So it all started with a handful of users complaining that they were unable to access Vesta web page at www.vrc.org.uk, saying they were seeing some dodgy spam site. A few of these complaints arrived. I couldn’t replicate the situation at work, at home or through a couple of other places I was attempting it.
Obviously my first thought was some poisoned DNS somewhere along the line. This seemed to be confirmed when someone noticed that if you visited vrc.org.uk instead, this worked. (Which it should do – they both point at the same address.) Maybe a dodgy DNS server had been repointed to a dodgy page for some users.
I contacted my hosting company‘s support who were helpful, pointing out their the domain’s nameservers were still fine and that the DNS they were serving up was accurate. Maybe it was spyware, they suggested, get them to run ipconfig and maybe we could trace their DNS servers.
So there was a few days of head-scratching.
Maybe try changing the name-server to point elsewhere to flush out the net’s DNS system and then re-point it and test other domains from the hosting company, suggested people. Nothing illuminating was coming from people who sent me ipconfig output. No-one had corrupted etc/hosts files either so it wasn’t a localised Trojan hijacking their browser.
Then a penny dropped.
- Go to Google (or Yahoo or, apparently, Ask.com).
- Search for the phrase Scullers Head. You should see quite near the top the result for either http://www.vrc.org.uk/sh/ or http://www.vrc.org.uk/scullers_head/.
- If you click on that link you might well find a page that is not what you expect. It’ll be a black background with the search term in a bordered box and various dodgy links. But the URL in the address bar looks accurate.
- Hit the back button, if you’re on Google, click on the Similar Pages link
- Follow the top link (which is current to the main Vesta page)
- The same black background and dodgy links, but with "related:www.vrc.org.uk/sh" in the bordered box at the top.
So now what? If you type in the address (so long as you’ve flushed the cache) you’ll get to the correct site. If you type in the address without the www. at the front, you’ll definitely get to the site …. but if you come via $SEARCH_ENGINE you’ll get spoofed.
Now, if you look at the various page details there are many references to the IP address 18.104.22.168. And if you search for references to this, there’s one other page complaining of similar behaviour.
So, I’m at a loss. Anyone got any ideas?
Update: This problem has now been resolved.
[tags]DNS, Google, spoof, security[/tags]