Ever seen Google down? Me neither. Sure, I’ve seen the “Gmail not available” message, and “Service unavailable” once or twice, but it was only for a few seconds, really.
That said, last month for about 15 minutes, it appeared that Google was down. At first I did what’s called a Domain Name lookup in DNS which normally looks like this:
> host google.com google.com has address 209.85.171.100 google.com has address 72.14.205.100 google.com has address 74.125.45.100 google.com mail is handled by 10 smtp4.google.com. google.com mail is handled by 10 smtp1.google.com. google.com mail is handled by 10 smtp2.google.com. google.com mail is handled by 10 smtp3.google.com.
At the time, DNS returned:
> host google.com Host google.com not found: 3(NXDOMAIN)
And then, I did a whois, which returns a domain’s owner, etc. and saw this:
> whois google.com Whois Server Version 2.0 Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information. GOOGLE.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM GOOGLE.COM.ZZZZZ.DOWNLOAD.MOVIE.ONLINE.ZML2.COM GOOGLE.COM.ZOMBIED.AND.HACKED.BY.WWW.WEB-HACK.COM GOOGLE.COM.YAHOO.COM.MYSPACE.COM.YOUTUBE.COM.FACEBOOK.COM.THEYSUCK.DNSABOUT.COM GOOGLE.COM.WORDT.DOOR.VEEL.WHTERS.GEBRUIKT.SERVERTJE.NET GOOGLE.COM.VN GOOGLE.COM.UY GOOGLE.COM.UA GOOGLE.COM.TW GOOGLE.COM.TR GOOGLE.COM.SUCKS.FIND.CRACKZ.WITH.SEARCH.GULLI.COM GOOGLE.COM.SPROSIUYANDEKSA.RU GOOGLE.COM.SERVES.PR0N.FOR.ALLIYAH.NET GOOGLE.COM.SA GOOGLE.COM.PLZ.GIVE.A.PR8.TO.AUDIOTRACKER.NET GOOGLE.COM.MX GOOGLE.COM.IS.NOT.HOSTED.BY.ACTIVEDOMAINDNS.NET GOOGLE.COM.IS.HOSTED.ON.PROFITHOSTING.NET GOOGLE.COM.IS.APPROVED.BY.NUMEA.COM GOOGLE.COM.HAS.LESS.FREE.PORN.IN.ITS.SEARCH.ENGINE.THAN.SECZY.COM GOOGLE.COM.DO GOOGLE.COM.COLLEGELEARNER.COM GOOGLE.COM.CO GOOGLE.COM.BR GOOGLE.COM.BEYONDWHOIS.COM GOOGLE.COM.AU GOOGLE.COM.ACQUIRED.BY.CALITEC.NET GOOGLE.COM To single out one record, look it up with "xxx", where xxx is one of the of the records displayed above. If the records are the same, look them up with "=xxx" to receive a full display for each record. >>> Last update of whois database: Thu, 29 Dec 2008 10:04:56 EST <<<
At the time, seeing lines like GOOGLE.COM.ZOMBIED.AND.HACKED.BY.WWW.WEB-HACK.COM my initial reaction was shock.
What was all this garbage, in the Whois database?
Did someone hack the domain name registry?
Alas, if I had actually read the full response of the whois request, I would have seen “To single out one record …”
So, it returns all matches for GOOGLE.COM in the registry.
Some enterprising nerds decided they would, ahem, spam in the domain name registry for people (I suppose, like me) who do a whois on Google.com. If you do similar requests for YAHOO.COM you get similar responses:
YAHOO.COM.ZZZZZZ.MORE.INFO.AT.WWW.BEYONDWHOIS.COM YAHOO.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM YAHOO.COM.ZZZZZ.DOWNLOAD.MOVIE.ONLINE.ZML2.COM YAHOO.COM.ZOMBIED.AND.HACKED.BY.WWW.WEB-HACK.COM YAHOO.COM.VN YAHOO.COM.VIRGINCHASSIS.COM YAHOO.COM.TWIXTEARS.COM
Has the world come to this? Spamming DNS engineers?
The cost of this, for lack of a better name, Registry Spam, is an IP address, which on the whole, is not expensive. The main offenders that I can see within the two top search engines are Swinging Community, and Web Hack dot com. Swinging Community has 2500 members, and one member online at 10:30 AM on a business day.
So, I think it’s fair to say that either a lot of DNS engineers aren’t swingers, or this type of guerrilla marketing (if you can call it marketing) doesn’t work very well.
To set up one of these (if you want to add to the garbage pile), you would need to add a domain name server and IP address (one per IP address, thank you) to the Registry.
Just choose a name that begins with something famous, and you can leech onto their traffic. Note that it appears that Whois returns entries in reverse alphabetic order, hence the “ZZZZZZ” at the beginning of the list.
On how to add your own name server entry and IP address, you would need to contact your registrar. Typically you are given a page where you enter the name of your server, an IP address, and after submitting, it appears in the regsitry within a matter of minutes (or hours.)
2 replies on “At first I thought Google was being hacked”
[…] Posted by ruben thanks but whats up with this: It's WHOIS Spam. __________________ Submit Your Webmaster Related Web Sites to the NetBuilders Directory […]
some time they wont come with with other ip address when we queried :D