Why are top university websites serving porn? It comes down to shoddy housekeeping.
Source: Ars Technica
Introduction
Universities are increasingly finding that hijacked subdomains are being used to host pornographic content. Because university domains carry strong reputations, these malicious sites often rank highly in Google search results.
Root cause
The root cause is simple: organizations create DNS records and never clean them up. There is no expiry date on a CNAME record. Nobody gets an alert when the target stops responding. And most university IT departments don’t maintain a comprehensive inventory of their subdomains and where they point.
— Shakhov
- Universities operate in a highly decentralized manner.
- Individual departments, labs, research groups, and student organizations can request subdomains independently.
- When people leave, there is no de‑commissioning process for the DNS records they created.
Detection
Finding hijacked subdomains is straightforward:
site:university.edu "xxx"
site:university.edu "porn"Running these queries for an affected institution returns scores of results. In some cases the subdomains no longer lead to porn sites, but many still do.
Recommendations
- Maintain an inventory – Compile a running list of all subdomains, their purpose, and corresponding CNAME records.
- Regular audits – Periodically search for “dangling” records (records that remain after the official subdomain has gone dark).
- Remove inactive CNAMEs – Delete any subdomain found to be inactive.
- Delist from search engines – Request removal of malicious URLs from Google’s index when they are taken down.
Current status
Only a handful of the affected universities have removed dangling CNAME records since the findings were published earlier this month. Several institutions have also failed to get the URLs delisted by Google, leaving the indexed pages visible in search results. Inquiries sent to UC Berkeley, Columbia, and Washington University did not receive responses before publication.