On 6/27/2012 1:13 AM, Matthew Black wrote:
> I'm not familiar with curl and don't understand what I type and what are
> results. Are you suggesting that when google refers to our website, we pick
> that up and redirect to couchtarts?
>
> matthew black
> information technology services
> california state university, long beach

Referer is an HTTP header that can be included in requests to your web server -
http://en.wikipedia.org/wiki/HTTP_referer

"man curl"

-e, --referer <URL>
    (HTTP) Sends the "Referer Page" information to the HTTP server. This can
    also be set with the -H, --header flag of course. When used with
    -L, --location you can append ";auto" to the --referer URL to make curl
    automatically set the previous URL when it follows a Location: header.
    The ";auto" string can be used alone, even if you don't set an initial
    --referer.

$ curl -v -e 'http://google.com' csulb.edu
* About to connect() to csulb.edu port 80 (#0)
* Trying 134.139.1.60...
* connected
* Connected to csulb.edu (134.139.1.60) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-pc-linux-gnu) libcurl/7.24.0 OpenSSL/1.0.0g zlib/1.2.5
> Host: csulb.edu
> Accept: */*
> Referer: http://google.com
>
< HTTP/1.1 301 Moved Permanently
< Date: Wed, 27 Jun 2012 05:11:39 GMT
< Server: Apache/2.0.63
< Location: http://www.couchtarts.com/media.php
< Content-Length: 243
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
</body></html>
* Closing connection #0

-DMM

> -----Original Message-----
> From: Jeremy Hanmer [mailto:jer...@hq.newdream.net]
> Sent: Tuesday, June 26, 2012 9:59 PM
> To: Matthew Black
> Cc: nanog@nanog.org
> Subject: Re: DNS poisoning at Google?
>
> It's not DNS. If you're sure there's no htaccess files in place, check your
> content (even that stored in a database) for anything that might be altering
> data based on referrer. This simple test shows what I mean:
>
> Airy:~ user$ curl -e 'http://google.com' csulb.edu
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>301 Moved Permanently</title>
> </head><body>
> <h1>Moved Permanently</h1>
> <p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
> </body></html>
>
> Running curl without the -e argument gives the proper site contents.
>
> On Jun 26, 2012, at 9:35 PM, Matthew Black <matthew.bl...@csulb.edu> wrote:
>
>> Yes, we've used the Google Webmaster Tools a lot today. Submitted multiple
>> requests and they keep insisting that our site issues a redirect. Unable to
>> duplicate the problem here.
>>
>> matthew black
>> information technology services
>> california state university, long beach
>>
>> From: Ishmael Rufus [mailto:sakam...@gmail.com]
>> Sent: Tuesday, June 26, 2012 9:34 PM
>> To: Matthew Black
>> Cc: David Hubbard; nanog@nanog.org
>> Subject: Re: DNS poisoning at Google?
>>
>> Have you tried using Google Webmaster tools?
>>
>> On Tue, Jun 26, 2012 at 11:28 PM, Matthew Black
>> <matthew.bl...@csulb.edu> wrote:
>> Running Apache on three Solaris servers behind a load balancer.
>>
>> I forgot how to lookup our AS number to see if it matches couchtarts.
>>
>> matthew black
>> information technology services
>> california state university, long beach
>>
>> -----Original Message-----
>> From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com]
>> Sent: Tuesday, June 26, 2012 9:14 PM
>> To: nanog@nanog.org
>> Subject: RE: DNS poisoning at Google?
>>
>> Typically if google were pulling your site sometimes from the wrong IP,
>> their safe browsing page should indicate it being on another AS number in
>> addition to the correct one 2152:
>>
>> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.csulb.edu
>>
>> For example, the couchtarts site they claim yours is redirecting to:
>>
>> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.couchtarts.com
>>
>> That site's DNS is screwed up and some requests are sent to a different IP
>> at a different host, so Google picked up both AS numbers.
>>
>> Could one of your domain's subdomains be what is actually infected? You
>> seem to have a bunch of them, maybe google is penalizing the whole domain
>> over a subdomain? Not sure if they do that or not.
>>
>> If your sites are running off of an application like wordpress, etc., you
>> may not get the same page that google gets and the application may have been
>> hacked.
>>
>> Here's a wget command you can use to make requests to your site pretending
>> to be google:
>>
>> wget -c \
>>   --user-agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" \
>>   --output-document=googlebot.html 'http://www.csulb.edu'
>>
>> nanog will probably line wrap that user agent line making it not correct so
>> you'll have to put it back together correctly. It will save the output to a
>> file named googlebot.html you can look at to see if anything weird ends up
>> being served.
>>
>> David
>>
>>> -----Original Message-----
>>> From: Matthew Black [mailto:matthew.bl...@csulb.edu]
>>> Sent: Tuesday, June 26, 2012 11:53 PM
>>> To: nanog@nanog.org
>>> Subject: DNS poisoning at Google?
>>>
>>> Google Safe Browsing and Firefox have marked our website as
>>> containing malware. They claim our home page returns no results, but
>>> redirects users to another compromised website couchtarts.com.
>>>
>>> We have thoroughly examined our root .htaccess and httpd.conf files
>>> and are not redirecting to the problem target site. No recent changes
>>> either.
>>>
>>> We ran some NSLOOKUPs against various public DNS servers and
>>> intermittently get results that are NOT our servers.
>>>
>>> We believe the DNS servers used by Google's crawler have been
>>> poisoned.
>>>
>>> Can anyone shed some light on this?
>>>
>>> matthew black
>>> information technology services
>>> california state university, long beach
>>> www.csulb.edu
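
Added example, not part of the original thread or any poster's code: the curl -e and wget --user-agent checks above turned into one repeatable test that requests a page plainly, with a Google Referer, and with the Googlebot User-Agent, and reports any variant the server answers differently. The local test server, the redirect-target.example placeholder and all function names are constructed for the illustration; only plain HTTP is handled.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
# Baseline request plus the two disguises used in the thread (curl -e, wget --user-agent).
VARIANTS = {"plain": {},
            "google-referer": {"Referer": "http://google.com"},
            "googlebot-ua": {"User-Agent": GOOGLEBOT_UA}}

def probe(url, headers):
    """Send one plain-HTTP GET without following redirects; return (status, Location)."""
    u = urlsplit(url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=10)
    try:
        conn.request("GET", u.path or "/", headers=headers)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def find_cloaking(url):
    """Return {variant: (status, Location)} for each variant answered differently from plain."""
    baseline = probe(url, VARIANTS["plain"])
    answers = {n: probe(url, h) for n, h in VARIANTS.items() if n != "plain"}
    return {n: a for n, a in answers.items() if a != baseline}

class ConstructedSite(BaseHTTPRequestHandler):
    """Constructed local stand-in: redirects only requests referred by Google."""
    def do_GET(self):
        referred = "google." in self.headers.get("Referer", "")
        self.send_response(301 if referred else 200)
        if referred:
            self.send_header("Location", "http://redirect-target.example/")  # placeholder
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):  # keep the demo quiet
        pass

def start_constructed_site():
    """Start the constructed site on a free localhost port and return the server object."""
    server = HTTPServer(("127.0.0.1", 0), ConstructedSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    srv = start_constructed_site()
    print(find_cloaking("http://127.0.0.1:%d/" % srv.server_address[1]))
    srv.shutdown()
```

An empty result means all three requests got the same status and Location; a non-empty one names the header that triggers the different answer, which is the condition to look for in rewrite rules and application content.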