Re: DNS poisoning at Google?

[Ishmael Rufus <sakamura () gmail com>]

Have you tried using Google Webmaster tools?

On Tue, Jun 26, 2012 at 11:28 PM, Matthew Black <Matthew.Black () csulb edu>wrote:

> Running Apache on three Solaris servers behind a load balancer.
>
> I forgot how to lookup our AS number to see if it matches couchtarts.
>
> matthew black
> information technology services
> california state university, long beach
>
>
> -----Original Message-----
> From: David Hubbard [mailto:dhubbard () dino hostasaurus com]
> Sent: Tuesday, June 26, 2012 9:14 PM
> To: nanog () nanog org
> Subject: RE: DNS poisoning at Google?
>
> Typically if google were pulling your site sometimes from the wrong IP,
> their safe browsing page should indicate it being on another AS number in
> addition to the correct one 2152:
>
> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http
> ://www.csulb.edu
>
> For example, the couchtarts site they claim yours is redirecting to:
>
> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http
> ://www.couchtarts.com
>
> That site's DNS is screwed up and some requests are sent to a different IP
> at a different host, so Google picked up both AS numbers.
>
> Could one of your domain's subdomains be what is actually infected?  You
> seem to have a bunch of them, maybe google is penalizing the whole domain
> over a subdomain?  Not sure if they do that or not.
>
> If your sites are running off of an application like wordpress, etc., you
> may not get the same page that google gets and the application may have
> been hacked.
> Here's a wget command you can use to make requests to your site pretending
> to be google:
>
> wget -c \
> --user-agent="Mozilla/5.0 (compatible; Googlebot/2.1;
> +http://www.google.com/bot.html)" \
> --output-document=googlebot.html 'http://www.csulb.edu&apos;
>
> nanog will probably line wrap that user agent line making it not correct
> so you'll have to put it back together correctly.  It will save the output
> to a file named googlebot.html you can look at to see if anything weird
> ends up being served.
>
> David
>
>
> > -----Original Message-----
> > From: Matthew Black [mailto:Matthew.Black () csulb edu]
> > Sent: Tuesday, June 26, 2012 11:53 PM
> > To: nanog () nanog org
> > Subject: DNS poisoning at Google?
> >
> > Google Safe Browsing and Firefox have marked our website as containing
> > malware. They claim our home page returns no results, but redirects
> > users to another compromised website couchtarts.com.
> >
> > We have thoroughly examined our root .htaccess and httpd.conf files
> > and are not redirecting to the problem target site. No recent changes
> > either.
> >
> > We ran some NSLOOKUPs against various public DNS servers and
> > intermittently get results that are NOT our servers.
> >
> > We believe the DNS servers used by Google's crawler have been
> > poisoned.
> >
> > Can anyone shed some light on this?
> >
> > matthew black
> > information technology services
> > california state university, long beach
> > www.csulb.edu<http://www.csulb.edu>