nanog mailing list archives
Re: DNS poisoning at Google?
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Wed, 27 Jun 2012 01:32:12 -0400
On Wed, Jun 27, 2012 at 1:26 AM, Matthew Black <Matthew.Black () csulb edu> wrote:
> Thank you for that helpful instruction! curl doesn't work because our
> webserver is firewalled against outbound traffic. The telnet to port 80
> showed me the problem. I also didn't understand when output was placed at
> the end of the command line, instead of starting on the next line... that
> looked like something I was supposed to type.

sorry... often when I end up testing something like this I cut/paste from a
buffer, so:

  telnet bloop 80 <paste> <return/return/return> read-output...

In the case of your server:

  GET / HTTP/1.0
  Host: www.csulb.edu
  Referer: http://www.google.com/
  <empty-line!!>

all gets pasted once the 'telnet www.csulb.edu 80' connects... the output is
the stuff that includes the 'redirect to couchtarts'.

-chris

> matthew black
> information technology services
> california state university, long beach
>
> -----Original Message-----
> From: christopher.morrow () gmail com [mailto:christopher.morrow () gmail com] On Behalf Of Christopher Morrow
> Sent: Tuesday, June 26, 2012 10:17 PM
> To: Ishmael Rufus
> Cc: Matthew Black; nanog () nanog org; Jeremy Hanmer
> Subject: Re: DNS poisoning at Google?
>
> for example, from the commandline with telnet:
>
> morrowc@teensy:~$ telnet www.csulb.edu 80
> Trying 134.139.1.60...
> Connected to gaggle.its.csulb.edu.
> Escape character is '^]'.
> GET / HTTP/1.0
> Host: www.csulb.edu
> Referer: http://www.google.com/
>
> HTTP/1.1 301 Moved Permanently
> Date: Wed, 27 Jun 2012 05:04:04 GMT
> Server: Apache/2.0.63
> Location: http://www.couchtarts.com/media.php
> Content-Length: 243
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>301 Moved Permanently</title>
> </head><body>
> <h1>Moved Permanently</h1>
> <p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
> </body></html>
> Connection closed by foreign host.
>
> oops :( fail.
>
> On Wed, Jun 27, 2012 at 1:13 AM, Ishmael Rufus <sakamura () gmail com> wrote:
> > Invoking the referrer on your site recommends a redirect to couchtarts.
> > I agree with Jeremy and Jeff: check your htaccess files, conf files and
> > anything that calls RewriteCond or Rewrite.
> >
> > On Wed, Jun 27, 2012 at 12:05 AM, Matthew Black <Matthew.Black () csulb edu> wrote:
> > > Google Webtools reports a problem with our HOMEPAGE "/". That page is
> > > not redirecting anywhere. They also report problems with some 48 other
> > > primary sites, none of which redirect to the offending couchtarts.
> > >
> > > matthew black
> > > information technology services
> > > california state university, long beach
> > >
> > > -----Original Message-----
> > > From: Jeremy Hanmer [mailto:jeremy.hanmer () dreamhost com]
> > > Sent: Tuesday, June 26, 2012 9:58 PM
> > > To: Matthew Black
> > > Cc: nanog () nanog org
> > > Subject: Re: DNS poisoning at Google?
> > >
> > > It's not DNS.
> > >
> > > If you're sure there's no htaccess files in place, check your content
> > > (even that stored in a database) for anything that might be altering
> > > data based on referrer. This simple test shows what I mean:
> > >
> > > Airy:~ user$ curl -e 'http://google.com' csulb.edu
> > > <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> > > <html><head>
> > > <title>301 Moved Permanently</title>
> > > </head><body>
> > > <h1>Moved Permanently</h1>
> > > <p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
> > > </body></html>
> > >
> > > Running curl without the -e argument gives the proper site contents.
> > >
> > > On Jun 26, 2012, at 9:24 PM, Matthew Black <Matthew.Black () csulb edu> wrote:
> > > > Running Apache on three Solaris webservers behind a load balancer. No
> > > > MSWindows! Not sure how malicious software could get between our load
> > > > balancer and Unix servers. Thanks for the tip!
> > > >
> > > > matthew black
> > > > information technology services
> > > > california state university, long beach
> > > >
> > > > From: Landon Stewart [mailto:lstewart () superb net]
> > > > Sent: Tuesday, June 26, 2012 9:07 PM
> > > > To: Matthew Black
> > > > Cc: nanog () nanog org
> > > > Subject: Re: DNS poisoning at Google?
> > > >
> > > > Is it possible that some malicious software is listening and injecting a
> > > > redirect on the wire? We've seen this before with a Windows machine being
> > > > infected.
> > > >
> > > > On 26 June 2012 20:53, Matthew Black <Matthew.Black () csulb edu> wrote:
> > > > > Google Safe Browsing and Firefox have marked our website as containing
> > > > > malware. They claim our home page returns no results, but redirects users
> > > > > to another compromised website couchtarts.com.
> > > > >
> > > > > We have thoroughly examined our root .htaccess and httpd.conf files and
> > > > > are not redirecting to the problem target site. No recent changes either.
> > > > >
> > > > > We ran some NSLOOKUPs against various public DNS servers and
> > > > > intermittently get results that are NOT our servers.
> > > > >
> > > > > We believe the DNS servers used by Google's crawler have been poisoned.
> > > > > Can anyone shed some light on this?
> > > > >
> > > > > matthew black
> > > > > information technology services
> > > > > california state university, long beach
> > > > > www.csulb.edu
> > > >
> > > > --
> > > > Landon Stewart <LStewart () Superb Net>
> > > > Sr. Administrator
> > > > Systems Engineering
> > > > Superb Internet Corp - 888-354-6128 x 4199
> > > > Web hosting and more "Ahead of the Rest": http://www.superbhosting.net
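The referer-conditional check that Chris and Jeremy run by hand in this thread, as an added example (not code from the thread or from any of its participants): it fetches a URL with and without a Referer header, refuses to follow redirects so a 301 is visible, and flags any referer whose response differs from the baseline; it also lists the RewriteCond lines in an Apache config that branch on HTTP_REFERER, the first place the replies say to look. The target URL, the referer list and the config text are assumptions.

```python
import re
import sys
import urllib.error
import urllib.request

# Constructed referer list: none (baseline) plus the search engines a crawler
# or search visitor would arrive from.  Assumed, not from the thread.
REFERERS = [None, "http://www.google.com/", "http://www.bing.com/"]


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand 3xx responses back instead of following them (curl without -L)."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, referer=None, timeout=10):
    """Fetch url once; return (status, Location header or None)."""
    req = urllib.request.Request(url, headers={"User-Agent": "referer-probe/1.0"})
    if referer:
        req.add_header("Referer", referer)
    opener = urllib.request.build_opener(NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:  # unfollowed 3xx, plus 4xx/5xx, land here
        return e.code, e.headers.get("Location")


def classify(results):
    """results: {referer: (status, location)}.  Return the referers whose
    response differs from the no-Referer baseline; a clean site returns {}."""
    base = results.get(None)
    return {r: v for r, v in results.items() if r is not None and v != base}


# Apache rules that branch on the referer, the first place the thread says to look.
REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}.*$", re.I | re.M)


def referer_rules(config_text):
    """Return the RewriteCond lines in an .htaccess/httpd.conf that test HTTP_REFERER."""
    return [m.group(0).strip() for m in REFERER_COND.finditer(config_text)]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://www.example.com/"  # assumed
    res = {ref: probe(target, ref) for ref in REFERERS}
    for ref, (status, loc) in res.items():
        print(f"Referer={ref!r:<26} -> {status} {loc or ''}")
    for ref, (status, loc) in classify(res).items():
        print(f"WARNING: referer-conditional response for {ref}: {status} -> {loc}")
```

Run it from a host that is allowed outbound HTTP (Matthew's web servers were not, which is why curl failed for him), and compare the status and Location columns across referers.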