DNS poisoning at Google?

Ian McDonald iam at st-andrews.ac.uk
Wed Jun 27 07:11:50 UTC 2012


Ahh, but how did it get there in the first place. Matthew, meet can of worms. I presume you have an opener.

--
ian
-----Original Message-----
From: Matthew Black
Sent:  27/06/2012, 08:07
To: Grant Ridder; nanog at nanog.org
Cc: Jeremy Hanmer
Subject: RE: DNS poisoning at Google?

We found the aberrant .htaccess file and have removed it. What a mess!

matthew black
information technology services
california state university, long beach

From: Grant Ridder [mailto:shortdudey123 at gmail.com]
Sent: Tuesday, June 26, 2012 11:02 PM
To: Matthew Black; nanog at nanog.org
Cc: Jeremy Hanmer
Subject: Re: DNS poisoning at Google?

It also redirects with facebook, youtube, and ebay but NOT amazon.

-Grant

On Wed, Jun 27, 2012 at 12:57 AM, Matthew Black <Matthew.Black at csulb.edu> wrote:
Our web lead was able to run curl. Thanks.

matthew black
information technology services
california state university, long beach

From: Grant Ridder [mailto:shortdudey123 at gmail.com]
Sent: Tuesday, June 26, 2012 10:53 PM
To: Matthew Black
Cc: Landon Stewart; nanog at nanog.org; Jeremy Hanmer
Subject: Re: DNS poisoning at Google?

Matt, what happens when you get on a subnet that can access the webservers directly and bypass the load balancer?  Try curl then and see if it's something with the webserver or the load balancer.

-Grant
On Wed, Jun 27, 2012 at 12:40 AM, Matthew Black <Matthew.Black at csulb.edu> wrote:
Thanks again to everyone who helped. I didn't know what to enter with curl, because Outlook clobbered the line breaks in Jeremy's original message.

Also, curl failed on our primary webserver because of firewall and load balancer magic settings. The Telnet method worked better!

Our team is now scouring for that hidden redirect to couchtarts.

matthew black
information technology services
california state university, long beach

From: Landon Stewart [mailto:lstewart at superb.net]
Sent: Tuesday, June 26, 2012 10:37 PM
To: Matthew Black
Cc: Jeremy Hanmer; nanog at nanog.org
Subject: Re: DNS poisoning at Google?

There is definitely a 301 redirect.

$ curl -I --referer http://www.google.com/ http://www.csulb.edu/
HTTP/1.1 301 Moved Permanently
Date: Wed, 27 Jun 2012 05:36:31 GMT
Server: Apache/2.0.63
Location: http://www.couchtarts.com/media.php
Connection: close
Content-Type: text/html; charset=iso-8859-1

On 26 June 2012 22:05, Matthew Black <Matthew.Black at csulb.edu> wrote:
Google Webtools reports a problem with our HOMEPAGE "/". That page is not redirecting anywhere.
They also report problems with some 48 other primary sites, none of which redirect to the offending couchtarts.

matthew black
information technology services
california state university, long beach

-----Original Message-----
From: Jeremy Hanmer [mailto:jeremy.hanmer at dreamhost.com]
Sent: Tuesday, June 26, 2012 9:58 PM
To: Matthew Black
Cc: nanog at nanog.org
Subject: Re: DNS poisoning at Google?

It's not DNS.  If you're sure there's no htaccess files in place, check your content (even that stored in a database) for anything that might be altering data based on referrer.  This simple test shows what I mean:
Airy:~ user$ curl -e 'http://google.com' csulb.edu
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
</body></html>

Running curl without the -e argument gives the proper site contents.

On Jun 26, 2012, at 9:24 PM, Matthew Black <Matthew.Black at csulb.edu> wrote:

> Running Apache on three Solaris webservers behind a load balancer. No MS Windows!
>
> Not sure how malicious software could get between our load balancer and Unix servers. Thanks for the tip!
>
> matthew black
> information technology services
> california state university, long beach
>
>
>
> From: Landon Stewart [mailto:lstewart at superb.net]
> Sent: Tuesday, June 26, 2012 9:07 PM
> To: Matthew Black
> Cc: nanog at nanog.org
> Subject: Re: DNS poisoning at Google?
>
> Is it possible that some malicious software is listening and injecting a redirect on the wire?  We've seen this before with a Windows machine being infected.
> On 26 June 2012 20:53, Matthew Black <Matthew.Black at csulb.edu> wrote:
> Google Safe Browsing and Firefox have marked our website as containing malware. They claim our home page returns no results, but redirects users to another compromised website, couchtarts.com.
>
> We have thoroughly examined our root .htaccess and httpd.conf files and are not redirecting to the problem target site. No recent changes either.
>
> We ran some NSLOOKUPs against various public DNS servers and intermittently get results that are NOT our servers.
>
> We believe the DNS servers used by Google's crawler have been poisoned.
>
> Can anyone shed some light on this?
>
> matthew black
> information technology services
> california state university, long beach
> www.csulb.edu
>
>
>
> --
> Landon Stewart <LStewart at Superb.Net>
> Sr. Administrator
> Systems Engineering
> Superb Internet Corp - 888-354-6128 x 4199
> Web hosting and more "Ahead of the Rest": http://www.superbhosting.net
>
--
Landon Stewart <LStewart at Superb.Net>
Sr. Administrator
Systems Engineering
Superb Internet Corp - 888-354-6128 x 4199
Web hosting and more "Ahead of the Rest": http://www.superbhosting.net
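The referrer-conditional redirect that Jeremy and Landon exposed with `curl -e` / `curl --referer` is easy to miss by hand, because a direct visit looks perfectly healthy. The script below is an added example, not code from this thread or from any of its participants: it automates the same test, fetching the same path with no Referer and with several search/social referers, refusing to follow redirects (the thread saw the redirect fire for Google, Facebook, YouTube and eBay but not Amazon), and flagging any referer whose answer differs from the baseline and points off-site. The `vhost` parameter covers Grant's suggestion of probing a backend directly while still sending the public Host header. The compromised site is a constructed stand-in served from localhost so the script runs offline, and `redirect-target.invalid` is a placeholder, not the real redirect target.

```python
"""Probe a web server for referrer-conditional ("cloaked") redirects.

Added example, not code from the thread. Fetch one path with no Referer
and with several search/social referers, without following redirects,
and flag any referer that changes the status or sends visitors off-site.

The compromised site is a constructed stand-in served from localhost so
that the script runs offline; the off-site target is a placeholder.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Referers worth probing. The thread saw the redirect fire for Google,
# Facebook, YouTube and eBay referers but not for Amazon.
PROBE_REFERERS = [
    "http://www.google.com/",
    "http://www.facebook.com/",
    "http://www.youtube.com/",
    "http://www.ebay.com/",
    "http://www.amazon.com/",
]


def probe(server, port, path, referer, vhost=None):
    """Issue one GET with http.client, which never follows redirects.

    `vhost` lets you hit a backend web server directly (bypassing a load
    balancer) while still sending the public Host header the site's
    virtual-host configuration keys on.
    """
    headers = {"Host": vhost or server, "User-Agent": "redirect-probe/1.0"}
    if referer is not None:
        headers["Referer"] = referer
    conn = http.client.HTTPConnection(server, port, timeout=5)
    try:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        body = resp.read()
        return resp.status, resp.getheader("Location"), body
    finally:
        conn.close()


def scan_for_cloaked_redirects(server, port, path="/", vhost=None):
    """Compare each referer probe against the no-Referer baseline."""
    site_host = vhost or server
    base_status, base_location, _ = probe(server, port, path, None, vhost)
    findings = []
    for referer in PROBE_REFERERS:
        status, location, _ = probe(server, port, path, referer, vhost)
        if (status, location) == (base_status, base_location):
            continue  # same answer as a direct visit: nothing cloaked here
        target_host = urlparse(location or "").hostname
        findings.append({
            "referer": referer,
            "status": status,
            "location": location,
            # A redirect to some other host is the pattern that got the
            # site flagged by Google Safe Browsing in the thread.
            "offsite": target_host not in (None, site_host),
        })
    return findings


class _CloakingSite(BaseHTTPRequestHandler):
    """Constructed stand-in for the compromised server (hypothetical)."""
    CLOAK_ON = ("google.", "facebook.", "youtube.", "ebay.")

    def do_GET(self):
        ref_host = urlparse(self.headers.get("Referer", "")).hostname or ""
        if any(key in ref_host for key in self.CLOAK_ON):
            self.send_response(301)
            self.send_header("Location", "http://redirect-target.invalid/media.php")
            self.end_headers()
            return
        body = b"<html><body>Real home page content</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_stand_in_server():
    """Run the constructed cloaking site on an ephemeral localhost port."""
    srv = HTTPServer(("127.0.0.1", 0), _CloakingSite)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_stand_in_server()
    try:
        for f in scan_for_cloaked_redirects("127.0.0.1", srv.server_address[1]):
            print(f"{f['referer']}: {f['status']} -> {f['location']} (offsite={f['offsite']})")
    finally:
        srv.shutdown()
```

Against a real host you would drop the stand-in server and call `scan_for_cloaked_redirects("backend-ip", 80, vhost="www.example.edu")` from a subnet that reaches each web server individually, so a redirect present on only one of three load-balanced backends (or only at the balancer) shows up as a difference between runs. Because the whole comparison is done per-referer against the direct-visit baseline, it also catches a redirect injected by content stored in a database, which Jeremy pointed out would never appear in `.htaccess` or `httpd.conf`.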