nanog mailing list archives

Re: DNS poisoning at Google?

From: Jeremy Hanmer <jeremy () hq newdream net>
Date: Tue, 26 Jun 2012 21:59:00 -0700

It's not DNS.  If you're sure there's no htaccess files in place, check your content (even that stored in a database) 
for anything that might be altering data based on referrer.  This simple test shows what I mean:

Airy:~ user$ curl -e 'http://google.com&apos; csulb.edu
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.couchtarts.com/media.php";>here</a>.</p>
</body></html>

Running curl without the -e argument gives the proper site contents.  

On Jun 26, 2012, at 9:35 PM, Matthew Black <Matthew.Black () csulb edu> wrote:

Yes, we’ve used the Google Webmaster Tools a lot today. Submitted multiple requests and they keep insisting that our 
site issues a redirect. Unable to duplicate the problem here.

matthew black
information technology services
california state university, long beach

From: Ishmael Rufus [mailto:sakamura () gmail com]
Sent: Tuesday, June 26, 2012 9:34 PM
To: Matthew Black
Cc: David Hubbard; nanog () nanog org
Subject: Re: DNS poisoning at Google?

Have you tried using Google Webmaster tools?
On Tue, Jun 26, 2012 at 11:28 PM, Matthew Black <Matthew.Black () csulb edu<mailto:Matthew.Black () csulb edu>> wrote:
Running Apache on three Solaris servers behind a load balancer.

I forgot how to lookup our AS number to see if it matches couchtarts.

matthew black
information technology services
california state university, long beach

-----Original Message-----
From: David Hubbard [mailto:dhubbard () dino hostasaurus com<mailto:dhubbard () dino hostasaurus com>]
Sent: Tuesday, June 26, 2012 9:14 PM
To: nanog () nanog org<mailto:nanog () nanog org>
Subject: RE: DNS poisoning at Google?

Typically if google were pulling your site sometimes from the wrong IP, their safe browsing page should indicate it 
being on another AS number in addition to the correct one 2152:

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http
://www.csulb.edu<http://www.csulb.edu>

For example, the couchtarts site they claim yours is redirecting to:

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http
://www.couchtarts.com<http://www.couchtarts.com>

That site's DNS is screwed up and some requests are sent to a different IP at a different host, so Google picked up 
both AS numbers.

Could one of your domain's subdomains be what is actually infected?  You seem to have a bunch of them, maybe google 
is penalizing the whole domain over a subdomain?  Not sure if they do that or not.

If your sites are running off of an application like wordpress, etc., you may not get the same page that google gets 
and the application may have been hacked.
Here's a wget command you can use to make requests to your site pretending to be google:

wget -c \
--user-agent="Mozilla/5.0 (compatible; Googlebot/2.1;
+http://www.google.com/bot.html)" \
--output-document=googlebot.html 'http://www.csulb.edu&apos;

nanog will probably line wrap that user agent line making it not correct so you'll have to put it back together 
correctly.  It will save the output to a file named googlebot.html you can look at to see if anything weird ends up 
being served.

David

-----Original Message-----
From: Matthew Black [mailto:Matthew.Black () csulb edu<mailto:Matthew.Black () csulb edu>]
Sent: Tuesday, June 26, 2012 11:53 PM
To: nanog () nanog org<mailto:nanog () nanog org>
Subject: DNS poisoning at Google?

Google Safe Browsing and Firefox have marked our website as containing
malware. They claim our home page returns no results, but redirects
users to another compromised website couchtarts.com<http://couchtarts.com>.

We have thoroughly examined our root .htaccess and httpd.conf files
and are not redirecting to the problem target site. No recent changes
either.

We ran some NSLOOKUPs against various public DNS servers and
intermittently get results that are NOT our servers.

We believe the DNS servers used by Google's crawler have been
poisoned.

Can anyone shed some light on this?

matthew black
information technology services
california state university, long beach
www.csulb.edu<http://www.csulb.edu><http://www.csulb.edu>

Current thread:

Re: No DNS poisoning at Google (in case of trouble, blame the DNS), (continued)
- - - Re: No DNS poisoning at Google (in case of trouble, blame the DNS) Arturo Servin (Jun 28)
    - Re: No DNS poisoning at Google (in case of trouble, blame the DNS) Tei (Jun 28)
    - Re: No DNS poisoning at Google (in case of trouble, blame the DNS) Ken A (Jun 28)
- RE: DNS poisoning at Google? David Hubbard (Jun 26)
  - RE: DNS poisoning at Google? Matthew Black (Jun 26)
    - Re: DNS poisoning at Google? Sadiq Saif (Jun 26)
    - Re: DNS poisoning at Google? Ishmael Rufus (Jun 26)
    - RE: DNS poisoning at Google? Matthew Black (Jun 26)
    - Re: DNS poisoning at Google? Michael J Wise (Jun 26)
    - RE: DNS poisoning at Google? Matthew Black (Jun 26)
    - Re: DNS poisoning at Google? Jeremy Hanmer (Jun 26)
    - RE: DNS poisoning at Google? Matthew Black (Jun 26)
    - Re: DNS poisoning at Google? David Miller (Jun 26)
    - Re: DNS poisoning at Google? John Levine (Jun 26)
    - RE: DNS poisoning at Google? Matthew Black (Jun 26)
- RE: DNS poisoning at Google? David Hubbard (Jun 26)
  - Re: DNS poisoning at Google? Chris Griffin (Jun 26)