DNS poisoning at Google?

Chris Griffin cgriffin at ufl.edu
Wed Jun 27 05:20:46 UTC 2012


Also shows a redirect if you use bing.com or yahoo.com (and probably others) but not, for instance, blah.com...

Tnx
Chris

On Jun 27, 2012, at 1:13 AM, David Hubbard wrote:

> Well as Jeremy pointed out, your site is issuing
> redirects, he gave you the command to show it:
> 
> curl -e 'http://google.com' csulb.edu
> 
> So if you're sure your server(s) haven't been hacked,
> your application appears to have been hacked.  It only
> issues the redirect if the visitor comes in from a
> google search.
> 
> 
> 
> 
>> -----Original Message-----
>> From: Matthew Black [mailto:Matthew.Black at csulb.edu] 
>> Sent: Wednesday, June 27, 2012 1:03 AM
>> To: Michael J Wise
>> Cc: nanog at nanog.org
>> Subject: RE: DNS poisoning at Google?
>> 
>> Q:have you consulted the logs?
>> 
>> Seriously? Our servers have multiple log files due to 
>> multiple virtual hosts. Our primary domain log file on just 
>> one server has over 600,000 records x 3 servers.
>> 
>> Probably over 100,000 304 redirects in our logs.
>> 
>> couchtarts.com does not appear in our log files.
>> 
>> 
>> matthew black
>> information technology services
>> california state university, long beach
>> 
>> -----Original Message-----
>> From: Michael J Wise [mailto:mjwise at kapu.net] 
>> Sent: Tuesday, June 26, 2012 9:56 PM
>> To: Matthew Black
>> Cc: nanog at nanog.org
>> Subject: Re: DNS poisoning at Google?
>> 
>> 
>> On Jun 26, 2012, at 9:35 PM, Matthew Black wrote:
>> 
>>> Yes, we've used the Google Webmaster Tools a lot today. 
>> Submitted multiple requests and they keep insisting that our 
>> site issues a redirect. Unable to duplicate the problem here.
>> 
>> ... have you consulted the logs?
>> If the redirect is there, it ... 1) might not be from the 
>> home page, and 2) could be in ... user content?
>> 
>> awk '{if ($9 ~ /304/) { print $0 }}' access_log.
>> ... or some such.
>> Granted, might be a storm of " " -> index.html redirects, but 
>> they should be grep -v 'able in short order.
>> You might also look for the rDNS of the Google spider to see 
>> exactly where it is looking, and what it sees.
>> 
>> Aloha,
>> Michael.
>> -- 
>> "Please have your Internet License             
>> and Usenet Registration handy..."
>> 
>> 
>> 
>> 
>> 
>> 
> 


---
Chris Griffin                           cgriffin at ufl.edu
Sr. Network Engineer - CCNP             Phone: (352) 273-1051
CNS - Network Services                  Fax:   (352) 392-9440
University of Florida/FLR               Gainesville, FL 32611







More information about the NANOG mailing list