It's not DNS. If you're sure there's no htaccess files in place, check your content (even that stored in a database) for anything that might be altering data based on referrer. This simple test shows what I mean:
Airy:~ user$ curl -e 'http://google.com' csulb.edu <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>301 Moved Permanently</title> </head><body> <h1>Moved Permanently</h1> <p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p> </body></html> Running curl without the -e argument gives the proper site contents. On Jun 26, 2012, at 9:35 PM, Matthew Black <matthew.bl...@csulb.edu> wrote: > Yes, we’ve used the Google Webmaster Tools a lot today. Submitted multiple > requests and they keep insisting that our site issues a redirect. Unable to > duplicate the problem here. > > matthew black > information technology services > california state university, long beach > > From: Ishmael Rufus [mailto:sakam...@gmail.com] > Sent: Tuesday, June 26, 2012 9:34 PM > To: Matthew Black > Cc: David Hubbard; nanog@nanog.org > Subject: Re: DNS poisoning at Google? > > Have you tried using Google Webmaster tools? > On Tue, Jun 26, 2012 at 11:28 PM, Matthew Black > <matthew.bl...@csulb.edu<mailto:matthew.bl...@csulb.edu>> wrote: > Running Apache on three Solaris servers behind a load balancer. > > I forgot how to lookup our AS number to see if it matches couchtarts. > > matthew black > information technology services > california state university, long beach > > -----Original Message----- > From: David Hubbard > [mailto:dhubb...@dino.hostasaurus.com<mailto:dhubb...@dino.hostasaurus.com>] > Sent: Tuesday, June 26, 2012 9:14 PM > To: nanog@nanog.org<mailto:nanog@nanog.org> > Subject: RE: DNS poisoning at Google? > > Typically if google were pulling your site sometimes from the wrong IP, their > safe browsing page should indicate it being on another AS number in addition > to the correct one 2152: > > http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http > ://www.csulb.edu<http://www.csulb.edu> > > For example, the couchtarts site they claim yours is redirecting to: > > http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http > ://www.couchtarts.com<http://www.couchtarts.com> > > That site's DNS is screwed up and some requests are sent to a different IP at > a different host, so Google picked up both AS numbers. > > Could one of your domain's subdomains be what is actually infected? You seem > to have a bunch of them, maybe google is penalizing the whole domain over a > subdomain? Not sure if they do that or not. > > If your sites are running off of an application like wordpress, etc., you may > not get the same page that google gets and the application may have been > hacked. > Here's a wget command you can use to make requests to your site pretending to > be google: > > wget -c \ > --user-agent="Mozilla/5.0 (compatible; Googlebot/2.1; > +http://www.google.com/bot.html)" \ > --output-document=googlebot.html 'http://www.csulb.edu' > > nanog will probably line wrap that user agent line making it not correct so > you'll have to put it back together correctly. It will save the output to a > file named googlebot.html you can look at to see if anything weird ends up > being served. > > David > > >> -----Original Message----- >> From: Matthew Black >> [mailto:matthew.bl...@csulb.edu<mailto:matthew.bl...@csulb.edu>] >> Sent: Tuesday, June 26, 2012 11:53 PM >> To: nanog@nanog.org<mailto:nanog@nanog.org> >> Subject: DNS poisoning at Google? >> >> Google Safe Browsing and Firefox have marked our website as containing >> malware. They claim our home page returns no results, but redirects >> users to another compromised website couchtarts.com<http://couchtarts.com>. >> >> We have thoroughly examined our root .htaccess and httpd.conf files >> and are not redirecting to the problem target site. No recent changes >> either. >> >> We ran some NSLOOKUPs against various public DNS servers and >> intermittently get results that are NOT our servers. >> >> We believe the DNS servers used by Google's crawler have been >> poisoned. >> >> Can anyone shed some light on this? >> >> matthew black >> information technology services >> california state university, long beach >> www.csulb.edu<http://www.csulb.edu><http://www.csulb.edu> >> >> >> > > > >