It's not DNS.  If you're sure there are no htaccess files in place, check your 
content (even that stored in a database) for anything that might be altering 
data based on referrer.  This simple test shows what I mean:

Airy:~ user$ curl -e 'http://google.com' csulb.edu
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
</body></html>

Running curl without the -e argument gives the proper site contents.  

On Jun 26, 2012, at 9:35 PM, Matthew Black <matthew.bl...@csulb.edu> wrote:

> Yes, we’ve used the Google Webmaster Tools a lot today. Submitted multiple 
> requests and they keep insisting that our site issues a redirect. Unable to 
> duplicate the problem here.
> 
> matthew black
> information technology services
> california state university, long beach
> 
> From: Ishmael Rufus [mailto:sakam...@gmail.com]
> Sent: Tuesday, June 26, 2012 9:34 PM
> To: Matthew Black
> Cc: David Hubbard; nanog@nanog.org
> Subject: Re: DNS poisoning at Google?
> 
> Have you tried using Google Webmaster tools?
> On Tue, Jun 26, 2012 at 11:28 PM, Matthew Black 
> <matthew.bl...@csulb.edu> wrote:
> Running Apache on three Solaris servers behind a load balancer.
> 
> I forgot how to lookup our AS number to see if it matches couchtarts.
> 
> matthew black
> information technology services
> california state university, long beach
> 
> -----Original Message-----
> From: David Hubbard 
> [mailto:dhubb...@dino.hostasaurus.com]
> Sent: Tuesday, June 26, 2012 9:14 PM
> To: nanog@nanog.org
> Subject: RE: DNS poisoning at Google?
> 
> Typically if google were pulling your site sometimes from the wrong IP, their 
> safe browsing page should indicate it being on another AS number in addition 
> to the correct one 2152:
> 
> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.csulb.edu
> 
> For example, the couchtarts site they claim yours is redirecting to:
> 
> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.couchtarts.com
> 
> That site's DNS is screwed up and some requests are sent to a different IP at 
> a different host, so Google picked up both AS numbers.
> 
> Could one of your domain's subdomains be what is actually infected?  You seem 
> to have a bunch of them, maybe google is penalizing the whole domain over a 
> subdomain?  Not sure if they do that or not.
> 
> If your sites are running off of an application like wordpress, etc., you may 
> not get the same page that google gets and the application may have been 
> hacked.
> Here's a wget command you can use to make requests to your site pretending to 
> be google:
> 
> wget -c \
> --user-agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" \
> --output-document=googlebot.html 'http://www.csulb.edu'
> 
> nanog will probably line wrap that user agent line making it not correct so 
> you'll have to put it back together correctly.  It will save the output to a 
> file named googlebot.html you can look at to see if anything weird ends up 
> being served.
> 
> David
> 
> 
>> -----Original Message-----
>> From: Matthew Black 
>> [mailto:matthew.bl...@csulb.edu]
>> Sent: Tuesday, June 26, 2012 11:53 PM
>> To: nanog@nanog.org
>> Subject: DNS poisoning at Google?
>> 
>> Google Safe Browsing and Firefox have marked our website as containing
>> malware. They claim our home page returns no results, but redirects
>> users to another compromised website couchtarts.com.
>> 
>> We have thoroughly examined our root .htaccess and httpd.conf files
>> and are not redirecting to the problem target site. No recent changes
>> either.
>> 
>> We ran some NSLOOKUPs against various public DNS servers and
>> intermittently get results that are NOT our servers.
>> 
>> We believe the DNS servers used by Google's crawler have been
>> poisoned.
>> 
>> Can anyone shed some light on this?
>> 
>> matthew black
>> information technology services
>> california state university, long beach
>> www.csulb.edu


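The referrer and user-agent tests from this thread, combined into one repeatable check that flags a redirect served only to some kinds of request. This is an added example, not part of the original messages; the function names, profile names and SAMPLE data are assumptions made for illustration.

```python
import http.client
from urllib.parse import urlsplit

# Request profiles taken from the thread: no extra headers, a search-engine
# Referer (curl -e), and the Googlebot User-Agent from the wget command.
PROFILES = {
    "plain": {},
    "google_referer": {"Referer": "http://google.com"},
    "googlebot_ua": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                                   "+http://www.google.com/bot.html)"},
}

def probe(url, headers, timeout=10):
    """Send one GET without following redirects; return (status, Location)."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("GET", target, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def off_site(url, location):
    """True if a redirect target's host lies outside the probed site's domain."""
    host = urlsplit(location or "").hostname
    if host is None:  # no Location header, or a relative (same-site) redirect
        return False
    site = urlsplit(url).hostname.removeprefix("www.")
    return not (host == site or host.endswith("." + site))

def conditional_redirects(url, results):
    """Profiles that get an off-site 3xx the plain request did not get."""
    return sorted(
        name for name, (status, loc) in results.items()
        if name != "plain" and 300 <= status < 400
        and off_site(url, loc) and (status, loc) != results["plain"])

# Constructed sample modelled on the curl output quoted in the thread;
# the googlebot_ua result is an assumption, the thread does not report it.
SAMPLE = {"plain": (200, None), "googlebot_ua": (200, None),
          "google_referer": (301, "http://www.couchtarts.com/media.php")}

if __name__ == "__main__":
    print(conditional_redirects("http://csulb.edu", SAMPLE))
    # Live check: {n: probe(url, h) for n, h in PROFILES.items()}
```

Running the live check from several source networks helps, since injected redirect code may also key on client IP or fire only intermittently.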