[154176] in North American Network Operators' Group
Re: DNS poisoning at Google?
daemon@ATHENA.MIT.EDU (Bryan Irvine)
Wed Jun 27 03:09:54 2012
In-Reply-To: <ED78B1C68B84A14FA706D13A230D7B431954F436@ITS-MAIL01.campus.ad.csulb.edu>
From: Bryan Irvine <sparctacus@gmail.com>
Date: Wed, 27 Jun 2012 00:09:11 -0700
To: Matthew Black <Matthew.Black@csulb.edu>
Cc: "nanog@nanog.org" <nanog@nanog.org>,
Jeremy Hanmer <jeremy.hanmer@dreamhost.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
The fun part will be figuring out how it got there. :)
Sent from my iPhone
On Jun 27, 2012, at 12:06 AM, Matthew Black <Matthew.Black@csulb.edu> wrote:
> We found the aberrant .htaccess file and have removed it. What a mess!
>
> matthew black
> information technology services
> california state university, long beach
>
> From: Grant Ridder [mailto:shortdudey123@gmail.com]
> Sent: Tuesday, June 26, 2012 11:02 PM
> To: Matthew Black; nanog@nanog.org
> Cc: Jeremy Hanmer
> Subject: Re: DNS poisoning at Google?
>
> It also redirects with facebook, youtube, and ebay but NOT amazon.
>
> -Grant
>
> On Wed, Jun 27, 2012 at 12:57 AM, Matthew Black <Matthew.Black@csulb.edu> wrote:
> Our web lead was able to run curl. Thanks.
>
> matthew black
> information technology services
> california state university, long beach
>
> From: Grant Ridder [mailto:shortdudey123@gmail.com]
> Sent: Tuesday, June 26, 2012 10:53 PM
> To: Matthew Black
> Cc: Landon Stewart; nanog@nanog.org; Jeremy Hanmer
> Subject: Re: DNS poisoning at Google?
>
> Matt, what happens when you get on a subnet that can access the webservers directly and bypass the load balancer? Try curl then and see if it's something with the webserver or the load balancer.
>
> -Grant
> On Wed, Jun 27, 2012 at 12:40 AM, Matthew Black <Matthew.Black@csulb.edu> wrote:
> Thanks again to everyone who helped. I didn't know what to enter with curl, because Outlook clobbered the line breaks in Jeremy's original message.
>
> Also, curl failed on our primary webserver because of firewall and load balancer magic settings. The Telnet method worked better!
>
> Our team is now scouring for that hidden redirect to couchtarts.
>
> matthew black
> information technology services
> california state university, long beach
>
> From: Landon Stewart [mailto:lstewart@superb.net]
> Sent: Tuesday, June 26, 2012 10:37 PM
> To: Matthew Black
> Cc: Jeremy Hanmer; nanog@nanog.org
> Subject: Re: DNS poisoning at Google?
> There is definitely a 301 redirect.
>
> $ curl -I --referer http://www.google.com/ http://www.csulb.edu/
> HTTP/1.1 301 Moved Permanently
> Date: Wed, 27 Jun 2012 05:36:31 GMT
> Server: Apache/2.0.63
> Location: http://www.couchtarts.com/media.php
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
> On 26 June 2012 22:05, Matthew Black <Matthew.Black@csulb.edu> wrote:
> Google Webtools reports a problem with our HOMEPAGE "/". That page is not redirecting anywhere.
> They also report problems with some 48 other primary sites, none of which redirect to the offending couchtarts.
>
> matthew black
> information technology services
> california state university, long beach
>
> -----Original Message-----
> From: Jeremy Hanmer [mailto:jeremy.hanmer@dreamhost.com]
> Sent: Tuesday, June 26, 2012 9:58 PM
> To: Matthew Black
> Cc: nanog@nanog.org
> Subject: Re: DNS poisoning at Google?
> It's not DNS. If you're sure there are no htaccess files in place, check your content (even that stored in a database) for anything that might be altering data based on referrer. This simple test shows what I mean:
> Airy:~ user$ curl -e 'http://google.com' csulb.edu
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>301 Moved Permanently</title>
> </head><body>
> <h1>Moved Permanently</h1>
> <p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
> </body></html>
>
> Running curl without the -e argument gives the proper site contents.
> On Jun 26, 2012, at 9:24 PM, Matthew Black <Matthew.Black@csulb.edu> wrote:
>
>> Running Apache on three Solaris webservers behind a load balancer. No MS Windows!
>>
>> Not sure how malicious software could get between our load balancer and Unix servers. Thanks for the tip!
>>
>> matthew black
>> information technology services
>> california state university, long beach
>>
>> From: Landon Stewart [mailto:lstewart@superb.net]
>> Sent: Tuesday, June 26, 2012 9:07 PM
>> To: Matthew Black
>> Cc: nanog@nanog.org
>> Subject: Re: DNS poisoning at Google?
>>
>> Is it possible that some malicious software is listening and injecting a redirect on the wire? We've seen this before with a Windows machine being infected.
>> On 26 June 2012 20:53, Matthew Black <Matthew.Black@csulb.edu> wrote:
>> Google Safe Browsing and Firefox have marked our website as containing malware. They claim our home page returns no results, but redirects users to another compromised website, couchtarts.com.
>>
>> We have thoroughly examined our root .htaccess and httpd.conf files and are not redirecting to the problem target site. No recent changes either.
>>
>> We ran some NSLOOKUPs against various public DNS servers and intermittently get results that are NOT our servers.
>>
>> We believe the DNS servers used by Google's crawler have been poisoned.
>>
>> Can anyone shed some light on this?
>>
>> matthew black
>> information technology services
>> california state university, long beach
>> www.csulb.edu
>>
>> --
>> Landon Stewart <LStewart@Superb.Net>
>> Sr. Administrator
>> Systems Engineering
>> Superb Internet Corp - 888-354-6128 x 4199
>> Web hosting and more "Ahead of the Rest": http://www.superbhosting.net
>>
>
> --
> Landon Stewart <LStewart@Superb.Net>
> Sr. Administrator
> Systems Engineering
> Superb Internet Corp - 888-354-6128 x 4199
> Web hosting and more "Ahead of the Rest": http://www.superbhosting.net
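Jeremy's `curl -e` test and Grant's list of triggering referers, turned into a repeatable check (an added example, not code from anyone in the thread). A constructed local server stands in for the compromised site and answers a 301 only when the Referer names google, facebook, youtube or ebay; the probe fetches the page with no Referer and then with each candidate, without following redirects, and reports every referer whose answer differs from the baseline. The redirect target host is a placeholder, not the real one.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Constructed stand-in for the compromised site: it serves the normal page unless
# the Referer names a site in TRIGGER_REFERERS (the thread saw google, facebook,
# youtube and ebay trigger the redirect but not amazon), then answers with a 301.
TRIGGER_REFERERS = ("google.", "facebook.", "youtube.", "ebay.")
REDIRECT_TARGET = "http://redirect-target.invalid/media.php"  # placeholder host

class ConditionalRedirect(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        if any(k in self.headers.get("Referer", "") for k in TRIGGER_REFERERS):
            self.send_response(301)
            self.send_header("Location", REDIRECT_TARGET)
            self.end_headers()
            return
        body = b"<html><body>normal home page</body></html>"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo server quiet
        pass

def start_server():
    srv = http.server.HTTPServer(("127.0.0.1", 0), ConditionalRedirect)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

class NoRedirect(urllib.request.HTTPRedirectHandler):
    # Like `curl -I` without -L: report the 3xx instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch_status(url, referer=None):
    """Return (status, Location) for one GET, optionally carrying a Referer."""
    req = urllib.request.Request(url, headers={"Referer": referer} if referer else {})
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")

def find_referer_cloaking(url, referers):
    # Referers whose answer differs from the bare request: the cloaking signature.
    baseline = fetch_status(url)
    return {r: res for r in referers if (res := fetch_status(url, r)) != baseline}
```

Point `find_referer_cloaking` at a real host and, as Grant suggests, run it once through the load balancer and once against each backend directly; a hit on only one path tells you which layer is doing the rewriting.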