DNS poisoning at Google?

Ishmael Rufus sakamura at gmail.com
Wed Jun 27 07:30:35 UTC 2012


I'll take files that shouldn't have level 7 permissions for $400, Alex.

On Wed, Jun 27, 2012 at 2:09 AM, Bryan Irvine <sparctacus at gmail.com> wrote:

> The fun part will be figuring out how it got there. :)
>
> Sent from my iPhone
>
> On Jun 27, 2012, at 12:06 AM, Matthew Black <Matthew.Black at csulb.edu>
> wrote:
>
> > We found the aberrant .htaccess file and have removed it. What a mess!
> >
> > matthew black
> > information technology services
> > california state university, long beach
> >
> > From: Grant Ridder [mailto:shortdudey123 at gmail.com]
> > Sent: Tuesday, June 26, 2012 11:02 PM
> > To: Matthew Black; nanog at nanog.org
> > Cc: Jeremy Hanmer
> > Subject: Re: DNS poisoning at Google?
> >
> > It also redirects with facebook, youtube, and ebay but NOT amazon.
> >
> > -Grant
> >
> > On Wed, Jun 27, 2012 at 12:57 AM, Matthew Black <Matthew.Black at csulb.edu> wrote:
> > Our web lead was able to run curl. Thanks.
> >
> > matthew black
> > information technology services
> > california state university, long beach
> >
> > From: Grant Ridder [mailto:shortdudey123 at gmail.com]
> > Sent: Tuesday, June 26, 2012 10:53 PM
> > To: Matthew Black
> > Cc: Landon Stewart; nanog at nanog.org; Jeremy Hanmer
> >
> > Subject: Re: DNS poisoning at Google?
> >
> > Matt, what happens when you get on a subnet that can access the webservers
> > directly and bypass the load balancer? Try curl then and see if it's
> > something w/ the webserver or load balancer.
> >
> > -Grant
> > On Wed, Jun 27, 2012 at 12:40 AM, Matthew Black <Matthew.Black at csulb.edu> wrote:
> > Thanks again to everyone who helped. I didn't know what to enter with
> curl, because Outlook clobbered the line breaks in Jeremy's original
> message.
> >
> > Also, curl failed on our primary webserver because of firewall and load
> balancer magic settings. The Telnet method worked better!
> >
> > Our team is now scouring for that hidden redirect to couchtarts.
> >
> > matthew black
> > information technology services
> > california state university, long beach
> >
> > From: Landon Stewart [mailto:lstewart at superb.net]
> > Sent: Tuesday, June 26, 2012 10:37 PM
> > To: Matthew Black
> > Cc: Jeremy Hanmer; nanog at nanog.org
> > Subject: Re: DNS poisoning at Google?
> > There is definitely a 301 redirect.
> >
> > $ curl -I --referer http://www.google.com/ http://www.csulb.edu/
> > HTTP/1.1 301 Moved Permanently
> > Date: Wed, 27 Jun 2012 05:36:31 GMT
> > Server: Apache/2.0.63
> > Location: http://www.couchtarts.com/media.php
> > Connection: close
> > Content-Type: text/html; charset=iso-8859-1
> > On 26 June 2012 22:05, Matthew Black <Matthew.Black at csulb.edu> wrote:
> > Google Webtools reports a problem with our HOMEPAGE "/". That page is
> not redirecting anywhere.
> > They also report problems with some 48 other primary sites, none of
> which redirect to the offending couchtarts.
> >
> > matthew black
> > information technology services
> > california state university, long beach
> >
> >
> >
> >
> > -----Original Message-----
> > From: Jeremy Hanmer [mailto:jeremy.hanmer at dreamhost.com]
> > Sent: Tuesday, June 26, 2012 9:58 PM
> > To: Matthew Black
> > Cc: nanog at nanog.org
> > Subject: Re: DNS poisoning at Google?
> > It's not DNS.  If you're sure there's no htaccess files in place, check
> your content (even that stored in a database) for anything that might be
> altering data based on referrer.  This simple test shows what I mean:
> > Airy:~ user$ curl -e 'http://google.com' csulb.edu
> > <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> > <html><head>
> > <title>301 Moved Permanently</title>
> > </head><body>
> > <h1>Moved Permanently</h1>
> > <p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
> > </body></html>
> >
> > Running curl without the -e argument gives the proper site contents.
> > On Jun 26, 2012, at 9:24 PM, Matthew Black <Matthew.Black at csulb.edu> wrote:
> >
> >> Running Apache on three Solaris webservers behind a load balancer. No
> MS Windows!
> >>
> >> Not sure how malicious software could get between our load balancer and
> Unix servers. Thanks for the tip!
> >>
> >> matthew black
> >> information technology services
> >> california state university, long beach
> >>
> >>
> >>
> >> From: Landon Stewart [mailto:lstewart at superb.net]
> >> Sent: Tuesday, June 26, 2012 9:07 PM
> >> To: Matthew Black
> >> Cc: nanog at nanog.org
> >> Subject: Re: DNS poisoning at Google?
> >>
> >> Is it possible that some malicious software is listening and injecting
> a redirect on the wire?  We've seen this before with a Windows machine
> being infected.
> >> On 26 June 2012 20:53, Matthew Black <Matthew.Black at csulb.edu> wrote:
> >> Google Safe Browsing and Firefox have marked our website as containing
> >> malware. They claim our home page returns no results, but redirects users
> >> to another compromised website couchtarts.com.
> >>
> >> We have thoroughly examined our root .htaccess and httpd.conf files and
> are not redirecting to the problem target site. No recent changes either.
> >>
> >> We ran some NSLOOKUPs against various public DNS servers and
> intermittently get results that are NOT our servers.
> >>
> >> We believe the DNS servers used by Google's crawler have been poisoned.
> >>
> >> Can anyone shed some light on this?
> >>
> >> matthew black
> >> information technology services
> >> california state university, long beach
> >> www.csulb.edu
> >>
> >>
> >>
> >> --
> >> Landon Stewart <LStewart at Superb.Net>
> >> Sr. Administrator
> >> Systems Engineering
> >> Superb Internet Corp - 888-354-6128 x 4199
> >> Web hosting and more "Ahead of the Rest":
> >> http://www.superbhosting.net
> >>
> >
> >
> >
> >
> >
> >
> > --
> > Landon Stewart <LStewart at Superb.Net>
> > Sr. Administrator
> > Systems Engineering
> > Superb Internet Corp - 888-354-6128 x 4199
> > Web hosting and more "Ahead of the Rest": http://www.superbhosting.net
> >
> >
>
>
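The check Jeremy and Landon ran by hand with curl, generalised to the whole list of referers the thread mentions, as an added example that is not part of the original thread: each Referer is sent to the same URL without following redirects, and any (status, Location) pair that differs from the no-Referer baseline is reported. `fetch` is an injectable callable, so `fake_compromised_fetch` (a constructed stand-in that mimics the behaviour quoted above; the hostnames and the redirect target are placeholders) lets the logic run offline, while `http_fetch` does the live request.

```python
import urllib.request
import urllib.error

# Referers the thread reports as triggering (or, for Amazon, not triggering) the redirect.
REFERERS = [
    "http://www.google.com/",
    "http://www.facebook.com/",
    "http://www.youtube.com/",
    "http://www.ebay.com/",
    "http://www.amazon.com/",
]

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: we want to see the Location header, not the target page."""
    def redirect_request(self, *args, **kwargs):
        return None

def http_fetch(url, referer=None):
    """Live fetcher: one GET with an optional Referer; returns (status, Location)."""
    req = urllib.request.Request(url)
    if referer:
        req.add_header("Referer", referer)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # unfollowed 3xx and 4xx/5xx land here
        return err.code, err.headers.get("Location")

def probe(url, fetch=http_fetch, referers=REFERERS):
    """Compare each Referer's (status, Location) with the no-Referer baseline.
    Returns {referer: (status, location)} for the ones that differ; an empty
    dict means the server answered the same way regardless of Referer."""
    baseline = fetch(url, None)
    return {ref: res for ref in referers if (res := fetch(url, ref)) != baseline}

def fake_compromised_fetch(url, referer=None):
    """Constructed stand-in for the server in the thread: 301 to an external
    media.php for google/facebook/youtube/ebay referers, normal page otherwise."""
    triggers = ("google.com", "facebook.com", "youtube.com", "ebay.com")
    if referer and any(t in referer for t in triggers):
        return 301, "http://redirect-target.invalid/media.php"
    return 200, None

if __name__ == "__main__":
    for ref, (status, loc) in probe("http://site.invalid/", fake_compromised_fetch).items():
        print(f"Referer {ref}: HTTP {status} -> {loc}")
```

Some injected rules match only GET, not HEAD, which is why this sends a plain GET like `curl -e` rather than `curl -I`; pass `http_fetch` explicitly to run it against a host you administer.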