Re: DNS poisoning at Google?

2012-06-26 Thread Jeremy Hanmer
It's not DNS.  If you're sure there's no htaccess files in place, check your 
content (even that stored in a database) for anything that might be altering 
data based on referrer.  This simple test shows what I mean:

Airy:~ user$ curl -e 'http://google.com' csulb.edu
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
</body></html>

Running curl without the -e argument gives the proper site contents.  

On Jun 26, 2012, at 9:35 PM, Matthew Black matthew.bl...@csulb.edu wrote:

 Yes, we’ve used the Google Webmaster Tools a lot today. Submitted multiple 
 requests and they keep insisting that our site issues a redirect. Unable to 
 duplicate the problem here.
 
 matthew black
 information technology services
 california state university, long beach
 
 From: Ishmael Rufus [mailto:sakam...@gmail.com]
 Sent: Tuesday, June 26, 2012 9:34 PM
 To: Matthew Black
 Cc: David Hubbard; nanog@nanog.org
 Subject: Re: DNS poisoning at Google?
 
 Have you tried using Google Webmaster tools?
 On Tue, Jun 26, 2012 at 11:28 PM, Matthew Black 
 matthew.bl...@csulb.edu wrote:
 Running Apache on three Solaris servers behind a load balancer.
 
 I forgot how to look up our AS number to see if it matches couchtarts.
 
 matthew black
 information technology services
 california state university, long beach
 
 -Original Message-
 From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com]
 Sent: Tuesday, June 26, 2012 9:14 PM
 To: nanog@nanog.org
 Subject: RE: DNS poisoning at Google?
 
 Typically if google were pulling your site sometimes from the wrong IP, their 
 safe browsing page should indicate it being on another AS number in addition 
 to the correct one 2152:
 
 http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.csulb.edu
 
 For example, the couchtarts site they claim yours is redirecting to:
 
 http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.couchtarts.com
 
 That site's DNS is screwed up and some requests are sent to a different IP at 
 a different host, so Google picked up both AS numbers.
 
 Could one of your domain's subdomains be what is actually infected?  You seem 
 to have a bunch of them, maybe google is penalizing the whole domain over a 
 subdomain?  Not sure if they do that or not.
 
 If your sites are running off of an application like wordpress, etc., you may 
 not get the same page that google gets and the application may have been 
 hacked.
 Here's a wget command you can use to make requests to your site pretending to 
 be google:
 
 wget -c \
 --user-agent='Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' \
 --output-document=googlebot.html 'http://www.csulb.edu'
 
 nanog will probably line wrap that user agent line making it not correct so 
 you'll have to put it back together correctly.  It will save the output to a 
 file named googlebot.html you can look at to see if anything weird ends up 
 being served.
 
 David
 
 
 -Original Message-
 From: Matthew Black [mailto:matthew.bl...@csulb.edu]
 Sent: Tuesday, June 26, 2012 11:53 PM
 To: nanog@nanog.org
 Subject: DNS poisoning at Google?
 
 Google Safe Browsing and Firefox have marked our website as containing
 malware. They claim our home page returns no results, but redirects
 users to another compromised website couchtarts.com.
 
 We have thoroughly examined our root .htaccess and httpd.conf files
 and are not redirecting to the problem target site. No recent changes
 either.
 
 We ran some NSLOOKUPs against various public DNS servers and
 intermittently get results that are NOT our servers.
 
 We believe the DNS servers used by Google's crawler have been
 poisoned.
 
 Can anyone shed some light on this?
 
 matthew black
 information technology services
 california state university, long beach
 www.csulb.edu
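
The two checks suggested in this thread (curl -e with a Google referrer, and a request with the Googlebot user agent) combined into one comparison, as an added example that is not part of the original messages. The local test server, its redirect target and the function names are constructed for illustration; point probe() at your own host to use it for real.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# One plain request, one that looks like a click from a search result
# (curl -e), and one that claims to be the crawler (wget --user-agent).
PROFILES = {
    "plain": {},
    "google-referer": {"Referer": "http://google.com"},
    "googlebot-ua": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                                   "+http://www.google.com/bot.html)"},
}

def probe(host, port=80, path="/"):
    """Fetch path once per profile, without following redirects."""
    results = {}
    for name, headers in PROFILES.items():
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        resp.read()
        results[name] = (resp.status, resp.getheader("Location"))
        conn.close()
    return results

def cloaked(results):
    """Profiles whose status or Location differs from the plain request."""
    return {n: r for n, r in results.items() if r != results["plain"]}

class ConstructedCompromisedSite(BaseHTTPRequestHandler):
    # Constructed stand-in for a site whose content redirects by referrer.
    def do_GET(self):
        hit = "google" in self.headers.get("Referer", "").lower()
        body = b"" if hit else b"<html>real home page</html>"
        self.send_response(301 if hit else 200)
        if hit:
            self.send_header("Location", "http://redirect-target.example/")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # keep the demo quiet
        pass

def demo():
    server = HTTPServer(("127.0.0.1", 0), ConstructedCompromisedSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return cloaked(probe("127.0.0.1", server.server_address[1]))
    finally:
        server.shutdown()
```

Any profile reported by cloaked() is served something different from what a direct visitor sees, which is the condition Safe Browsing was flagging here while the site looked normal from inside.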
 
 
 
 
 
 
 




Re: The actual value, from a security standpoint, of using a proxy domain registrar?

2009-07-15 Thread Jeremy Hanmer

Not everybody charges for the service.  Shop around.

On Jul 15, 2009, at 3:37 PM, Mike Lyon wrote:


I still think it's a huge waste of money.


On Wed, Jul 15, 2009 at 3:34 PM, Ray Sanders 
ray.sand...@villagevoicemedia.com wrote:


And that falls right into some of the scare tactic sales pitches the
domain registrars use.

they can look up your domain and find your home address!

Heck, even a p.o box could leave someone open to a stalker, if said
stalker is determined enough.

so yes, I'll concede that point to a certain extent.


On Wed, 2009-07-15 at 17:18 -0500, David E. Smith wrote:

Mike Lyon wrote:
I am curious what others in the industry think on this topic. When one
registers a domain they can put in their real information or they can use a
proxy, like Go-Daddy's Domains By Proxy.


If you're using it for your business, the value is pretty slim. You
probably want your business to be reachable by the public.

Individuals, especially those using their domains to publish anything
controversial, could benefit somewhat from the increased privacy.

David Smith
MVN.net



--
Prediction is very difficult, especially about the future. Niels Bohr

--
Ray Sanders
Linux Administrator
Village Voice Media
Office: 602-744-6547
Cell: 602-300-4344









Anybody from Godaddy abuse?

2009-02-25 Thread Jeremy Hanmer
Can somebody from Godaddy contact me off-list about a malicious domain  
errantly listing our network as its DNS servers?  Email to  
ab...@godaddy has gone unanswered and we're getting hit pretty hard.




Re: Advice/resources for setting up TACACS server

2008-11-07 Thread Jeremy Hanmer

We use tac_plus with good results:

http://www.shrubbery.net/tac_plus/

On Nov 7, 2008, at 2:56 PM, Leslie wrote:

Do you have any suggestions for a free tacacs server which will run  
on linux ? I have so far been unable to find any and the tacacs+  
source code hasn't been updated since around 2000


Leslie

On Nov 7, 2008, at 2:43 PM, Eddy Martinez wrote:


I second the TACACS+

That's what you want. Same effort for the most part, to implement.

Eddy

On Nov 7, 2008, at 2:39 PM, Steven King wrote:


I disagree with the RADIUS suggestion. TACACS+ is a much more secure
protocol. It encrypts the packet contents and has a more secure
handshake procedure.

Leslie wrote:
The best answer actually does seem to be to use freeradius instead of
tacacs, so I will probably go with that (though if anyone has any good
tips on freeradius, please, let me know)

Leslie

On Nov 7, 2008, at 1:30 PM, Leslie wrote:


Hi --

We are currently trying to set up a TACACS server for authentication
to our network gear and have it run on suse linux hosts.  Does anyone
have any advice/good webpages or guides regarding this?

Thank you very much in advance!

Leslie





--
Steve King

Network Engineer - Liquid Web, Inc.
Cisco Certified Network Associate
CompTIA Linux+ Certified Professional
CompTIA A+ Certified Professional












Re: [policy] When Tech Meets Policy...

2007-08-13 Thread Jeremy Hanmer



On Aug 13, 2007, at 11:40 AM, Steve Atkins wrote:



A question to the registrars here: What fraction of legitimate
domain registrations are reversed because the customer
didn't know how to spell, and noticed that within the five
day dictionary time?


From what I've seen here, most customers notice within minutes or
(in the worst cases) hours, not days.  And these are the same
customers that might go 6-12 months without noticing that their
domain has expired.