nanog mailing list archives

Re: DNS poisoning at Google?

From: Chris Griffin <cgriffin () ufl edu>
Date: Wed, 27 Jun 2012 01:20:46 -0400

Also shows a redirect if you use bing.com or yahoo.com (and probably others) but not, for instance, blah.com...

Tnx
Chris

On Jun 27, 2012, at 1:13 AM, David Hubbard wrote:

Well as Jeremy pointed out, your site is issuing
redirects, he gave you the command to show it:

curl -e 'http://google.com&apos; csulb.edu

So if you're sure your server(s) haven't been hacked,
your application appears to have been hacked.  It only
issues the redirect if the visitor comes in from a
google search.

-----Original Message-----
From: Matthew Black [mailto:Matthew.Black () csulb edu] 
Sent: Wednesday, June 27, 2012 1:03 AM
To: Michael J Wise
Cc: nanog () nanog org
Subject: RE: DNS poisoning at Google?

Q:have you consulted the logs?

Seriously? Our servers have multiple log files due to 
multiple virtual hosts. Our primary domain log file on just 
one server has over 600,000 records x 3 servers.

Probably over 100,000 304 redirects in our logs.

couchtarts.com does not appear in our log files.

matthew black
information technology services
california state university, long beach

-----Original Message-----
From: Michael J Wise [mailto:mjwise () kapu net] 
Sent: Tuesday, June 26, 2012 9:56 PM
To: Matthew Black
Cc: nanog () nanog org
Subject: Re: DNS poisoning at Google?

On Jun 26, 2012, at 9:35 PM, Matthew Black wrote:

Yes, we've used the Google Webmaster Tools a lot today.

Submitted multiple requests and they keep insisting that our 
site issues a redirect. Unable to duplicate the problem here.

... have you consulted the logs?
If the redirect is there, it ... 1) might not be from the 
home page, and 2) could be in ... user content?

awk '{if ($9 ~ /304/) { print $0 }}' access_log.
... or some such.
Granted, might be a storm of " " -> index.html redirects, but 
they should be grep -v 'able in short order.
You might also look for the rDNS of the Google spider to see 
exactly where it is looking, and what it sees.

Aloha,
Michael.
-- 
"Please have your Internet License             
and Usenet Registration handy..."



---
Chris Griffin                           cgriffin () ufl edu
Sr. Network Engineer - CCNP             Phone: (352) 273-1051
CNS - Network Services                  Fax:   (352) 392-9440
University of Florida/FLR               Gainesville, FL 32611

Current thread:

Re: DNS poisoning at Google?, (continued)
- - - Re: DNS poisoning at Google? Ishmael Rufus (Jun 26)
    - RE: DNS poisoning at Google? Matthew Black (Jun 26)
    - Re: DNS poisoning at Google? Michael J Wise (Jun 26)
    - RE: DNS poisoning at Google? Matthew Black (Jun 26)
    - Re: DNS poisoning at Google? Jeremy Hanmer (Jun 26)
    - RE: DNS poisoning at Google? Matthew Black (Jun 26)
    - Re: DNS poisoning at Google? David Miller (Jun 26)
    - Re: DNS poisoning at Google? John Levine (Jun 26)
    - RE: DNS poisoning at Google? Matthew Black (Jun 26)
- RE: DNS poisoning at Google? David Hubbard (Jun 26)
  - Re: DNS poisoning at Google? Chris Griffin (Jun 26)