On Wed, Jun 27, 2012 at 1:26 AM, Matthew Black <matthew.bl...@csulb.edu> wrote:
> Thank you for that helpful instruction!
>
> curl doesn't work because our webserver is firewalled against outbound
> traffic. The telnet to port 80 showed me the problem. I also didn't
> understand when output was placed at the end of the command line, instead of
> starting on the next line...that looked like something I was supposed to type.
>

sorry... often when I end up testing something like this I cut/paste
from a buffer, so:

telnet bloop 80
<paste>
<return/return/return>
read-output...

In the case of your server:

GET / HTTP/1.0
Host: www.csulb.edu
Referer: http://www.google.com/
<empty-line!!>

all gets pasted once the 'telnet www.csulb.edu 80' connects... the
output is the stuff that includes the 'redirect to couchtarts'.

-chris

>
> matthew black
> information technology services
> california state university, long beac
>
> -----Original Message-----
> From: christopher.mor...@gmail.com [mailto:christopher.mor...@gmail.com] On
> Behalf Of Christopher Morrow
> Sent: Tuesday, June 26, 2012 10:17 PM
> To: Ishmael Rufus
> Cc: Matthew Black; nanog@nanog.org; Jeremy Hanmer
> Subject: Re: DNS poisoning at Google?
>
> for example, from the commandline with telnet:
>
> morrowc@teensy:~$ telnet www.csulb.edu 80
> Trying 134.139.1.60...
> Connected to gaggle.its.csulb.edu.
> Escape character is '^]'.
> GET / HTTP/1.0
> Host: www.csulb.edu
> Referer: http://www.google.com/
>
>
> HTTP/1.1 301 Moved Permanently
> Date: Wed, 27 Jun 2012 05:04:04 GMT
> Server: Apache/2.0.63
> Location: http://www.couchtarts.com/media.php
> Content-Length: 243
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>301 Moved Permanently</title>
> </head><body>
> <h1>Moved Permanently</h1>
> <p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
> </body></html>
> Connection closed by foreign host.
>
>
> oops :( fail.
>
> On Wed, Jun 27, 2012 at 1:13 AM, Ishmael Rufus <sakam...@gmail.com> wrote:
>> Invoking the referrer on your site recommends a redirect to
>> couchtarts. I agree with Jeremy and Jeff check your htaccess files,
>> conf files and anything that calls RewriteCond or Rewrite
>>
>> On Wed, Jun 27, 2012 at 12:05 AM, Matthew Black
>> <matthew.bl...@csulb.edu> wrote:
>>
>>> Google Webtools reports a problem with our HOMEPAGE "/". That page is
>>> not redirecting anywhere.
>>> They also report problems with some 48 other primary sites, none of
>>> which redirect to the offending couchtarts.
>>>
>>> matthew black
>>> information technology services
>>> california state university, long beach
>>>
>>>
>>> -----Original Message-----
>>> From: Jeremy Hanmer [mailto:jeremy.han...@dreamhost.com]
>>> Sent: Tuesday, June 26, 2012 9:58 PM
>>> To: Matthew Black
>>> Cc: nanog@nanog.org
>>> Subject: Re: DNS poisoning at Google?
>>>
>>> It's not DNS. If you're sure there's no htaccess files in place,
>>> check your content (even that stored in a database) for anything that
>>> might be altering data based on referrer. This simple test shows what I
>>> mean:
>>>
>>> Airy:~ user$ curl -e 'http://google.com' csulb.edu
>>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>>> <html><head>
>>> <title>301 Moved Permanently</title>
>>> </head><body>
>>> <h1>Moved Permanently</h1>
>>> <p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
>>> </body></html>
>>>
>>> Running curl without the -e argument gives the proper site contents.
>>>
>>> On Jun 26, 2012, at 9:24 PM, Matthew Black <matthew.bl...@csulb.edu>
>>> wrote:
>>>
>>> > Running Apache on three Solaris webservers behind a load balancer.
>>> > No MS Windows!
>>> >
>>> > Not sure how malicious software could get between our load balancer
>>> > and Unix servers. Thanks for the tip!
>>> >
>>> > matthew black
>>> > information technology services
>>> > california state university, long beach
>>> >
>>> >
>>> > From: Landon Stewart [mailto:lstew...@superb.net]
>>> > Sent: Tuesday, June 26, 2012 9:07 PM
>>> > To: Matthew Black
>>> > Cc: nanog@nanog.org
>>> > Subject: Re: DNS poisoning at Google?
>>> >
>>> > Is it possible that some malicious software is listening and
>>> > injecting a redirect on the wire? We've seen this before with a
>>> > Windows machine being infected.
>>> >
>>> > On 26 June 2012 20:53, Matthew Black <matthew.bl...@csulb.edu> wrote:
>>> > Google Safe Browsing and Firefox have marked our website as
>>> > containing malware. They claim our home page returns no results, but
>>> > redirects users to another compromised website couchtarts.com.
>>> >
>>> > We have thoroughly examined our root .htaccess and httpd.conf files
>>> > and are not redirecting to the problem target site. No recent changes
>>> > either.
>>> >
>>> > We ran some NSLOOKUPs against various public DNS servers and
>>> > intermittently get results that are NOT our servers.
>>> >
>>> > We believe the DNS servers used by Google's crawler have been poisoned.
>>> >
>>> > Can anyone shed some light on this?
>>> >
>>> > matthew black
>>> > information technology services
>>> > california state university, long beach
>>> > www.csulb.edu
>>> >
>>> >
>>> > --
>>> > Landon Stewart <lstew...@superb.net>
>>> > Sr. Administrator
>>> > Systems Engineering
>>> > Superb Internet Corp - 888-354-6128 x 4199 Web hosting and more
>>> > "Ahead of the Rest":
>>> > http://www.superbhosting.net
>>> >
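
Added example, not part of the thread and not any participant's code: a Python version of the telnet/curl check discussed above, which requests the same page with and without a Referer header (redirects not followed) and reports any difference in status or Location. The loopback server, its handler and the redirect-target.invalid name are constructed stand-ins so the check runs offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def fetch(host, port, referer=None, path="/"):
    """One GET with redirects not followed; returns (status, Location)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Referer": referer} if referer else {})
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def referer_differential(host, port=80, referers=("http://www.google.com/",)):
    """Return the no-Referer baseline and every Referer whose answer differs."""
    baseline = fetch(host, port)
    findings = []
    for ref in referers:
        seen = fetch(host, port, referer=ref)
        if seen != baseline:  # only status and Location are compared, not bodies
            findings.append({"referer": ref, "baseline": baseline, "with_referer": seen})
    return baseline, findings

class ConstructedHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the behaviour the thread observed."""
    def do_GET(self):
        if "google." in self.headers.get("Referer", ""):
            self.send_response(301)
            self.send_header("Location", "http://redirect-target.invalid/")
        else:
            self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

def run_demo():
    """Start the constructed server on loopback and run the check against it."""
    server = HTTPServer(("127.0.0.1", 0), ConstructedHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return referer_differential("127.0.0.1", server.server_address[1],
                                    ("http://www.google.com/", "http://example.org/"))
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())
```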