Google Safe Browsing and Firefox have marked our website as containing malware.
They claim our home page returns no results, but redirects users to another
compromised website couchtarts.com.
We have thoroughly examined our root .htaccess and httpd.conf files and are not
redirecting to the prob
Accidentally sent that to Matthew only,
mind sharing the domain name?
On Tue, Jun 26, 2012 at 11:53 PM, Matthew Black wrote:
> Google Safe Browsing and Firefox have marked our website as containing
> malware. They claim our home page returns no results, but redirects users to
> another comprom
Is it possible that some malicious software is listening and injecting a
redirect on the wire? We've seen this before with a Windows machine being
infected.
On 26 June 2012 20:53, Matthew Black wrote:
> Google Safe Browsing and Firefox have marked our website as containing
> malware. They claim
I'm glad I'm not the only one that missed this one:
http://www.csulb.edu
It is in his signature and email address as well ;)
On Tue, Jun 26, 2012 at 11:04 PM, Sadiq Saif wrote:
> Accidentally sent that to Matthew only,
>
> mind sharing the domain name?
>
> On Tue, Jun 26, 2012 at 11:53 PM, Mat
I am also getting the same issue when accessing his website.
On Tue, Jun 26, 2012 at 11:07 PM, Landon Stewart wrote:
> Is it possible that some malicious software is listening and injecting a
> redirect on the wire? We've seen this before with a Windows machine being
> infected.
>
> On 26 June 2
On Jun 26, 2012, at 9:07 PM, Ishmael Rufus wrote:
> I'm glad I'm not the only one that missed this one:
>
> http://www.csulb.edu
>
> It is in his signature and email address as well ;)
The queries do seem to be taking a number of seconds, though, as opposed to
being nearly instant when I refere
Original Message-
> From: Matthew Black [mailto:matthew.bl...@csulb.edu]
> Sent: Tuesday, June 26, 2012 11:53 PM
> To: nanog@nanog.org
> Subject: DNS poisoning at Google?
>
> Google Safe Browsing and Firefox have marked our website as
> containing malware. They claim our home page r
DNS seems to check out from here. Tested against Google DNS, OpenDNS
and Linode's DNS servers.
According to Google:
"Malicious software is hosted on 1 domain(s), including couchtarts.com/."
Normally, I would say this happens due to malicious ads loaded but
this does not seem to be a site that wil
On Jun 26, 2012, at 10:53 PM, Matthew Black wrote:
> Google Safe Browsing and Firefox have marked our website as containing
> malware. They claim our home page returns no results, but redirects users to
> another compromised website couchtarts.com.
>
> We have thoroughly examined our root .hta
Stewart [mailto:lstew...@superb.net]
Sent: Tuesday, June 26, 2012 9:07 PM
To: Matthew Black
Cc: nanog@nanog.org
Subject: Re: DNS poisoning at Google?
Is it possible that some malicious software is listening and injecting a
redirect on the wire? We've seen this before with a Windows machine
...@dino.hostasaurus.com]
Sent: Tuesday, June 26, 2012 9:14 PM
To: nanog@nanog.org
Subject: RE: DNS poisoning at Google?
Typically if google were pulling your site sometimes from the wrong IP, their
safe browsing page should indicate it being on another AS number in addition to
the correct one 2152:
http
echnology services
> california state university, long beach
>
>
> -Original Message-
> From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com]
> Sent: Tuesday, June 26, 2012 9:14 PM
> To: nanog@nanog.org
> Subject: RE: DNS poisoning at Google?
>
> Typically if
; matthew black
> information technology services
> california state university, long beach
>
>
> -Original Message-
> From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com]
> Sent: Tuesday, June 26, 2012 9:14 PM
> To: nanog@nanog.org
> Subject: RE: DNS poisoni
[mailto:sakam...@gmail.com]
Sent: Tuesday, June 26, 2012 9:34 PM
To: Matthew Black
Cc: David Hubbard; nanog@nanog.org
Subject: Re: DNS poisoning at Google?
Have you tried using Google Webmaster tools?
On Tue, Jun 26, 2012 at 11:28 PM, Matthew Black <matthew.bl...@csulb.edu> wrote:
Running Apa
On Jun 26, 2012, at 9:35 PM, Matthew Black wrote:
> Yes, we’ve used the Google Webmaster Tools a lot today. Submitted multiple
> requests and they keep insisting that our site issues a redirect. Unable to
> duplicate the problem here.
… have you consulted the logs?
If the redirect is there, it
]
> Sent: Tuesday, June 26, 2012 9:34 PM
> To: Matthew Black
> Cc: David Hubbard; nanog@nanog.org
> Subject: Re: DNS poisoning at Google?
>
> Have you tried using Google Webmaster tools?
> On Tue, Jun 26, 2012 at 11:28 PM, Matthew Black
> mailto:matthew.bl...@csulb.edu>&
.
matthew black
information technology services
california state university, long beach
-Original Message-
From: Michael J Wise [mailto:mjw...@kapu.net]
Sent: Tuesday, June 26, 2012 9:56 PM
To: Matthew Black
Cc: nanog@nanog.org
Subject: Re: DNS poisoning at Google?
On Jun 26, 2012, at 9
long beach
-Original Message-
From: Jeremy Hanmer [mailto:jeremy.han...@dreamhost.com]
Sent: Tuesday, June 26, 2012 9:58 PM
To: Matthew Black
Cc: nanog@nanog.org
Subject: Re: DNS poisoning at Google?
It's not DNS. If you're sure there's no htaccess files in place, check
On 06/26/2012 11:05 PM, Matthew Black wrote:
Google Webtools reports a problem with our HOMEPAGE "/". That page is not
redirecting anywhere.
They also report problems with some 48 other primary sites, none of which
redirect to the offending couchtarts.
Except it is redirecting as shown by Jer
--Original Message-
From: Jeremy Hanmer [mailto:jer...@hq.newdream.net]
Sent: Tuesday, June 26, 2012 9:59 PM
To: Matthew Black
Cc: nanog@nanog.org
Subject: Re: DNS poisoning at Google?
It's not DNS. If you're sure there's no htaccess files in place, check your
content (even that
itor comes in from a
google search.
> -Original Message-
> From: Matthew Black [mailto:matthew.bl...@csulb.edu]
> Sent: Wednesday, June 27, 2012 1:03 AM
> To: Michael J Wise
> Cc: nanog@nanog.org
> Subject: RE: DNS poisoning at Google?
>
> Q:have you consulte
>
>
>
>
>
> -Original Message-
> From: Jeremy Hanmer [mailto:jeremy.han...@dreamhost.com]
> Sent: Tuesday, June 26, 2012 9:58 PM
> To: Matthew Black
> Cc: nanog@nanog.org
> Subject: Re: DNS poisoning at Google?
>
> It's not DNS. If you're sure there
redirect to the offending couchtarts.
>>
>> matthew black
>> information technology services
>> california state university, long beach
>>
>>
>>
>>
>>
>> -Original Message-
>> From: Jeremy Hanmer [mailto:jeremy.han...@dreamhost.c
Original Message-
> From: Jeremy Hanmer [mailto:jer...@hq.newdream.net]
> Sent: Tuesday, June 26, 2012 9:59 PM
> To: Matthew Black
> Cc: nanog@nanog.org
> Subject: Re: DNS poisoning at Google?
>
> It's not DNS. If you're sure there's no htaccess files in
--Original Message-
>> From: Matthew Black [mailto:matthew.bl...@csulb.edu]
>> Sent: Wednesday, June 27, 2012 1:03 AM
>> To: Michael J Wise
>> Cc: nanog@nanog.org
>> Subject: RE: DNS poisoning at Google?
>>
>> Q:have you consulted the logs?
>>
>>
2 10:17 PM
To: Ishmael Rufus
Cc: Matthew Black; nanog@nanog.org; Jeremy Hanmer
Subject: Re: DNS poisoning at Google?
for example, from the commandline with telnet:
morrowc@teensy:~$ telnet www.csulb.edu 80
Trying 134.139.1.60...
Connected to gaggle.its.csulb.edu.
Escape character is '^]'.
In article
you
write:
>I'm not familiar with curl and don't understand what I type and what are
>results. Are you suggesting that when
>google refers to our website, we pick that up and redirect to couchtarts?
curl is a command line www client that's worth knowing about.
And I observe the sam
alifornia state university, long beac
>
> -Original Message-
> From: christopher.mor...@gmail.com [mailto:christopher.mor...@gmail.com] On
> Behalf Of Christopher Morrow
> Sent: Tuesday, June 26, 2012 10:17 PM
> To: Ishmael Rufus
> Cc: Matthew Black; nanog@nanog.org; Jeremy
: Matthew Black
Subject: Re: DNS poisoning at Google?
In article
you
write:
>I'm not familiar with curl and don't understand what I type and what
>are results. Are you suggesting that when google refers to our website, we
>pick that up and redirect to couchtarts?
curl i
matthew black
> information technology services
> california state university, long beach
>
>
>
>
>
> -Original Message-
> From: Jeremy Hanmer [mailto:jeremy.han...@dreamhost.com]
> Sent: Tuesday, June 26, 2012 9:58 PM
> To: Matthew Black
> Cc: nanog@nanog.o
atthew Black
Cc: nanog@nanog.org
Subject: Re: DNS poisoning at Google?
It's not DNS. If you're sure there's no htaccess files in place, check your
content (even that stored in a database) for anything that might be altering
data based on referrer. This simpl
ouring for that hidden redirect to couchtarts.
>
> matthew black
> information technology services
> california state university, long beach
>
>
>
> From: Landon Stewart [mailto:lstew...@superb.net]
> Sent: Tuesday, June 26, 2012 10:37 PM
> To: Matthew Black
> Cc: Je
ck
> > information technology services
> > california state university, long beach
> >
> >
> >
> >
> >
> > -Original Message-
> > From: Jeremy Hanmer [mailto:jeremy.han...@dreamhost.com]
> > Sent: Tuesday, June 26, 2012 9:58 PM
> > To: Matt
tate university, long beach
>
> From: Grant Ridder [mailto:shortdudey...@gmail.com]
> Sent: Tuesday, June 26, 2012 10:53 PM
> To: Matthew Black
> Cc: Landon Stewart; nanog@nanog.org; Jeremy Hanmer
>
> Subject: Re: DNS poisoning at Google?
>
&g
Hanmer
Subject: Re: DNS poisoning at Google?
It also redirects with facebook, youtube, and ebay but NOT amazon.
-Grant
On Wed, Jun 27, 2012 at 12:57 AM, Matthew Black <matthew.bl...@csulb.edu> wrote:
Our web lead was able to run curl. Thanks.
matthew black
information technology se
ity, long beach
>
> From: Grant Ridder [mailto:shortdudey...@gmail.com]
> Sent: Tuesday, June 26, 2012 11:02 PM
> To: Matthew Black; nanog@nanog.org
> Cc: Jeremy Hanmer
> Subject: Re: DNS poisoning at Google?
>
> It also redirects with facebook, youtube, and ebay but NOT
Ahh, but how did it get there in the first place. Matthew, meet can of worms. I
presume you have an opener.
--
ian
-Original Message-
From: Matthew Black
Sent: 27/06/2012, 08:07
To: Grant Ridder; nanog@nanog.org
Cc: Jeremy Hanmer
Subject: RE: DNS poisoning at Google?
We found the
: Tuesday, June 26, 2012 11:02 PM
> > To: Matthew Black; nanog@nanog.org
> > Cc: Jeremy Hanmer
> > Subject: Re: DNS poisoning at Google?
> >
> > It also redirects with facebook, youtube, and ebay but NOT amazon.
> >
> > -Grant
> >
> > On
On Jun 27, 2012, at 12:06 AM, Matthew Black wrote:
> We found the aberrant .htaccess file and have removed it. What a mess!
Trusting you carefully noted the date/time stamp before removing it, as that's
an important bit of forensics.
Aloha,
Michael.
--
"Please have your Internet License
On Jun 27, 2012, at 3:36 AM, Michael J Wise wrote:
>
> On Jun 27, 2012, at 12:06 AM, Matthew Black wrote:
>
>> We found the aberrant .htaccess file and have removed it. What a mess!
>
>
> Trusting you carefully noted the date/time stamp before removing it, as
> that's an important bit of for
This may not help Matt now, but I just came across this today and
believe it may help others who have to deal with incidents:
http://cert.societegenerale.com/en/publications.html --> "IRM (Incident
Response Methodologies)"
If you changed the file contents before noting the created date,
mod
:37 AM
To: nanog@nanog.org
Subject: Re: DNS poisoning at Google?
On Jun 27, 2012, at 12:06 AM, Matthew Black wrote:
> We found the aberrant .htaccess file and have removed it. What a mess!
Trusting you carefully noted the date/time stamp before removing it, as that's
an importan
On Wed, Jun 27, 2012 at 9:48 AM, Matthew Black wrote:
> Yes, we did that and also noted the username and IP address from where the
> FTP upload originated.
It came from an FTP upload? Why I outta ... ;-)
On Wed, Jun 27, 2012 at 03:53:17AM +,
Matthew Black wrote
a message of 18 lines which said:
> We believe the DNS servers used by Google's crawler have been poisoned.
[After reading the whole thread and discovering that Google was indeed
right.]
What made you think it can be a DNS cache p
On Wed, Jun 27, 2012 at 10:50 AM, Stephane Bortzmeyer wrote:
> What made you think it can be a DNS cache poisoning (a very rare
> event, despite what the media say) when there are many much more
> realistic possibilities (specially for a Web site written in
> PHP)?
>
> What was the evidence pointing
It was not a DNS issue, but it was a clear case of how community support helped.
Some of us may even learn some new tricks. :)
Regards,
as
Sent from mobile device. Excuse brevity and typos.
On 27 Jun 2012, at 05:07, Daniel Rohan wrote:
> On Wed, Jun 27, 2012 at 10:50 AM, Stephane Bortzmeyer
What would be nice is to see the contents of the htaccess file
(obviously with sensitive information excluded)
On Wed, Jun 27, 2012 at 10:14:12AM -0300, Arturo Servin wrote:
>
> It was not a DNS issue, but it was a clear case of how community support helped.
>
> Some of us may even learn some
On Jun 27, 2012, at 9:26 AM, Jason Hellenthal wrote:
>
> What would be nice is to see the contents of the htaccess file
> (obviously with sensitive information excluded)
I cleaned up compromises similar to this in a customer site fairly recently.
In our case it was the same exact behavi
On Jun 27, 2012, at 10:10 AM, Ryan Rawdon wrote:
>
>
> On Jun 27, 2012, at 9:26 AM, Jason Hellenthal wrote:
>
>>
>> What would be nice is to see the contents of the htaccess file
>> (obviously with sensitive information excluded)
>
>
> I cleaned up compromises similar to this in a custo
university, long beach
-Original Message-
From: Jason Hellenthal [mailto:jhellent...@dataix.net]
Sent: Wednesday, June 27, 2012 6:26 AM
To: Arturo Servin
Cc: nanog@nanog.org
Subject: Re: No DNS poisoning at Google (in case of trouble, blame the DNS)
What would be nice is to see the
california state university, long beach
-Original Message-
From: Matthew Black [mailto:matthew.bl...@csulb.edu]
Sent: Wednesday, June 27, 2012 9:52 AM
To: 'Jason Hellenthal'; Arturo Servin
Cc: nanog@nanog.org
Subject: RE: No DNS poisoning at Google (in case of trouble, bla
information technology services
california state university, long beach
-Original Message-
From: Jason Hellenthal [mailto:jhellent...@dataix.net]
Sent: Wednesday, June 27, 2012 6:26 AM
To: Arturo Servin
Cc: nanog@nanog.org
Subject: Re: No DNS poisoning at Google (in case of trouble, blame the
On 27 June 2012 09:50, Stephane Bortzmeyer wrote:
>(specially for a Web site written in
> PHP)?
>
We software makers have a problem, when a customer asks for an
application, often there's a web project that already does it (for the
most part is a round peg on a round hole). So a natural solution is
On 28 Jun 2012, at 08:05, Tei wrote:
> On 27 June 2012 09:50, Stephane Bortzmeyer wrote:
>> (specially for a Web site written in
>> PHP)?
>>
>
> We software makers have a problem, when a customer asks for an
> application, often there's a web project that already does it (for the
> most part is a
On 28 June 2012 14:48, Arturo Servin wrote:
...
>
> Think about sql injection, they are not only to specific platforms but
> to general bad programming practices.
If you are already a good programmer, writing code that is safe
against sql injections is trivial. So it is not a real problem,
On 6/28/2012 6:05 AM, Tei wrote:
If you use these projects that already do 99% of what the customer
needs, plus 120% the customer does not need (and perhaps doesn't want). The
code quality will normally be good, with **horrible** exceptions.
But sooner or later, (weeks) there will be exploits for
niversity, long beach
>
>
>
> -Original Message-
> From: Matthew Black [mailto:matthew.bl...@csulb.edu]
> Sent: Wednesday, June 27, 2012 9:52 AM
> To: 'Jason Hellenthal'; Arturo Servin
> Cc: nanog@nanog.org
> Subject: RE: No DNS poisoning at Google (in
h speed internet access to 100 Percent of Southern Utah. We are
>> located in St George, Utah.
>>
>>
>>
>>
>> matthew black
>> information technology services
>> california state university, long beach
>>
>>
>>
>> -Original