Have you tried using Google Webmaster tools? On Tue, Jun 26, 2012 at 11:28 PM, Matthew Black <matthew.bl...@csulb.edu>wrote:
> Running Apache on three Solaris servers behind a load balancer. > > I forgot how to lookup our AS number to see if it matches couchtarts. > > matthew black > information technology services > california state university, long beach > > > -----Original Message----- > From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com] > Sent: Tuesday, June 26, 2012 9:14 PM > To: nanog@nanog.org > Subject: RE: DNS poisoning at Google? > > Typically if google were pulling your site sometimes from the wrong IP, > their safe browsing page should indicate it being on another AS number in > addition to the correct one 2152: > > http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http > ://www.csulb.edu > > For example, the couchtarts site they claim yours is redirecting to: > > http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http > ://www.couchtarts.com > > That site's DNS is screwed up and some requests are sent to a different IP > at a different host, so Google picked up both AS numbers. > > Could one of your domain's subdomains be what is actually infected? You > seem to have a bunch of them, maybe google is penalizing the whole domain > over a subdomain? Not sure if they do that or not. > > If your sites are running off of an application like wordpress, etc., you > may not get the same page that google gets and the application may have > been hacked. > Here's a wget command you can use to make requests to your site pretending > to be google: > > wget -c \ > --user-agent="Mozilla/5.0 (compatible; Googlebot/2.1; > +http://www.google.com/bot.html)" \ > --output-document=googlebot.html 'http://www.csulb.edu' > > nanog will probably line wrap that user agent line making it not correct > so you'll have to put it back together correctly. It will save the output > to a file named googlebot.html you can look at to see if anything weird > ends up being served. > > David > > > > -----Original Message----- > > From: Matthew Black [mailto:matthew.bl...@csulb.edu] > > Sent: Tuesday, June 26, 2012 11:53 PM > > To: nanog@nanog.org > > Subject: DNS poisoning at Google? > > > > Google Safe Browsing and Firefox have marked our website as containing > > malware. They claim our home page returns no results, but redirects > > users to another compromised website couchtarts.com. > > > > We have thoroughly examined our root .htaccess and httpd.conf files > > and are not redirecting to the problem target site. No recent changes > > either. > > > > We ran some NSLOOKUPs against various public DNS servers and > > intermittently get results that are NOT our servers. > > > > We believe the DNS servers used by Google's crawler have been > > poisoned. > > > > Can anyone shed some light on this? > > > > matthew black > > information technology services > > california state university, long beach > > www.csulb.edu<http://www.csulb.edu> > > > > > > > > > > >
