The fun part will be figuring out how it got there. :)

Sent from my iPhone

On Jun 27, 2012, at 12:06 AM, Matthew Black <matthew.bl...@csulb.edu> wrote:

> We found the aberrant .htaccess file and have removed it. What a mess!
>
> matthew black
> information technology services
> california state university, long beach
>
> From: Grant Ridder [mailto:shortdudey...@gmail.com]
> Sent: Tuesday, June 26, 2012 11:02 PM
> To: Matthew Black; nanog@nanog.org
> Cc: Jeremy Hanmer
> Subject: Re: DNS poisoning at Google?
>
> It also redirects with facebook, youtube, and ebay but NOT amazon.
>
> -Grant
>
> On Wed, Jun 27, 2012 at 12:57 AM, Matthew Black <matthew.bl...@csulb.edu> wrote:
> Our web lead was able to run curl. Thanks.
>
> matthew black
> information technology services
> california state university, long beach
>
> From: Grant Ridder [mailto:shortdudey...@gmail.com]
> Sent: Tuesday, June 26, 2012 10:53 PM
> To: Matthew Black
> Cc: Landon Stewart; nanog@nanog.org; Jeremy Hanmer
> Subject: Re: DNS poisoning at Google?
>
> Matt, what happens when you get on a subnet that can access the webservers
> directly and bypass the load balancer? Try curl then and see if it's
> something w/ the webserver or load balancer.
>
> -Grant
>
> On Wed, Jun 27, 2012 at 12:40 AM, Matthew Black <matthew.bl...@csulb.edu> wrote:
> Thanks again to everyone who helped. I didn't know what to enter with curl,
> because Outlook clobbered the line breaks in Jeremy's original message.
>
> Also, curl failed on our primary webserver because of firewall and load
> balancer magic settings. The Telnet method worked better!
>
> Our team is now scouring for that hidden redirect to couchtarts.
>
> matthew black
> information technology services
> california state university, long beach
>
> From: Landon Stewart [mailto:lstew...@superb.net]
> Sent: Tuesday, June 26, 2012 10:37 PM
> To: Matthew Black
> Cc: Jeremy Hanmer; nanog@nanog.org
> Subject: Re: DNS poisoning at Google?
>
> There is definitely a 301 redirect.
>
> $ curl -I --referer http://www.google.com/ http://www.csulb.edu/
> HTTP/1.1 301 Moved Permanently
> Date: Wed, 27 Jun 2012 05:36:31 GMT
> Server: Apache/2.0.63
> Location: http://www.couchtarts.com/media.php
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> On 26 June 2012 22:05, Matthew Black <matthew.bl...@csulb.edu> wrote:
> Google Webtools reports a problem with our HOMEPAGE "/". That page is not
> redirecting anywhere.
> They also report problems with some 48 other primary sites, none of which
> redirect to the offending couchtarts.
>
> matthew black
> information technology services
> california state university, long beach
>
> -----Original Message-----
> From: Jeremy Hanmer [mailto:jeremy.han...@dreamhost.com]
> Sent: Tuesday, June 26, 2012 9:58 PM
> To: Matthew Black
> Cc: nanog@nanog.org
> Subject: Re: DNS poisoning at Google?
>
> It's not DNS. If you're sure there are no htaccess files in place, check your
> content (even that stored in a database) for anything that might be altering
> data based on referrer.
>
> This simple test shows what I mean:
>
> Airy:~ user$ curl -e 'http://google.com' csulb.edu
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>301 Moved Permanently</title>
> </head><body>
> <h1>Moved Permanently</h1>
> <p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
> </body></html>
>
> Running curl without the -e argument gives the proper site contents.
>
> On Jun 26, 2012, at 9:24 PM, Matthew Black <matthew.bl...@csulb.edu> wrote:
>
>> Running Apache on three Solaris webservers behind a load balancer. No MS
>> Windows!
>>
>> Not sure how malicious software could get between our load balancer and Unix
>> servers. Thanks for the tip!
>>
>> matthew black
>> information technology services
>> california state university, long beach
>>
>> From: Landon Stewart [mailto:lstew...@superb.net]
>> Sent: Tuesday, June 26, 2012 9:07 PM
>> To: Matthew Black
>> Cc: nanog@nanog.org
>> Subject: Re: DNS poisoning at Google?
>>
>> Is it possible that some malicious software is listening and injecting a
>> redirect on the wire? We've seen this before with a Windows machine being
>> infected.
>>
>> On 26 June 2012 20:53, Matthew Black <matthew.bl...@csulb.edu> wrote:
>> Google Safe Browsing and Firefox have marked our website as containing
>> malware.
>> They claim our home page returns no results, but redirects users to
>> another compromised website, couchtarts.com.
>>
>> We have thoroughly examined our root .htaccess and httpd.conf files and are
>> not redirecting to the problem target site. No recent changes either.
>>
>> We ran some NSLOOKUPs against various public DNS servers and intermittently
>> get results that are NOT our servers.
>>
>> We believe the DNS servers used by Google's crawler have been poisoned.
>>
>> Can anyone shed some light on this?
>>
>> matthew black
>> information technology services
>> california state university, long beach
>> www.csulb.edu
>>
>> --
>> Landon Stewart <lstew...@superb.net>
>> Sr. Administrator
>> Systems Engineering
>> Superb Internet Corp - 888-354-6128 x 4199
>> Web hosting and more "Ahead of the Rest": http://www.superbhosting.net
>
> --
> Landon Stewart <lstew...@superb.net>
> Sr. Administrator
> Systems Engineering
> Superb Internet Corp - 888-354-6128 x 4199
> Web hosting and more "Ahead of the Rest": http://www.superbhosting.net
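The curl checks Jeremy and Landon describe in the thread (fetch with and without a Referer header, compare the answers), written up as a small repeatable check. This is an added example, not code from the thread: the probe referrers are the ones named in the thread, the target URL is whatever you pass in, and the HTTP fetch is injectable so the comparison logic can be exercised offline.

```python
"""Detect referrer-conditional redirects: probe a URL with no Referer and
with each referrer in PROBE_REFERRERS, and report answers that differ from
the no-Referer baseline (status code or Location header)."""
import urllib.error
import urllib.request

# Referrers named in the thread; amazon did NOT trigger the redirect there.
PROBE_REFERRERS = [
    "http://www.google.com/",
    "http://www.facebook.com/",
    "http://www.youtube.com/",
    "http://www.ebay.com/",
    "http://www.amazon.com/",
]


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx so the Location header stays visible to us."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_head(url, referer=None, timeout=10):
    """HEAD `url`, optionally with a Referer; return (status, Location or None)."""
    req = urllib.request.Request(url, method="HEAD")
    if referer:
        req.add_header("Referer", referer)
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx land here
        return e.code, e.headers.get("Location")


def referrer_conditional_redirects(baseline, probes):
    """baseline: (status, location); probes: {referer: (status, location)}.
    Return the probes whose answer differs from the baseline."""
    return {ref: ans for ref, ans in probes.items() if ans != baseline}


def scan(url, fetch=fetch_head):
    """Run the full check against `url`; `fetch` is swappable for testing."""
    baseline = fetch(url)
    probes = {ref: fetch(url, ref) for ref in PROBE_REFERRERS}
    return referrer_conditional_redirects(baseline, probes)


if __name__ == "__main__":
    import sys
    for ref, (status, loc) in scan(sys.argv[1]).items():
        print(f"Referer {ref}: HTTP {status} -> {loc}")
```

A clean site returns an empty result; any non-empty result lists exactly which referrers flip the answer, which narrows the search to rules keyed on HTTP_REFERER.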