RE: DNS poisoning at Google?

[Matthew Black <Matthew.Black () csulb edu>]

Thank you for that helpful instruction!

curl doesn't work because our webserver is firewalled against outbound traffic. The telnet to port 80 showed me the 
problem. I also didn't understand when output was placed at the end of the command line, instead of starting on the 
next line...that looked like something I was supposed to type.


matthew black
information technology services
california state university, long beac

-----Original Message-----
From: christopher.morrow () gmail com [mailto:christopher.morrow () gmail com] On Behalf Of Christopher Morrow
Sent: Tuesday, June 26, 2012 10:17 PM
To: Ishmael Rufus
Cc: Matthew Black; nanog () nanog org; Jeremy Hanmer
Subject: Re: DNS poisoning at Google?

for example, from the commandline with telnet:

morrowc@teensy:~$ telnet www.csulb.edu 80 Trying 134.139.1.60...
Connected to gaggle.its.csulb.edu.
Escape character is '^]'.
GET / HTTP/1.0
Host: www.csulb.edu
Referer: http://www.google.com/



HTTP/1.1 301 Moved Permanently
Date: Wed, 27 Jun 2012 05:04:04 GMT
Server: Apache/2.0.63
Location: http://www.couchtarts.com/media.php
Content-Length: 243
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a
href="http://www.couchtarts.com/media.php";>here</a>.</p>
</body></html>
Connection closed by foreign host.


oops :( fail.

On Wed, Jun 27, 2012 at 1:13 AM, Ishmael Rufus <sakamura () gmail com> wrote:
> Invoking the referrer on your site recommends a redirect to 
> couchtarts. I agree with Jeremy and Jeff check your htaccess files, 
> conf files and anything that  calls RewriteCond or Rewrite
>
> On Wed, Jun 27, 2012 at 12:05 AM, Matthew Black <Matthew.Black () csulb edu>wrote:
>
> > Google Webtools reports a problem with our HOMEPAGE "/". That page is 
> > not redirecting anywhere.
> > They also report problems with some 48 other primary sites, none of 
> > which redirect to the offending couchtarts.
> >
> > matthew black
> > information technology services
> > california state university, long beach
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: Jeremy Hanmer [mailto:jeremy.hanmer () dreamhost com]
> > Sent: Tuesday, June 26, 2012 9:58 PM
> > To: Matthew Black
> > Cc: nanog () nanog org
> > Subject: Re: DNS poisoning at Google?
> >
> > It's not DNS.  If you're sure there's no htaccess files in place, 
> > check your content (even that stored in a database) for anything that 
> > might be altering data based on referrer.  This simple test shows what I mean:
> >
> > Airy:~ user$ curl -e 'http://google.com&apos; csulb.edu <!DOCTYPE HTML 
> > PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head>
> > <title>301 Moved Permanently</title>
> > </head><body>
> > <h1>Moved Permanently</h1>
> > <p>The document has moved <a 
> > href="http://www.couchtarts.com/media.php
> > ">here</a>.</p>
> > </body></html>
> >
> > Running curl without the -e argument gives the proper site contents.
> >
> > On Jun 26, 2012, at 9:24 PM, Matthew Black <Matthew.Black () csulb edu>
> > wrote:
> >
> > > Running Apache on three Solaris webservers behind a load balancer. 
> > > No MS
> > Windows!
> > > Not sure how malicious software could get between our load balancer 
> > > and
> > Unix servers. Thanks for the tip!
> > > matthew black
> > > information technology services
> > > california state university, long beach
> > >
> > >
> > >
> > > From: Landon Stewart [mailto:lstewart () superb net]
> > > Sent: Tuesday, June 26, 2012 9:07 PM
> > > To: Matthew Black
> > > Cc: nanog () nanog org
> > > Subject: Re: DNS poisoning at Google?
> > >
> > > Is it possible that some malicious software is listening and 
> > > injecting a
> > redirect on the wire?  We've seen this before with a Windows machine 
> > being infected.
> > > On 26 June 2012 20:53, Matthew Black <Matthew.Black () csulb edu<mailto:
> > Matthew.Black () csulb edu>> wrote:
> > > Google Safe Browsing and Firefox have marked our website as 
> > > containing
> > malware. They claim our home page returns no results, but redirects 
> > users to another compromised website couchtarts.com<http://couchtarts.com>.
> > > We have thoroughly examined our root .htaccess and httpd.conf files 
> > > and
> > are not redirecting to the problem target site. No recent changes either.
> > > We ran some NSLOOKUPs against various public DNS servers and
> > intermittently get results that are NOT our servers.
> > > We believe the DNS servers used by Google's crawler have been poisoned.
> > >
> > > Can anyone shed some light on this?
> > >
> > > matthew black
> > > information technology services
> > > california state university, long beach 
> > > www.csulb.edu<http://www.csulb.edu><http://www.csulb.edu>
> > >
> > >
> > >
> > > --
> > > Landon Stewart <LStewart () Superb Net<mailto:LStewart () Superb Net>>
> > > Sr. Administrator
> > > Systems Engineering
> > > Superb Internet Corp - 888-354-6128 x 4199 Web hosting and more 
> > > "Ahead of the Rest":
> > > http://www.superbhosting.net<http://www.superbhosting.net/>