers. Thanks for the tip!
>
> matthew black
> information technology services
> california state university, long beach
>
>
>
> From: Landon Stewart [mailto:lstewart@superb.net]
> Sent: Tuesday, June 26, 2012 9:07 PM
> To: Matthew Black
> Cc: nanog@nanog.org
> Subject: Re: DNS poisoning at Google?
>
> Is it possible that some malicious software is listening and injecting a redirect on the wire? We've seen this before with a Windows machine being infected.
> On 26 June 2012 20:53, Matthew Black <Matthew.Black@csulb.edu> wrote:
> Google Safe Browsing and Firefox have marked our website as containing malware. They claim our home page returns no results, but redirects users to another compromised website couchtarts.com.
>
> We have thoroughly examined our root .htaccess and httpd.conf files and are not redirecting to the problem target site. No recent changes either.
>
> We ran some NSLOOKUPs against various public DNS servers and intermittently get results that are NOT our servers.
>
> We believe the DNS servers used by Google's crawler have been poisoned.
>
> Can anyone shed some light on this?
>
> matthew black
> information technology services
> california state university, long beach
> www.csulb.edu
>
>
>
> --
> Landon Stewart <LStewart@Superb.Net>
> Sr. Administrator
> Systems Engineering
> Superb Internet Corp - 888-354-6128 x 4199
> Web hosting and more "Ahead of the Rest": http://www.superbhosting.net
>
--
Landon Stewart <LStewart@Superb.Net>
Sr. Administrator
Systems Engineering
Superb Internet Corp - 888-354-6128 x 4199
Web hosting and more "Ahead of the Rest": http://www.superbhosting.net
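The referrer-conditional redirect Jeremy and Landon demonstrate with `curl -e` / `curl -I --referer` can be checked automatically. The script below is an added example, not code from anyone in the thread: it requests a URL with no Referer and then with each candidate search-engine referrer, with redirects disabled so the 301 itself is observed, and reports any referrer whose status or Location differs from the baseline. `sample_fetch` is a constructed stand-in that mimics the behaviour reported for www.csulb.edu so the logic runs offline; `http_fetch` is the live equivalent.

```python
"""Check a site for referrer-conditional redirects (the cloaking seen in the thread)."""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, Optional[str]]          # (HTTP status, Location header or None)
Fetcher = Callable[[str, Optional[str]], Response]

# Referrers worth probing: the thread shows the redirect only fires for Google.
SEARCH_REFERERS: List[str] = ["http://www.google.com/", "http://www.bing.com/"]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses as HTTPError instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url: str, referer: Optional[str]) -> Response:
    """Live HEAD request, the equivalent of `curl -I --referer <ref> <url>`."""
    req = urllib.request.Request(url, method="HEAD")
    if referer:
        req.add_header("Referer", referer)
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=10) as r:
            return r.status, r.headers.get("Location")
    except urllib.error.HTTPError as e:          # 3xx/4xx/5xx land here
        return e.code, e.headers.get("Location")


def find_referrer_cloaking(url: str, referers: List[str] = SEARCH_REFERERS,
                           fetch: Fetcher = http_fetch) -> Dict[str, Response]:
    """Return {referer: response} for each referer whose response differs from
    the no-Referer baseline. An empty dict means no cloaking was observed."""
    baseline = fetch(url, None)
    findings: Dict[str, Response] = {}
    for ref in referers:
        probe = fetch(url, ref)
        if probe != baseline:
            findings[ref] = probe
    return findings


def sample_fetch(url: str, referer: Optional[str]) -> Response:
    """Constructed stand-in reproducing the behaviour reported in the thread:
    a 301 to couchtarts only when the request claims to come from Google."""
    if referer and "google." in referer:
        return 301, "http://www.couchtarts.com/media.php"
    return 200, None


if __name__ == "__main__":
    for ref, (status, loc) in find_referrer_cloaking("http://www.csulb.edu/", fetch=sample_fetch).items():
        print(f"Referer {ref} -> {status} {loc}")   # flags the Google referrer only
```

Swap `fetch=sample_fetch` for the default `http_fetch` to run it against a live site; a clean site returns an empty dict, which makes this easy to schedule as a recurring check.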