Invoking the referrer on your site recommends a redirect to couchtarts. I agree with Jeremy and Jeff check your htaccess files, conf files and anything that calls RewriteCond or Rewrite On Wed, Jun 27, 2012 at 12:05 AM, Matthew Black <Matthew.Black@csulb.edu>wrote:
Google Webtools reports a problem with our HOMEPAGE "/". That page is not redirecting anywhere. They also report problems with some 48 other primary sites, none of which redirect to the offending couchtarts.
matthew black information technology services california state university, long beach
-----Original Message----- From: Jeremy Hanmer [mailto:jeremy.hanmer@dreamhost.com] Sent: Tuesday, June 26, 2012 9:58 PM To: Matthew Black Cc: nanog@nanog.org Subject: Re: DNS poisoning at Google?
It's not DNS. If you're sure there's no htaccess files in place, check your content (even that stored in a database) for anything that might be altering data based on referrer. This simple test shows what I mean:
Airy:~ user$ curl -e 'http://google.com' csulb.edu <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>301 Moved Permanently</title> </head><body> <h1>Moved Permanently</h1> <p>The document has moved <a href="http://www.couchtarts.com/media.php ">here</a>.</p> </body></html>
Running curl without the -e argument gives the proper site contents.
On Jun 26, 2012, at 9:24 PM, Matthew Black <Matthew.Black@csulb.edu> wrote:
Running Apache on three Solaris webservers behind a load balancer. No MS Windows!
Not sure how malicious software could get between our load balancer and Unix servers. Thanks for the tip!
matthew black information technology services california state university, long beach
From: Landon Stewart [mailto:lstewart@superb.net] Sent: Tuesday, June 26, 2012 9:07 PM To: Matthew Black Cc: nanog@nanog.org Subject: Re: DNS poisoning at Google?
Is it possible that some malicious software is listening and injecting a redirect on the wire? We've seen this before with a Windows machine being infected. On 26 June 2012 20:53, Matthew Black <Matthew.Black@csulb.edu<mailto: Matthew.Black@csulb.edu>> wrote: Google Safe Browsing and Firefox have marked our website as containing malware. They claim our home page returns no results, but redirects users to another compromised website couchtarts.com<http://couchtarts.com>.
We have thoroughly examined our root .htaccess and httpd.conf files and are not redirecting to the problem target site. No recent changes either.
We ran some NSLOOKUPs against various public DNS servers and intermittently get results that are NOT our servers.
We believe the DNS servers used by Google's crawler have been poisoned.
Can anyone shed some light on this?
matthew black information technology services california state university, long beach www.csulb.edu<http://www.csulb.edu><http://www.csulb.edu>
-- Landon Stewart <LStewart@Superb.Net<mailto:LStewart@Superb.Net>> Sr. Administrator Systems Engineering Superb Internet Corp - 888-354-6128 x 4199 Web hosting and more "Ahead of the Rest": http://www.superbhosting.net<http://www.superbhosting.net/>