DNS poisoning at Google?

Google Safe Browsing and Firefox have marked our website as containing malware. They claim our home page returns no results, but redirects users to another compromised website couchtarts.com.

We have thoroughly examined our root .htaccess and httpd.conf files and are not redirecting to the problem target site. No recent changes either.

We ran some NSLOOKUPs against various public DNS servers and intermittently get results that are NOT our servers.

We believe the DNS servers used by Google's crawler have been poisoned.

Can anyone shed some light on this?

matthew black
information technology services
california state university, long beach
www.csulb.edu

Accidentally sent that to Matthew only,

mind sharing the domain name?

Is it possible that some malicious software is listening and injecting a
redirect on the wire? We've seen this before with a Windows machine being
infected.

I'm glad I'm not the only one that missed this one:

http://www.csulb.edu

It is in his signature and email address as well :wink:

I am also getting the same issue when accessing his website.

The queries do seem to be taking a number of seconds, though, as opposed to being nearly instant when I reference the DNS servers of record directly.
The results I get at home (via SpeakEasy) all appear correct, though.

DNS seems to check out from here. Tested against Google DNS, OpenDNS
and Linode's DNS servers.

According to Google:
"Malicious software is hosted on 1 domain(s), including couchtarts.com/."

Normally, I would say this happens due to malicious ads loaded but
this does not seem to be a site that will contain ads. :slight_smile:

Not sure if it's related, but yesterday one of my clients (a top 500 alexa site) suddenly had most search results (when googling for things like the site's name) suddenly change to some other shady looking domain that's just sending 302 redirects to the real site. All the same search results are there, but they're now sending everyone to the wrong domain that's just redirecting to the correct place. No idea how Google thought this is correct and I'm totally failing at getting anyone's attention at Google to look into this.

This coincided with this message from @google on twitter yesterday:

Heads up: we're pushing a new Panda data refresh that noticeably affects only ~1% of queries worldwide.
http://twitter.com/google/status/217366321879453696

But I'm not sure that's related either.

-- Kevin

Running Apache on three Solaris webservers behind a load balancer. No MS Windows!

Not sure how malicious software could get between our load balancer and Unix servers. Thanks for the tip!

matthew black
information technology services
california state university, long beach

Google Webtools reports a problem with our HOMEPAGE "/". That page is not redirecting anywhere.
They also report problems with some 48 other primary sites, none of which redirect to the offending couchtarts.

matthew black
information technology services
california state university, long beach

Except it is redirecting as shown by Jeremy:

[guppy@mrlaptop ~]$ curl -e 'http://google.com' csulb.edu
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
</body></html>

That looks like a redirect to me.

Jeff

Invoking the referrer on your site recommends a redirect to couchtarts. I
agree with Jeremy and Jeff: check your htaccess files, conf files and
anything that calls RewriteCond or Rewrite.

for example, from the commandline with telnet:

morrowc@teensy:~$ telnet www.csulb.edu 80
Trying 134.139.1.60...
Connected to gaggle.its.csulb.edu.
Escape character is '^]'.
GET / HTTP/1.0
Host: www.csulb.edu
Referer: http://www.google.com/

HTTP/1.1 301 Moved Permanently
Server: Apache/2.0.63
Location: http://www.couchtarts.com/media.php
Content-Length: 243
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
</body></html>
Connection closed by foreign host.

oops :frowning: fail.

Thank you for that helpful instruction!

curl doesn't work because our webserver is firewalled against outbound traffic. The telnet to port 80 showed me the problem. I also didn't understand when output was placed at the end of the command line, instead of starting on the next line...that looked like something I was supposed to type.

matthew black
information technology services
california state university, long beach

sorry... often when I end up testing something like this I cut/paste
from a buffer, so:

telnet bloop 80
<paste>
<return/return/return>

read-output... In the case of your server:

GET / HTTP/1.0
Host: www.csulb.edu
Referer: http://www.google.com/
<empty-line!!>

all gets pasted once the 'telnet www.csulb.edu 80' connects...

the output is the stuff that includes the 'redirect to couchtarts'.

-chris

There is definitely a 301 redirect.

$ curl -I --referer http://www.google.com/ http://www.csulb.edu/
HTTP/1.1 301 Moved Permanently
Server: Apache/2.0.63
Location: http://www.couchtarts.com/media.php
Connection: close
Content-Type: text/html; charset=iso-8859-1

Thanks again to everyone who helped. I didn't know what to enter with curl, because Outlook clobbered the line breaks in Jeremy's original message.

Also, curl failed on our primary webserver because of firewall and load balancer magic settings. The Telnet method worked better!

Our team is now scouring for that hidden redirect to couchtarts.

matthew black
information technology services
california state university, long beach

Matt, what happens when you get on a subnet that can access the webservers
directly and bypass the load balancer? Try curl then and see if it's
something with the webserver or load balancer.

-Grant

There is definitely a 301 redirect.

$ curl -I --referer http://www.google.com/ http://www.csulb.edu/
HTTP/1.1 301 Moved Permanently
Date: Wed, 27 Jun 2012 05:36:31 GMT
Server: Apache/2.0.63
Location: Loading...
Connection: close
Content-Type: text/html; charset=iso-8859-1

And if you visit Loading... using the correct
browser you end up back at http://google.com ...

It also redirects with facebook, youtube, and ebay but NOT amazon.

-Grant
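The by-hand check used in this thread (send the same request with and without a Referer header and compare the Location), automated as an added example that is not code from any poster here. The sample responses are constructed from the headers quoted above, and `probe` assumes the target answers plain HTTP on port 80.

```python
import re
import socket
from typing import Optional

# Referers tried in the thread (Google, Facebook, YouTube, eBay, Amazon) plus a no-referer baseline.
REFERERS = [None, "http://www.google.com/", "http://www.facebook.com/",
            "http://www.youtube.com/", "http://www.ebay.com/", "http://www.amazon.com/"]

# Constructed sample responses for offline use: a clean page and the 301 shown in the thread.
SAMPLE_CLEAN = b"HTTP/1.1 200 OK\r\nServer: Apache/2.0.63\r\nContent-Type: text/html\r\n\r\n<html>ok</html>"
SAMPLE_HIJACKED = (b"HTTP/1.1 301 Moved Permanently\r\nServer: Apache/2.0.63\r\n"
                   b"Location: http://www.couchtarts.com/media.php\r\nConnection: close\r\n\r\n")

def build_request(host: str, referer: Optional[str], path: str = "/") -> bytes:
    """The same HTTP/1.0 request that was pasted into telnet in the thread."""
    lines = [f"GET {path} HTTP/1.0", f"Host: {host}"]
    if referer:
        lines.append(f"Referer: {referer}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def parse_response(raw: bytes) -> tuple:
    """Return (status code, Location header or None) from a raw HTTP response; (0, None) if not HTTP."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0].decode("iso-8859-1", "replace")
    lines = re.split(r"\r?\n", head)
    parts = lines[0].split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location

def conditional_redirects(responses: dict) -> dict:
    """Given {referer: raw response}, return referers whose (status, Location) differs from the no-referer baseline."""
    baseline = parse_response(responses[None])
    return {ref: parse_response(raw) for ref, raw in responses.items()
            if ref is not None and parse_response(raw) != baseline}

def probe(host: str, referers=REFERERS, timeout: float = 5.0) -> dict:
    """Fetch / once per referer over a plain socket, as telnet to port 80 does (needs network)."""
    out = {}
    for ref in referers:
        with socket.create_connection((host, 80), timeout=timeout) as s:
            s.sendall(build_request(host, ref))
            out[ref] = s.makefile("rb").read()  # HTTP/1.0: server closes, so read to EOF
    return out
```

Running `conditional_redirects(probe("www.example.org"))` from a host that bypasses the load balancer, as Grant suggests, tells you whether the cloaked 301 lives on the webserver or in front of it.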