
Google redirected me to Lithuania?

I was surfing the Internets at work today, searching for info on solar panels. I put in a phone number for a Google search and got four results. Clicking on the first one, I expected to see the contact page of Westinghouse Solar. Instead I got redirected to the following URL:

http://39008.peachtreepropainters.info/url?sa=X&source=web&cd=1&ved=0IrIEbA43&url=http://www.westinghousesolar.com/index.php/contact-us&ei=2ZEufKTL5qizrI2OzlM08Z21oQ==&usg=z-CCthkp93j-2o-7wI1SJZ&sig2=yIZHjyHJ17arcqFVojVX4B

Now, I know Google usually tracks which search results I click on, and hides this tracking using JavaScript. That’s been the case for years and I’m used to it. However, I’m stumped as to why the above URL says 39008.peachtreepropainters.info instead of www.google.com. The IP address for 39008.peachtreepropainters.info routes to Lithuania:

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '77.79.10.0 - 77.79.11.255'

inetnum: 77.79.10.0 - 77.79.11.255
netname: LT-ALEJA
org: ORG-UIA2-RIPE
descr: Webhosting, collocation services
country: LT
admin-c: RL3425-RIPE
tech-c: MS16708-RIPE
status: ASSIGNED PA
mnt-by: SPLIUS-MNT
source: RIPE # Filtered

organisation: ORG-UIA2-RIPE
org-name: UAB Duomenu Centras
org-type: OTHER
address: Tilzes 74
address: LT-78140 Siauliai
address: Lithuania
mnt-ref: SPLIUS-MNT
mnt-by: SPLIUS-MNT
source: RIPE # Filtered

Of course it would be for a colocation server, as that’s where all the 7337 haXORz launch their attacks from.

As for PeachTreeProPainters.info, it’s registered to PeachTree Pro Painters in Atlanta, GA:

Domain ID:D31837584-LRMS
Domain Name:PEACHTREEPROPAINTERS.INFO
Created On:10-Mar-2010 19:30:05 UTC
Last Updated On:14-Mar-2012 16:21:35 UTC
Expiration Date:10-Mar-2013 19:30:05 UTC
Sponsoring Registrar:GoDaddy.com LLC (R171-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:AUTORENEWPERIOD
Registrant ID:CR43604105
Registrant Name:Brad Olvey
Registrant Organization:Peachtree Pro Painters
Registrant Street1:311 Peachtree Hills Ave 12G
Registrant Street2:
Registrant Street3:
Registrant City:Atlanta
Registrant State/Province:Georgia
Registrant Postal Code:30305
Registrant Country:US
Registrant Phone:+1.7704800773
Registrant Phone Ext.:
Registrant FAX:+1.4043934662
Registrant FAX Ext.:

I’m trying to think of a reason why a painting company in Atlanta would have a server in Lithuania and I’m coming up short. What is most likely happening is that hackers have somehow gotten between me and Google and redirected my requests.

The hostname 39008.peachtreepropainters.info is a wildcard DNS entry, where no matter what name/number is supplied in front of .peachtreepropainters.info, DNS returns the same IP of 77.79.11.96. I’m assuming the 39008 number might be used to identify me in the webserver logs of the 77.79.11.96 host.

Something’s going on here and I’m not sure what. I thought my local nameserver might be “poisoned”, but external nameservers have the host as well. It could be that my copy of Privoxy has been compromised, or that a hacker has somehow manipulated the JavaScript Google returned to me. I’m running Firefox 11.0, the latest version, so I can’t think that the browser itself is bad.
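As an added example (not part of the original post), here are the two checks described above written out in Python: one inspects a clicked link for the shape of Google’s /url redirector served from a host that is not google.com and pulls out the real destination, the other probes random labels under a domain to tell whether it is a wildcard DNS zone. The resolver is passed in as a function, and fake_resolver is a constructed stand-in for the 77.79.11.96 wildcard, so the block runs offline; for real use you would pass a function that does an actual A lookup.

```python
# Added example, not code from the original post: spot a Google-style
# "/url?...&url=<target>" redirect that is served from a non-Google host,
# and detect a wildcard DNS zone by resolving random labels under it.
import random
import string
from urllib.parse import urlsplit, parse_qs

REDIRECTOR_PARAMS = {"sa", "url", "ved", "usg"}  # usual keys of Google's redirector

def inspect_redirect(link: str) -> dict:
    """Classify a clicked URL: host, real target and a verdict string."""
    parts = urlsplit(link)
    host = parts.hostname or ""
    query = parse_qs(parts.query)
    looks_like_redirector = parts.path == "/url" and REDIRECTOR_PARAMS <= set(query)
    is_google = host == "www.google.com" or host.endswith(".google.com")
    target = query.get("url", [None])[0]  # the destination the redirector would send us to
    if looks_like_redirector and not is_google:
        verdict = "suspicious: google-style redirector on non-google host"
    elif looks_like_redirector:
        verdict = "google redirector"
    else:
        verdict = "not a redirector"
    return {"host": host, "target": target, "verdict": verdict}

def is_wildcard_dns(domain: str, resolve, probes: int = 5) -> bool:
    """True if several random labels under `domain` all resolve to one address.
    `resolve(name)` must return an IP string, or None if the name does not exist."""
    seen = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=12))
        ip = resolve(f"{label}.{domain}")
        if ip is None:  # a real NXDOMAIN means no wildcard
            return False
        seen.add(ip)
    return len(seen) == 1

# Constructed sample: the URL from the post, plus a fake resolver standing in for the wildcard zone.
SAMPLE_LINK = ("http://39008.peachtreepropainters.info/url?sa=X&source=web&cd=1"
               "&ved=0IrIEbA43&url=http://www.westinghousesolar.com/index.php/contact-us"
               "&ei=2ZEufKTL5qizrI2OzlM08Z21oQ==&usg=z-CCthkp93j-2o-7wI1SJZ&sig2=yIZHjyHJ17arcqFVojVX4B")

def fake_resolver(name: str):
    return "77.79.11.96" if name.endswith(".peachtreepropainters.info") else None

if __name__ == "__main__":
    print(inspect_redirect(SAMPLE_LINK))
    print(is_wildcard_dns("peachtreepropainters.info", fake_resolver))
```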

Time to check the Snort logs here at work to see if any successful attacks have been launched at my browser.

  1. I just checked – redirects for me too. So it’s not you.

  2. You mean, when you do a Google search on that phone number you get redirected to the peachtreepropainters.info host?

  3. I clicked on your search link then clicked on the top Westinghouse link and it tried to redirect me. However, I just tried it again and it went straight to Westinghouse. Maybe just a bad DNS entry that has already been flushed?

  4. But it’s redirecting to a specific hostname, not an IP address, so I’m not convinced it’s a DNS issue. It looks more like a problem with Google (i.e. possible hack of Google).
