for example, from the commandline with telnet:

morrowc@teensy:~$ telnet www.csulb.edu 80
Trying 134.139.1.60...
Connected to gaggle.its.csulb.edu.
Escape character is '^]'.
GET / HTTP/1.0
Host: www.csulb.edu
Referer: http://www.google.com/

HTTP/1.1 301 Moved Permanently
Date: Wed, 27 Jun 2012 05:04:04 GMT
Server: Apache/2.0.63
Location: http://www.couchtarts.com/media.php
Content-Length: 243
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
</body></html>
Connection closed by foreign host.

oops :( fail.

On Wed, Jun 27, 2012 at 1:13 AM, Ishmael Rufus <sakam...@gmail.com> wrote:

> Invoking the referrer on your site recommends a redirect to couchtarts. I
> agree with Jeremy and Jeff check your htaccess files, conf files and
> anything that calls RewriteCond or Rewrite
>
> On Wed, Jun 27, 2012 at 12:05 AM, Matthew Black
> <matthew.bl...@csulb.edu> wrote:
>
>> Google Webtools reports a problem with our HOMEPAGE "/". That page is not
>> redirecting anywhere.
>> They also report problems with some 48 other primary sites, none of which
>> redirect to the offending couchtarts.
>>
>> matthew black
>> information technology services
>> california state university, long beach
>>
>> -----Original Message-----
>> From: Jeremy Hanmer [mailto:jeremy.han...@dreamhost.com]
>> Sent: Tuesday, June 26, 2012 9:58 PM
>> To: Matthew Black
>> Cc: nanog@nanog.org
>> Subject: Re: DNS poisoning at Google?
>>
>> It's not DNS. If you're sure there's no htaccess files in place, check
>> your content (even that stored in a database) for anything that might be
>> altering data based on referrer.
>> This simple test shows what I mean:
>>
>> Airy:~ user$ curl -e 'http://google.com' csulb.edu
>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>> <html><head>
>> <title>301 Moved Permanently</title>
>> </head><body>
>> <h1>Moved Permanently</h1>
>> <p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
>> </body></html>
>>
>> Running curl without the -e argument gives the proper site contents.
>>
>> On Jun 26, 2012, at 9:24 PM, Matthew Black <matthew.bl...@csulb.edu>
>> wrote:
>>
>> > Running Apache on three Solaris webservers behind a load balancer. No MS
>> > Windows!
>> >
>> > Not sure how malicious software could get between our load balancer and
>> > Unix servers. Thanks for the tip!
>> >
>> > matthew black
>> > information technology services
>> > california state university, long beach
>> >
>> > From: Landon Stewart [mailto:lstew...@superb.net]
>> > Sent: Tuesday, June 26, 2012 9:07 PM
>> > To: Matthew Black
>> > Cc: nanog@nanog.org
>> > Subject: Re: DNS poisoning at Google?
>> >
>> > Is it possible that some malicious software is listening and injecting a
>> > redirect on the wire? We've seen this before with a Windows machine being
>> > infected.
>> >
>> > On 26 June 2012 20:53, Matthew Black <matthew.bl...@csulb.edu> wrote:
>> > Google Safe Browsing and Firefox have marked our website as containing
>> > malware. They claim our home page returns no results, but redirects users
>> > to another compromised website couchtarts.com.
>> >
>> > We have thoroughly examined our root .htaccess and httpd.conf files and
>> > are not redirecting to the problem target site. No recent changes either.
>> >
>> > We ran some NSLOOKUPs against various public DNS servers and
>> > intermittently get results that are NOT our servers.
>> >
>> > We believe the DNS servers used by Google's crawler have been poisoned.
>> >
>> > Can anyone shed some light on this?
>> >
>> > matthew black
>> > information technology services
>> > california state university, long beach
>> > www.csulb.edu
>> >
>> > --
>> > Landon Stewart <lstew...@superb.net>
>> > Sr. Administrator
>> > Systems Engineering
>> > Superb Internet Corp - 888-354-6128 x 4199
>> > Web hosting and more "Ahead of the Rest":
>> > http://www.superbhosting.net
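
An added example, not part of the thread: the replies point at referrer-conditioned rewrite rules as the place to look, so this sketch scans Apache config text for RewriteRule directives that are gated on HTTP_REFERER and redirect to a host you do not own. The sample .htaccess, the hostnames and the function name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample (not from the thread): a benign canonical-host rule,
# then an injected rule that fires only for selected referrers.
SAMPLE_HTACCESS = r"""
RewriteEngine On
# canonical host
RewriteCond %{HTTP_HOST} ^example\.edu$ [NC]
RewriteRule ^(.*)$ http://www.example.edu/$1 [R=301,L]

RewriteCond %{HTTP_REFERER} ^.*(google|bing|yahoo)\..*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^.*(facebook|twitter)\..*$ [NC]
RewriteRule ^(.*)$ http://redirect-target.example/media.php [R=301,L]
"""

TOKEN = re.compile(r'"[^"]*"|\S+')  # bare words or double-quoted arguments


def find_referer_redirects(config_text, own_hosts):
    """Return (line_no, referer_patterns, target) for every RewriteRule that
    is gated on HTTP_REFERER and redirects to a host outside own_hosts."""
    own = {h.lower() for h in own_hosts}
    findings, pending = [], []  # pending: RewriteCond (variable, pattern)
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [t.strip('"') for t in TOKEN.findall(line)]
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending.append((parts[1], parts[2]))
        elif directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
            host = (urlsplit(target).hostname or "").lower()
            patterns = [p for var, p in pending if "http_referer" in var.lower()]
            if patterns and host and host not in own:
                findings.append((line_no, patterns, target))
            pending = []  # conditions bind only to the next RewriteRule
    return findings


if __name__ == "__main__":
    for hit in find_referer_redirects(SAMPLE_HTACCESS, {"www.example.edu"}):
        print("line %d: referer %s -> %s" % hit)
```

Run it over every .htaccess and included conf file on each server behind the load balancer; it does not inspect application code or database-stored content, which the thread also names as places a referrer check can hide.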