DNS poisoning at Google?

David Hubbard dhubbard at dino.hostasaurus.com
Wed Jun 27 04:14:17 UTC 2012


Typically if Google were pulling your site sometimes from the
wrong IP, their safe browsing page should indicate it being
on another AS number in addition to the correct one 2152:

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.csulb.edu

For example, the couchtarts site they claim yours is 
redirecting to:

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.couchtarts.com

That site's DNS is screwed up and some requests are sent
to a different IP at a different host, so Google picked
up both AS numbers.

Could one of your domain's subdomains be what is
actually infected?  You seem to have a bunch of
them, maybe Google is penalizing the whole domain over
a subdomain?  Not sure if they do that or not.

If your sites are running off of an application like
WordPress, etc., you may not get the same page that
Google gets and the application may have been hacked.
Here's a wget command you can use to make requests to
your site pretending to be Google:

wget -c \
--user-agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" \
--output-document=googlebot.html 'http://www.csulb.edu'

NANOG will probably line wrap that user agent line making
it not correct so you'll have to put it back together
correctly.  It will save the output to a file named
googlebot.html you can look at to see if anything weird
ends up being served.

David


> -----Original Message-----
> From: Matthew Black [mailto:Matthew.Black at csulb.edu] 
> Sent: Tuesday, June 26, 2012 11:53 PM
> To: nanog at nanog.org
> Subject: DNS poisoning at Google?
> 
> Google Safe Browsing and Firefox have marked our website as 
> containing malware. They claim our home page returns no 
> results, but redirects users to another compromised website 
> couchtarts.com.
> 
> We have thoroughly examined our root .htaccess and httpd.conf 
> files and are not redirecting to the problem target site. No 
> recent changes either.
> 
> We ran some NSLOOKUPs against various public DNS servers and 
> intermittently get results that are NOT our servers.
> 
> We believe the DNS servers used by Google's crawler have been 
> poisoned.
> 
> Can anyone shed some light on this?
> 
> matthew black
> information technology services
> california state university, long beach
> www.csulb.edu<http://www.csulb.edu>
> 
> 
> 
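
Added example, not part of the original message or thread: one way to check a saved googlebot.html against a copy fetched with a normal browser User-Agent is to list the off-site hosts that appear only in the crawler copy. The function names, example.edu and the sample HTML are constructed for illustration.

```shell
#!/bin/sh
# Added example. Produce the two inputs with the wget command from the message,
# once with the Googlebot --user-agent and once with a normal browser one.

# Print unique hosts of absolute http(s) URLs in file $1 that lie outside
# domain $2 (protocol-relative "//host" URLs are not handled here).
offsite_hosts() {
    own_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -oiE 'https?://[a-z0-9.-]+' "$1" \
        | sed -E 's#^[a-zA-Z]+://##' \
        | tr 'A-Z' 'a-z' \
        | grep -vE "(^|\\.)${own_re}\$" \
        | sort -u
}

# Print hosts referenced in the crawler copy ($2) but not the browser copy ($1).
# $3 is the site's own domain.
cloaked_hosts() {
    tmp=$(mktemp -d) || return 1
    offsite_hosts "$1" "$3" > "$tmp/browser"
    offsite_hosts "$2" "$3" > "$tmp/crawler"
    comm -13 "$tmp/browser" "$tmp/crawler"
    rm -rf "$tmp"
}

# Constructed sample responses (not captured from any real site), written to $1.
write_samples() {
    cat > "$1/browser.html" <<'EOF'
<html><head><link rel="stylesheet" href="http://www.example.edu/site.css"></head>
<body><a href="https://library.example.edu/">Library</a>
<script src="http://cdn.example.net/jquery.js"></script></body></html>
EOF
    cat > "$1/googlebot.html" <<'EOF'
<html><head><meta http-equiv="refresh" content="0; url=http://redirect-target.example.org/x">
<link rel="stylesheet" href="http://www.example.edu/site.css"></head>
<body><script src="http://cdn.example.net/jquery.js"></script></body></html>
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
cloaked_hosts "$demo_dir/browser.html" "$demo_dir/googlebot.html" example.edu
rm -rf "$demo_dir"
```

Any host this prints is referenced only in what the crawler was served, which is where to start looking in the application's files and database.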



