Typically if google were pulling your site sometimes from the wrong IP, their safe browsing page should indicate it being on another AS number in addition to the correct one 2152:
http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.csulb.edu
For example, the couchtarts site they claim yours is redirecting to:
http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.couchtarts.com
That site's DNS is screwed up and some requests are sent to a different IP at a different host, so Google picked up both AS numbers.
Could one of your domain's subdomains be what is actually infected? You seem to have a bunch of them, maybe google is penalizing the whole domain over a subdomain? Not sure if they do that or not.
If your sites are running off of an application like wordpress, etc., you may not get the same page that google gets and the application may have been hacked. Here's a wget command you can use to make requests to your site pretending to be google:
wget -c \
  --user-agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" \
  --output-document=googlebot.html 'http://www.csulb.edu'
nanog will probably line wrap that user agent line making it not correct so you'll have to put it back together correctly. It will save the output to a file named googlebot.html you can look at to see if anything weird ends up being served.
David
-----Original Message-----
From: Matthew Black [mailto:Matthew.Black@csulb.edu]
Sent: Tuesday, June 26, 2012 11:53 PM
To: nanog@nanog.org
Subject: DNS poisoning at Google?
Google Safe Browsing and Firefox have marked our website as containing malware. They claim our home page returns no results, but redirects users to another compromised website couchtarts.com.
We have thoroughly examined our root .htaccess and httpd.conf files and are not redirecting to the problem target site. No recent changes either.
We ran some NSLOOKUPs against various public DNS servers and intermittently get results that are NOT our servers.
We believe the DNS servers used by Google's crawler have been poisoned.
Can anyone shed some light on this?
matthew black
information technology services
california state university, long beach
www.csulb.edu
Running Apache on three Solaris servers behind a load balancer.
I forgot how to lookup our AS number to see if it matches couchtarts.
matthew black
information technology services
california state university, long beach
couchtarts.com seems to be hosted on an IP belonging to AS32244 (Liquid Web).
On Wed, Jun 27, 2012 at 12:28 AM, Matthew Black <Matthew.Black@csulb.edu> wrote:
Running Apache on three Solaris servers behind a load balancer.
I forgot how to lookup our AS number to see if it matches couchtarts.
--
Sadiq S
ascii ribbon campaign - stop html mail - www.asciiribbon.org
Have you tried using Google Webmaster tools?
On Tue, Jun 26, 2012 at 11:28 PM, Matthew Black <Matthew.Black@csulb.edu> wrote:
Running Apache on three Solaris servers behind a load balancer.
I forgot how to lookup our AS number to see if it matches couchtarts.
Yes, we've used the Google Webmaster Tools a lot today. Submitted multiple requests and they keep insisting that our site issues a redirect. Unable to duplicate the problem here.
matthew black
information technology services
california state university, long beach
On Jun 26, 2012, at 9:35 PM, Matthew Black wrote:
Yes, we’ve used the Google Webmaster Tools a lot today. Submitted multiple requests and they keep insisting that our site issues a redirect. Unable to duplicate the problem here.
… have you consulted the logs? If the redirect is there, it … 1) might not be from the home page, and 2) could be in … user content?
awk '{if ($9 ~ /304/) { print $0 }}' access_log
… or some such. Granted, might be a storm of " " -> index.html redirects, but they should be grep -v 'able in short order.
You might also look for the rDNS of the Google spider to see exactly where it is looking, and what it sees.
Aloha,
Michael.
--
"Please have your Internet License and Usenet Registration handy..."
Q: have you consulted the logs?
Seriously? Our servers have multiple log files due to multiple virtual hosts. Our primary domain log file on just one server has over 600,000 records x 3 servers. Probably over 100,000 304 redirects in our logs. couchtarts.com does not appear in our log files.
matthew black
information technology services
california state university, long beach
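Michael's log check and Matthew's objection that couchtarts.com never appears in the logs run into the same limitation: Apache's default combined log format records the response status but not the Location header, so a referer-keyed redirect shows up only as a run of 301/302 responses tied to one particular referer. The script below is an added example (not code from any poster) that parses combined-format lines and flags paths that are always redirected for one referer host but never for another; the log lines, IP addresses, hosts and paths are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
# (the status is awk's $9, the field Michael's one-liner tests)
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Real redirect codes; 304 is "Not Modified" and is noise in any large log
REDIRECT_CODES = {"301", "302", "303", "307", "308"}


def parse(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer):
    """Collapse a Referer URL to its host; '-' (no Referer sent) becomes '(none)'."""
    if referer in ("", "-"):
        return "(none)"
    return urlsplit(referer).hostname or "(unparsable)"


def redirects_by_referer(lines):
    """{path: {referer_host: (redirect_count, total_count)}}.
    Only the status is available: the redirect's Location header is not logged,
    which is why the destination domain never shows up in a plain grep."""
    table = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip malformed or non-combined lines instead of crashing
        cell = table[rec["path"]][referer_host(rec["referer"])]
        cell[1] += 1
        if rec["status"] in REDIRECT_CODES:
            cell[0] += 1
    return {path: {h: tuple(c) for h, c in hosts.items()} for path, hosts in table.items()}


def cloaking_suspects(lines, min_hits=3):
    """Paths redirected on every hit from some referer host but never redirected for
    another host (each with at least min_hits): the signature of a referer-keyed
    redirect that the site owner cannot reproduce from a browser."""
    suspects = []
    for path, hosts in redirects_by_referer(lines).items():
        always = sorted(h for h, (r, t) in hosts.items() if t >= min_hits and r == t)
        never = [h for h, (r, t) in hosts.items() if t >= min_hits and r == 0]
        if always and never:
            suspects.append((path, always))
    return sorted(suspects)


# Constructed sample log (documentation IP ranges; example.edu stands in for the site)
SAMPLE_LOG = """\
203.0.113.5 - - [26/Jun/2012:21:10:01 -0700] "GET / HTTP/1.1" 200 15234 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/13.0"
203.0.113.5 - - [26/Jun/2012:21:10:02 -0700] "GET /images/logo.png HTTP/1.1" 304 - "http://www.example.edu/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/13.0"
203.0.113.9 - - [26/Jun/2012:21:10:30 -0700] "GET / HTTP/1.1" 200 15234 "http://www.bing.com/search?q=example" "Mozilla/5.0 (Windows NT 6.1) Chrome/19.0"
203.0.113.10 - - [26/Jun/2012:21:11:02 -0700] "GET / HTTP/1.1" 200 15234 "-" "Mozilla/5.0 (Macintosh) Safari/536.5"
198.51.100.7 - - [26/Jun/2012:21:11:40 -0700] "GET / HTTP/1.1" 301 243 "http://www.google.com/search?q=example+university" "Mozilla/5.0 (Windows NT 6.1) Chrome/19.0"
198.51.100.8 - - [26/Jun/2012:21:12:05 -0700] "GET / HTTP/1.1" 301 243 "http://www.google.com/search?q=example" "Mozilla/5.0 (X11; Linux x86_64) Firefox/13.0"
198.51.100.9 - - [26/Jun/2012:21:12:44 -0700] "GET / HTTP/1.1" 301 243 "http://www.google.com/url?q=example" "Mozilla/5.0 (Macintosh) Safari/536.5"
192.0.2.21 - - [26/Jun/2012:21:13:10 -0700] "GET / HTTP/1.1" 200 15234 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/19.0"
192.0.2.22 - - [26/Jun/2012:21:13:55 -0700] "GET /about/ HTTP/1.1" 200 8012 "http://www.google.com/search?q=about" "Mozilla/5.0 (Windows NT 6.1) Chrome/19.0"
this line is deliberately not in combined format
""".splitlines()

if __name__ == "__main__":
    for path, hosts in sorted(redirects_by_referer(SAMPLE_LOG).items()):
        print(path)
        for host, (redirected, total) in sorted(hosts.items()):
            print("  %-20s %d/%d redirected" % (host, redirected, total))
    print("suspects:", cloaking_suspects(SAMPLE_LOG))
```

On a real server, feed it the lines of access_log for each virtual host; the 304 noise Michael mentions is ignored because only 3xx redirect codes count.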
It's not DNS. If you're sure there's no htaccess files in place, check your content (even that stored in a database) for anything that might be altering data based on referrer. This simple test shows what I mean:
Airy:~ user$ curl -e 'http://google.com' csulb.edu
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
</body></html>
Running curl without the -e argument gives the proper site contents.
On Jun 26, 2012, at 9:35 PM, Matthew Black <Matthew.Black@csulb.edu> wrote:
Yes, we’ve used the Google Webmaster Tools a lot today. Submitted multiple requests and they keep insisting that our site issues a redirect. Unable to duplicate the problem here.
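Jeremy's curl -e test and David's Googlebot wget are two variants of one check: fetch the page the way the crawler would and compare it with a plain fetch. The Python below is an added example, not code from any poster. It refuses to follow redirects so the 301 and its Location stay visible, compares each variant's status and body digest against the plain baseline, and, so that it runs offline, includes a constructed loopback server that mimics the referer-keyed redirect seen in the thread (the redirect target is a placeholder). Pointing probe() at a real URL runs the same comparison against a site you administer.

```python
import hashlib
import http.server
import threading
import urllib.error
import urllib.request

# Request variants: a plain fetch as baseline, then the two triggers the thread shows
# a compromised server keying on (a Google Referer, a Googlebot User-Agent)
VARIANTS = {
    "plain": {},
    "google-referer": {"Referer": "http://google.com"},
    "googlebot-ua": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                                   "+http://www.google.com/bot.html)"},
}


class _NoFollow(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the 3xx response itself is what we inspect."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, extra_headers):
    """Return (status, Location header or None, sha256 of body) for one request."""
    opener = urllib.request.build_opener(_NoFollow)
    req = urllib.request.Request(url, headers=extra_headers)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location"), hashlib.sha256(resp.read()).hexdigest()
    except urllib.error.HTTPError as err:
        # with redirects not followed, 3xx (and 4xx/5xx) responses arrive here
        return err.code, err.headers.get("Location"), hashlib.sha256(err.read()).hexdigest()


def compare(results):
    """Variants whose status or body differs from the plain baseline -> {name: (status, location)}."""
    base_status, _, base_digest = results["plain"]
    return {name: (status, location)
            for name, (status, location, digest) in results.items()
            if name != "plain" and (status != base_status or digest != base_digest)}


def probe(url):
    """Fetch every variant of url and report which ones are served differently."""
    results = {name: fetch(url, hdrs) for name, hdrs in VARIANTS.items()}
    return results, compare(results)


# Constructed stand-in for the compromised server (not csulb.edu): serves the normal
# page unless the request looks like it came from Google, then 301s to a placeholder.
class _ConditionalRedirect(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        referer = self.headers.get("Referer", "").lower()
        agent = self.headers.get("User-Agent", "").lower()
        if "google" in referer or "googlebot" in agent:
            self.send_response(301)
            self.send_header("Location", "http://redirect-target.example/media.php")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = b"<html><body>normal home page</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_demo_server():
    """Start the stand-in on a free loopback port and return the server object."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _ConditionalRedirect)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_demo_server()
    url = "http://127.0.0.1:%d/" % srv.server_address[1]
    results, suspicious = probe(url)
    for name, (status, location, _) in results.items():
        print("%-15s %s %s" % (name, status, location or ""))
    print("served differently:", sorted(suspicious))
    srv.shutdown()
```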
I'm not familiar with curl and don't understand what I type and what the results are. Are you suggesting that when google refers to our website, we pick that up and redirect to couchtarts?
matthew black
information technology services
california state university, long beach
On 6/27/2012 1:13 AM, Matthew Black wrote:
I'm not familiar with curl and don't understand what I type and what are results. Are you suggesting that when google refers to our website, we pick that up and redirect to couchtarts?
Referer is an HTTP header that can be included in requests to your web server - http://en.wikipedia.org/wiki/HTTP_referer
"man curl":
-e, --referer <URL>
(HTTP) Sends the "Referer Page" information to the HTTP server. This can also be set with the -H, --header flag of course. When used with -L, --location you can append ";auto" to the --referer URL to make curl automatically set the previous URL when it follows a Location: header. The ";auto" string can be used alone, even if you don't set an initial --referer.
$ curl -v -e 'http://google.com' csulb.edu
* About to connect() to csulb.edu port 80 (#0)
* Trying 134.139.1.60...
* connected
* Connected to csulb.edu (134.139.1.60) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-pc-linux-gnu) libcurl/7.24.0 OpenSSL/1.0.0g zlib/1.2.5
> Host: csulb.edu
> Accept: */*
> Referer: http://google.com
>
< HTTP/1.1 301 Moved Permanently
< Date: Wed, 27 Jun 2012 05:11:39 GMT
< Server: Apache/2.0.63
< Location: http://www.couchtarts.com/media.php
< Content-Length: 243
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
</body></html>
* Closing connection #0
-DMM
In article <ED78B1C68B84A14FA706D13A230D7B431954E95B@ITS-MAIL01.campus.ad.csulb.edu> you write:
I'm not familiar with curl and don't understand what I type and what are results. Are you suggesting that when google refers to our website, we pick that up and redirect to couchtarts?
curl is a command line www client that's worth knowing about. And I observe the same thing, using my own local DNS cache -- if I fetch the home page from csulb.edu or www.csulb.edu with Google as the referrer, it returns a page that redirects to couchtarts. Sorry, dude, you've been pwn3d.
R's,
John
Yes, thanks. I'll have to read up on that. My e-mail was showing extra stuff at the end of the sample command lines, which confused me:
Airy:~ user$ curl -e 'http://google.com' csulb.edu <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> ...................................................###############################################################
Sigh, I just Outlook not to strip extra line breaks.
matthew black
information technology services
california state university, long beach
participants (8): David Hubbard, David Miller, Ishmael Rufus, Jeremy Hanmer, John Levine, Matthew Black, Michael J Wise, Sadiq Saif