GOOGLE has changed today.


bs_texas
06-27-2003, 04:07 PM
GOOGLE (http://www.google.com) - more direct to the porn today.

http://www.google.com/linux -

"uncaught request" ??

They just can't leave well enough alone, eh?

synecdoche
06-27-2003, 04:12 PM
Er, what has changed about it? Looks the same as it always has to me.

-dave

bs_texas
06-27-2003, 04:15 PM
There's a new full page of links below the search line. With Adult right at the top in the middle. I've never seen those before.

And, www.google.com/linux is giving me an error:
"uncaught request"

You might need to clear your cache, or something.

Or, maybe I've been infected with some virus or trojan or something.

Except that I get the same thing on IE on W2K and in Mozilla on Red Hat on 2 separate machines.

bs_texas
06-27-2003, 04:22 PM
Here's the new google.

(oops, the file size was too big.)

serz
06-27-2003, 04:23 PM
Nope, it looks the same as always..

Icarus
06-27-2003, 04:24 PM
Ummm..ya, right...I see it too...ummm

Google

Web Images Groups Directory News


• Advanced Search
• Preferences
• Language Tools


Advertise with Us - Business Solutions - Services & Tools - Jobs, Press, & Help

Where was this again? This is exactly what is on Google...maybe it was a very subtle hack earlier?


Hey, wait a second...check your DNS, is it going through your ISP? I've recently heard of a very wicked hack that re-routes the DNS from an ISP and they capture passwords and stuff from people in this 'pseudo DNS' box. Might want to be careful for a few days...

Gertrude
06-27-2003, 04:25 PM
Looks fine to me. I don't know what you're talking about.

bs_texas
06-27-2003, 04:28 PM
Ok, let me try this:

JohnT
06-27-2003, 04:28 PM
U-m-m...starting to see "porn" on Google now are we? :p


That must be a local page. In fact, I have never seen that format before, here.

Icarus
06-27-2003, 04:30 PM
Originally posted by bs_2003
Ok, let me try this:

Dude...your ISP is so hacked...call them


verify it with a traceroute, I'll bet it doesn't hit your ISP...or makes an extra stop somewhere

Gertrude
06-27-2003, 04:31 PM
do a nslookup on www.google.com

bs_texas
06-27-2003, 04:36 PM
[bsl1@localhost bsl1]$ nslookup www.google.com
Note: nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead. Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
Server: 192.168.0.1
Address: 192.168.0.1#53

Non-authoritative answer:
Name: www.google.com
Address: 216.40.230.13


How does that compare to what you get?

thanks...

Icarus
06-27-2003, 04:41 PM
I'm on a Win2k at work ;)

C:\>nslookup www.google.com
Server: addw2k11.myworkdomain.com
Address: 10.1.1.25

Name: www.google.com
Address: 216.239.57.99



Nope, close but not
This is the official IP from www.netcraft.com too

OS       Server   Last changed  IP address      Netblock Owner
Linux    GWS/2.1  26-Jun-2003   216.239.51.99   Google Inc.
unknown  GWS/2.1  26-Jun-2003   216.239.37.99   Google Inc.
unknown  GWS/2.0  25-Jun-2003   216.239.57.99   Google Inc.
Linux    GWS/2.0  22-Jun-2003   216.239.57.99   Google Inc.
unknown  GWS/2.0  21-Jun-2003   216.239.39.99   Google Inc.
Linux    GWS/2.0  16-Jun-2003   216.239.57.99   Google Inc.
Linux    GWS/2.0  15-Jun-2003   216.239.57.99   Google Inc.
unknown  GWS/2.0  14-Jun-2003   216.239.39.99   Google Inc.
Linux    GWS/2.0  10-Jun-2003   216.239.39.99   Google Inc.
unknown  GWS/2.0  9-Jun-2003    216.239.41.104  Google Inc.

Gertrude
06-27-2003, 04:46 PM
Either your ISP's DNS cache has gone to shye, or someone maybe did a little hackeroo on them. Give them a call if you want.

Non-authoritative answer:
Name: www.google.com
Address: 216.239.37.99

EDIT:

Surf to 216.239.37.99 and the normal google page should show up.



*** ns1.adelphiacom.com can't find 216.40.230.13: Non-existent domain

JohnT
06-27-2003, 04:51 PM
From Address: 216.40.230.13



OrgName: Everyones Internet, Inc.
OrgID: EVRY
Address: 2600 Southwest Frwy., Suite 500
City: Houston
StateProv: TX
PostalCode: 77098
Country: US

NetRange: 216.40.192.0 - 216.40.255.255
CIDR: 216.40.192.0/18
NetName: EVRY-BLK-6
NetHandle: NET-216-40-192-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.EV1.NET
NameServer: NS2.EV1.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2000-10-05
Updated: 2001-10-05

TechHandle: RW172-ARIN
TechName: Williams, Randy
TechPhone: +1-713-400-5400
TechEmail: admin@ev1.net

Icarus
06-27-2003, 04:52 PM
Ya, using that IP you got shows that page of links...but no Google logo...your ISP has some issues, or they are trying to tell you something ;)

Gertrude
06-27-2003, 04:55 PM
Yea I would have to think it's a hack, if it was just a messed up cache the google logo wouldn't show up above the rest of that crap.. This kinda happened to 2600.com a few weeks ago. It got redirected to 2600.gov.

Akito
06-27-2003, 05:02 PM
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\xxxxx> nslookup www.google.com
Server: XXXX.WINPROXY
Address: 192.168.0.2

Name: www.google.com
Address: 216.239.41.99


C:\Documents and Settings\xxxxx>

Icarus
06-27-2003, 05:09 PM
Originally posted by Akito
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\xxxxx> nslookup www.google.com
Server: XXXX.WINPROXY
Address: 192.168.0.2

Name: www.google.com
Address: 216.239.41.99


C:\Documents and Settings\xxxxx>

http://www.stupid-boy.com/smilies/contrib/edoom/Thinkingof_.gif
First post? On a Linux board from a WinXP machine?

Oh well...Welcome aboard Akito!! :D

bs_texas
06-27-2003, 05:10 PM
Well, I called my ISP and they weren't seeing it either. Apparently it was local to my system. I went and cleared all my caches and deleted all cookies on both machines, rebooted, and the 'crap' is gone.
:confused:
Don't know where it came from.
But, I'm glad it wasn't a real, permanent change at google.


No, really, I wasn't surfin' the porn... :D

Really... :p

Icarus
06-27-2003, 05:12 PM
Originally posted by bs_2003
No, really, I wasn't surfin' the porn... :D

Really... :p

Uh-huh...just looking at "cats" which you like so much, right? ;) :p

Still odd that it got 'stuck' in all your computers' cache if that was the case...you have a proxy?

bs_texas
06-27-2003, 05:26 PM
No proxy.

I have my PC's connected to the internet through Smoothwall on a separate machine. I surf from either machine. I must've hit the same place from both or not....

I just checked my win98 machine and slackware machine, they both have the extra crap at google also. Weird how that has propagated through my system like that.

Also, just checked my win95 machine, which hasn't even been turned on or used to access the internet in weeks. The google extra garbage is there also.

I'm gonna clear cache and cookies on all machines. Turn 'em all off, including the smoothwall machine, count to 10, turn 'em all back on and see what happens...

:confused: :confused: :confused:

mdwatts
06-27-2003, 05:28 PM
Originally posted by bs_2003

:confused:
Don't know where it came from.
But, I'm glad it wasn't a real, permanent change at google.


No, really, I wasn't surfin' the porn... :D

Really... :p

I see you're showing off your custom search page again. ;)

Gertrude
06-27-2003, 05:34 PM
Server: 192.168.0.1

What's odd is that the smoothwall box was handing out 216.40.230.13 as the IP to google. Now he clears cache and cookies in his browser and it goes away? It even did it on a machine that hasn't been turned on in a long time???

Ya got me.

bs_texas
06-27-2003, 06:18 PM
Well, everything seems to be back to normal now.

I hate those little excursions through the Twilight Zone. :rolleyes:

Sorry to get everybody side tracked.
:cool:

Icarus
06-27-2003, 06:53 PM
Do you have caching turned on with Smoothwall? I do and that would explain why all the machines were affected.

bs_texas
06-27-2003, 07:04 PM
I was chatting with a friend on Yahoo and he mentioned that also, but I don't have the Smoothwall documentation that would specify the caching on Smoothwall, so I don't know if caching is turned on or not.

Where would I look to find that out?

Thanks...

Gertrude
06-27-2003, 07:18 PM
This might be a quick way to find out. When you did a nslookup on google it came up as:

Server: 192.168.0.1
Address: 192.168.0.1#53

showing that you got that information from 192.168.0.1. If you had a caching DNS server, when you go to a site once it will remember the IP to that site and cache it so you don't need to ask your ISP, so maybe if you did a nslookup on a site you haven't been to before, the DNS servers may come up as your ISP's DNS server??

I'm not sure on this though because I never set up a caching DNS server, so try a nslookup on:


http://www.grandmas-house-inn.com/

As I hope you have never been to this site before. And see if "Server:" shows up as something else besides 192.168.0.1 ..

I might be way off on this. Just a guess.

Icarus
06-27-2003, 07:23 PM
If you don't know where it is, most likely it's not turned on :)

http://smoothwall.org/docs/

But it's under "services" and (with 2.0 beta at least) it's the first one.

bs_texas
06-28-2003, 12:12 AM
Well, apparently I am still screwed. I just reformatted one of my PC's and re-installed Win95 from scratch. (It's because I have an old Umax SCSI scanner that just barely works with win95 and nothing else.) Anyway, then I opened up IE, went to google, bang, there's the adult stuff again. So, I went to my W2K machine and Red Hat machine, and there it was back there also.

So, apparently it is something going on in Smoothwall. I looked in the intrusion detection system page of the smoothwall administration page and found several suspicious entries, such as:
-------------------------------------------------------
Date: 06/27 13:59:09 Name: WEB-CGI wrap access
Priority: 2 Type: Attempted Information Leak
IP info: 208.24.200.214:2474 -> 161.170.254.28:80
References: 1 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0149 [Xref => http://www.whitehats.com/info/IDS234] [Xref => http://www.securityfocus.com/bid/373] [Xref => http://cgi.nessus.org/plugins/dump.php3?id=10317]
-------------------------------------------------------
Date: 06/27 15:44:22 Name: SCAN SOCKS Proxy attempt
Priority: 2 Type: Attempted Information Leak
IP info: 217.21.119.3:1105 -> 208.24.200.214:1080
References: 1 - <http://help.undernet.org/proxyscan/>
-------------------------------------------------------
Date: 06/27 16:11:06 Name: WEB-PHP content-disposition
Priority: 1 Type: Web Application Attack
IP info: 208.24.200.214:32892 -> 63.236.73.208:80
References: 1 - <http://www.securityfocus.com/bid/4183>
-------------------------------------------------------
Date: 06/27 20:18:45 Name: WEB-MISC musicat empower access
Priority: 2 Type: access to a potentially vulnerable web application
IP info: 208.24.200.174:1502 -> 63.123.77.198:80
References: none found
-------------------------------------------------------
Date: 06/27 22:17:46 Name: MS-SQL Worm propagation attempt
Priority: 2 Type: Misc Attack
IP info: 202.108.249.21:1034 -> 208.24.200.174:1434
References: 1 - http://vil.nai.com/vil/content/v_99992.htm [Xref => http://www.securityfocus.com/bid/5311] [Xref => http://www.securityfocus.com/bid/5310]
-------------------------------------------------------
Hmmmm... Dunno what all that is. Maybe that last one has something to do with the google problem. Or, not.

Mahdi, can you tell me how to clear the smoothwall cache, if it exists? I'd like to try that first; otherwise, I'm gonna reformat and reinstall and change up my IP address scheme. I guess I better start learning about my firewall/iptables while I'm at it!!

Thanks...

Edit: Oh man, that last one has to do with some slammer.worm....

:confused:

Icarus
06-28-2003, 12:06 PM
Smoothwall uses Squid for the web proxy, you will have to dig through their docs to find out, the closest I've had to come to doing that is when my /var/logs filled up and I could not start anything (cleared out the intrusion files from the command line)

bs_texas
06-28-2003, 12:24 PM
Thanks for the reply. Actually, I don't have web proxy enabled, so I assume that the 50MB cache size isn't actually being used.

I just got around to downloading the docs from smoothwall. Too bad they aren't updated for mallard. Anyway, I'll peruse through those and see what I can come up with and then will probably go ahead and reformat the smoothwall machine and reinstall (dang, after I jam a cd-rom drive back into that machine!) and hopefully get a better setup with some new knowledge from those docs.

And, those intrusion detection entries in my post above were hopefully blocked by the intrusion detection part of smoothwall. That slammer.worm thing apparently affects that windows w32...dll file, of which I have two copies on my w2k machine, but norton antivirus 2003 says I have no infections.

Anyway, so I don't think those necessarily have anything to do with the google problem.

Man, it's gonna be a busy weekend. Now where's my giant magnet... :eek:

chort
06-28-2003, 07:45 PM
I think everyone else is on a close, but wrong track. It's not a web proxy, it's a DNS proxy that's misleading you. The IP of your DNS server was most likely the "Green" interface on Smoothwall (please confirm that).

Now I know that Smoothwall will proxy DNS requests. I highly suspect that Smoothwall will cache responses, so you don't have to query out to your ISP every time (can do a local lookup). I am also assuming that you use Smoothwall as a DHCP server and all your local machines get their IP (and DNS server!!!) settings from Smoothwall (or that you manually pointed all your machines to use Smoothwall for DNS, but it doesn't sound like you did that).

Now via some method, either a) the DNS information cached at your ISP was temporarily poisoned (by a cracker, or disgruntled employee) and during that time your Smoothwall just so happened to forward a request to your ISP, got the (bad) response back, and cached it OR b) someone performed a man-in-the-middle attack on your DNS request from Smoothwall to your ISP and responded with this bogus site, which was cached by Smoothwall OR c) someone cracked your Smoothwall and redirected the DNS settings.

I recommend that you immediately check the DNS settings under the DHCP configuration on your Smoothwall. I believe (might be mistaken) that rebooting Smoothwall will cause named to flush its cache. As long as you're pointing to your ISP, your ISP doesn't have persistent problems, and no one is performing a man-in-the-middle, you'll be back to normal.

You can test to see if you're getting "good" information from your ISP by doing
dig @your-isps-nameserver www.google.com any
That will (hopefully) directly query your ISP, but again if someone is hijacking the IP of your ISP's DNS server along the way, it won't work. Ask your ISP what the MAC address is of the NAT'd address that their DNS server will respond from, then run a network sniffer (Ethereal, tcpdump, etc) on your EXTERNAL interface and see if the source MAC address of packets coming back from your ISP's DNS server is what they told you. If it is not, likely someone is hijacking their IP in between you and your ISP. Of course, it's always possible to do MAC address cloning in which case it's out of my league.
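
The comparison this thread carries out by hand, as an added example that is not part of the original posts: it parses the nslookup output three members pasted, separates the resolver's own address from the answer it gave, and flags the result that disagrees with the others. The function names and the /16 grouping are assumptions made for this sketch.

```python
import ipaddress
from collections import Counter

# nslookup output copied from three posts in this thread (banner lines trimmed).
SAMPLES = {
    "bs_texas": "Server: 192.168.0.1\nAddress: 192.168.0.1#53\n\n"
                "Non-authoritative answer:\nName: www.google.com\n"
                "Address: 216.40.230.13\n",
    "Icarus": "Server: addw2k11.myworkdomain.com\nAddress: 10.1.1.25\n\n"
              "Name: www.google.com\nAddress: 216.239.57.99\n",
    "Akito": "Server: XXXX.WINPROXY\nAddress: 192.168.0.2\n\n"
             "Name: www.google.com\nAddress: 216.239.41.99\n",
}
# Netblock from the ARIN record JohnT posted for 216.40.230.13.
EVRY_BLOCK = ipaddress.ip_network("216.40.192.0/18")


def parse_nslookup(text):
    """Split nslookup output into the resolver that answered and its answers."""
    result = {"resolver": None, "name": None, "answers": []}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "name":
            result["name"] = value
        elif key == "address" and value:
            ip = value.split("#")[0]        # drop the "#53" port suffix
            if result["name"] is None:      # before "Name:" it is the resolver
                result["resolver"] = ip
            else:
                result["answers"].append(ipaddress.ip_address(ip))
    return result


def find_outliers(samples, prefixlen=16):
    """Return the results whose answers fall outside the most common prefix.

    Grouping by /16 is a heuristic chosen for this example, not a statement
    about any real address allocation.
    """
    parsed = {who: parse_nslookup(text) for who, text in samples.items()}
    votes = Counter()
    for result in parsed.values():
        votes.update({ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
                      for ip in result["answers"]})
    majority = votes.most_common(1)[0][0]
    return {who: r for who, r in parsed.items()
            if not any(ip in majority for ip in r["answers"])}
```

An outlier only shows that one resolver disagrees with the rest; which network the odd address belongs to still has to come from a whois lookup like the one posted earlier in the thread.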

bs_texas
06-29-2003, 04:32 PM
Thanks for the recent reply. I'll be back to read it and consider it as soon as I get Smoothwall fully re-installed. For some reason fixes2 for the mallard beta won't install, although I did install fixes1 and reboot. And, of course, I'm having all sorts of trouble with this reinstall of win95 on my old amd machine.

back tomorrow, hopefully.

thanks...

bs_texas
06-29-2003, 04:41 PM
Well... maybe it wasn't a random thing at google after all!

http://www.cnn.com/2003/TECH/internet/06/27/google.gadgets.ap/index.html

This must've had something to do with what I experienced.

JohnT
06-29-2003, 07:14 PM
Originally posted by bs_2003
Well... maybe it wasn't a random thing at google after all!

http://www.cnn.com/2003/TECH/internet/06/27/google.gadgets.ap/index.html

This must've had something to do with what I experienced.

I use that and can confirm....it's not connected with your problem.

chort
06-29-2003, 08:57 PM
bs_2003, if you understood how DNS and The 'net works, you would realize it's a DNS issue. Please test what I posted above. Someone, somehow, is hijacking your DNS queries.

I rather strongly believe the issue is centralized in Smoothwall. Did you install any third-party add-ons or plug-ins for Smoothwall? The answer is in there somewhere.

bwkaz
06-29-2003, 09:55 PM
Originally posted by bs_2003
Well... maybe it wasn't a random thing at google after all!

http://www.cnn.com/2003/TECH/internet/06/27/google.gadgets.ap/index.html

This must've had something to do with what I experienced.

Nope, it doesn't. That article is talking about Google's search toolbar (the one you can install into your browser), not their site. :)