On Wed, Jun 27, 2012 at 9:48 AM, Matthew Black wrote:
> Yes, we did that and also noted the username and IP address from where the
> FTP upload originated.
It came from an FTP upload? Why I outta ... ;-)
:37 AM
To: nanog@nanog.org
Subject: Re: DNS poisoning at Google?
On Jun 27, 2012, at 12:06 AM, Matthew Black wrote:
> We found the aberrant .htaccess file and have removed it. What a mess!
Trusting you carefully noted the date/time stamp before removing it, as that's
an importan
This may not help Matt now, but I just came across this today and
believe it may help others who have to deal with incidents:
http://cert.societegenerale.com/en/publications.html --> "IRM (Incident
Response Methodologies)"
If you changed the file contents before noting the created date,
mod
On Jun 27, 2012, at 3:36 AM, Michael J Wise wrote:
>
> On Jun 27, 2012, at 12:06 AM, Matthew Black wrote:
>
>> We found the aberrant .htaccess file and have removed it. What a mess!
>
>
> Trusting you carefully noted the date/time stamp before removing it, as
> that's an important bit of for
On Jun 27, 2012, at 12:06 AM, Matthew Black wrote:
> We found the aberrant .htaccess file and have removed it. What a mess!
Trusting you carefully noted the date/time stamp before removing it, as that's
an important bit of forensics.
Aloha,
Michael.
--
"Please have your Internet License
: Tuesday, June 26, 2012 11:02 PM
> > To: Matthew Black; nanog@nanog.org
> > Cc: Jeremy Hanmer
> > Subject: Re: DNS poisoning at Google?
> >
> > It also redirects with facebook, youtube, and ebay but NOT amazon.
> >
> > -Grant
> >
> > On
Ahh, but how did it get there in the first place. Matthew, meet can of worms. I
presume you have an opener.
--
ian
-Original Message-
From: Matthew Black
Sent: 27/06/2012, 08:07
To: Grant Ridder; nanog@nanog.org
Cc: Jeremy Hanmer
Subject: RE: DNS poisoning at Google?
We found the
ity, long beach
>
> From: Grant Ridder [mailto:shortdudey...@gmail.com]
> Sent: Tuesday, June 26, 2012 11:02 PM
> To: Matthew Black; nanog@nanog.org
> Cc: Jeremy Hanmer
> Subject: Re: DNS poisoning at Google?
>
> It also redirects with facebook, youtube, and ebay but NOT
Hanmer
Subject: Re: DNS poisoning at Google?
It also redirects with facebook, youtube, and ebay but NOT amazon.
-Grant
On Wed, Jun 27, 2012 at 12:57 AM, Matthew Black
mailto:matthew.bl...@csulb.edu>> wrote:
Our web lead was able to run curl. Thanks.
matthew black
information technology se
tate university, long beach
>
>
>
> *From:* Grant Ridder [mailto:shortdudey...@gmail.com]
> *Sent:* Tuesday, June 26, 2012 10:53 PM
> *To:* Matthew Black
> *Cc:* Landon Stewart; nanog@nanog.org; Jeremy Hanmer
>
> *Subject:* Re: DNS poisoning at Google?
>
>
ck
> > information technology services
> > california state university, long beach
> >
> >
> >
> >
> >
> > -Original Message-
> > From: Jeremy Hanmer [mailto:jeremy.han...@dreamhost.com]
> > Sent: Tuesday, June 26, 2012 9:58 PM
> > To: Matt
ouring for that hidden redirect to couchtarts.
>
> matthew black
> information technology services
> california state university, long beach
>
>
>
> From: Landon Stewart [mailto:lstew...@superb.net]
> Sent: Tuesday, June 26, 2012 10:37 PM
> To: Matthew Black
> Cc: Je
atthew Black
Cc: nanog@nanog.org<mailto:nanog@nanog.org>
Subject: Re: DNS poisoning at Google?
It's not DNS. If you're sure there's no htaccess files in place, check your
content (even that stored in a database) for anything that might be altering
data based on referrer. This simpl
matthew black
> information technology services
> california state university, long beach
>
>
>
>
>
> -Original Message-
> From: Jeremy Hanmer [mailto:jeremy.han...@dreamhost.com]
> Sent: Tuesday, June 26, 2012 9:58 PM
> To: Matthew Black
> Cc: nanog@nanog.o
: Matthew Black
Subject: Re: DNS poisoning at Google?
In article
you
write:
>I'm not familiar with curl and don't understand what I type and what
>are results. Are you suggesting that when google refers to our website, we
>pick that up and redirect to couchtarts?
curl i
alifornia state university, long beac
>
> -Original Message-
> From: christopher.mor...@gmail.com [mailto:christopher.mor...@gmail.com] On
> Behalf Of Christopher Morrow
> Sent: Tuesday, June 26, 2012 10:17 PM
> To: Ishmael Rufus
> Cc: Matthew Black; nanog@nanog.org; Jeremy
In article
you
write:
>I'm not familiar with curl and don't understand what I type and what are
>results. Are you suggesting that when
>google refers to our website, we pick that up and redirect to couchtarts?
curl is a command line www client that's worth knowing about.
And I observe the sam
2 10:17 PM
To: Ishmael Rufus
Cc: Matthew Black; nanog@nanog.org; Jeremy Hanmer
Subject: Re: DNS poisoning at Google?
for example, from the commandline with telnet:
morrowc@teensy:~$ telnet www.csulb.edu 80
Trying 134.139.1.60...
Connected to gaggle.its.csulb.edu.
Escape character is '^]'.
--Original Message-
>> From: Matthew Black [mailto:matthew.bl...@csulb.edu]
>> Sent: Wednesday, June 27, 2012 1:03 AM
>> To: Michael J Wise
>> Cc: nanog@nanog.org
>> Subject: RE: DNS poisoning at Google?
>>
>> Q: have you consulted the logs?
>>
>>
Original Message-----
> From: Jeremy Hanmer [mailto:jer...@hq.newdream.net]
> Sent: Tuesday, June 26, 2012 9:59 PM
> To: Matthew Black
> Cc: nanog@nanog.org
> Subject: Re: DNS poisoning at Google?
>
> It's not DNS. If you're sure there's no htaccess files in
redirect to the offending couchtarts.
>>
>> matthew black
>> information technology services
>> california state university, long beach
>>
>>
>>
>>
>>
>> -Original Message-
>> From: Jeremy Hanmer [mailto:jeremy.han...@dreamhost.c
>
>
>
>
>
> -Original Message-
> From: Jeremy Hanmer [mailto:jeremy.han...@dreamhost.com]
> Sent: Tuesday, June 26, 2012 9:58 PM
> To: Matthew Black
> Cc: nanog@nanog.org
> Subject: Re: DNS poisoning at Google?
>
> It's not DNS. If you're sure there
itor comes in from a
google search.
> -Original Message-
> From: Matthew Black [mailto:matthew.bl...@csulb.edu]
> Sent: Wednesday, June 27, 2012 1:03 AM
> To: Michael J Wise
> Cc: nanog@nanog.org
> Subject: RE: DNS poisoning at Google?
>
> Q: have you consulte
--Original Message-
From: Jeremy Hanmer [mailto:jer...@hq.newdream.net]
Sent: Tuesday, June 26, 2012 9:59 PM
To: Matthew Black
Cc: nanog@nanog.org
Subject: Re: DNS poisoning at Google?
It's not DNS. If you're sure there's no htaccess files in place, check your
content (even that
On 06/26/2012 11:05 PM, Matthew Black wrote:
Google Webtools reports a problem with our HOMEPAGE "/". That page is not
redirecting anywhere.
They also report problems with some 48 other primary sites, none of which
redirect to the offending couchtarts.
Except it is redirecting as shown by Jer
long beach
-Original Message-
From: Jeremy Hanmer [mailto:jeremy.han...@dreamhost.com]
Sent: Tuesday, June 26, 2012 9:58 PM
To: Matthew Black
Cc: nanog@nanog.org
Subject: Re: DNS poisoning at Google?
It's not DNS. If you're sure there's no htaccess files in place, check
.
matthew black
information technology services
california state university, long beach
-Original Message-
From: Michael J Wise [mailto:mjw...@kapu.net]
Sent: Tuesday, June 26, 2012 9:56 PM
To: Matthew Black
Cc: nanog@nanog.org
Subject: Re: DNS poisoning at Google?
On Jun 26, 2012, at 9
]
> Sent: Tuesday, June 26, 2012 9:34 PM
> To: Matthew Black
> Cc: David Hubbard; nanog@nanog.org
> Subject: Re: DNS poisoning at Google?
>
> Have you tried using Google Webmaster tools?
> On Tue, Jun 26, 2012 at 11:28 PM, Matthew Black
> mailto:matthew.bl...@csulb.edu>>
On Jun 26, 2012, at 9:35 PM, Matthew Black wrote:
> Yes, we’ve used the Google Webmaster Tools a lot today. Submitted multiple
> requests and they keep insisting that our site issues a redirect. Unable to
> duplicate the problem here.
… have you consulted the logs?
If the redirect is there, it
[mailto:sakam...@gmail.com]
Sent: Tuesday, June 26, 2012 9:34 PM
To: Matthew Black
Cc: David Hubbard; nanog@nanog.org
Subject: Re: DNS poisoning at Google?
Have you tried using Google Webmaster tools?
On Tue, Jun 26, 2012 at 11:28 PM, Matthew Black
mailto:matthew.bl...@csulb.edu>> wrote:
Running Apa
> matthew black
> information technology services
> california state university, long beach
>
>
> -Original Message-
> From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com]
> Sent: Tuesday, June 26, 2012 9:14 PM
> To: nanog@nanog.org
> Subject: RE: DNS poisoni
echnology services
> california state university, long beach
>
>
> -Original Message-
> From: David Hubbard [mailto:dhubb...@dino.hostasaurus.com]
> Sent: Tuesday, June 26, 2012 9:14 PM
> To: nanog@nanog.org
> Subject: RE: DNS poisoning at Google?
>
> Typically if
...@dino.hostasaurus.com]
Sent: Tuesday, June 26, 2012 9:14 PM
To: nanog@nanog.org
Subject: RE: DNS poisoning at Google?
Typically if google were pulling your site sometimes from the wrong IP, their
safe browsing page should indicate it being on another AS number in addition to
the correct one 2152:
http
Stewart [mailto:lstew...@superb.net]
Sent: Tuesday, June 26, 2012 9:07 PM
To: Matthew Black
Cc: nanog@nanog.org
Subject: Re: DNS poisoning at Google?
Is it possible that some malicious software is listening and injecting a
redirect on the wire? We've seen this before with a Windows machine
On Jun 26, 2012, at 10:53 PM, Matthew Black wrote:
> Google Safe Browsing and Firefox have marked our website as containing
> malware. They claim our home page returns no results, but redirects users to
> another compromised website couchtarts.com.
>
> We have thoroughly examined our root .hta
DNS seems to check out from here. Tested against Google DNS, OpenDNS
and Linode's DNS servers.
According to Google:
"Malicious software is hosted on 1 domain(s), including couchtarts.com/."
Normally, I would say this happens due to malicious ads loaded but
this does not seem to be a site that wil
Typically if google were pulling your site sometimes from the
wrong IP, their safe browsing page should indicate it being
on another AS number in addition to the correct one 2152:
http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.csulb.edu
For example, the couchtarts
On Jun 26, 2012, at 9:07 PM, Ishmael Rufus wrote:
> I'm glad I'm not the only one that missed this one:
>
> http://www.csulb.edu
>
> It is in his signature and email address as well ;)
The queries do seem to be taking a number of seconds, though, as opposed to
being nearly instant when I refere
I am also getting the same issue when accessing his website.
On Tue, Jun 26, 2012 at 11:07 PM, Landon Stewart wrote:
> Is it possible that some malicious software is listening and injecting a
> redirect on the wire? We've seen this before with a Windows machine being
> infected.
>
> On 26 June 2
I'm glad I'm not the only one that missed this one:
http://www.csulb.edu
It is in his signature and email address as well ;)
On Tue, Jun 26, 2012 at 11:04 PM, Sadiq Saif wrote:
> Accidentally sent that to Matthew only,
>
> mind sharing the domain name?
>
> On Tue, Jun 26, 2012 at 11:53 PM, Mat
Is it possible that some malicious software is listening and injecting a
redirect on the wire? We've seen this before with a Windows machine being
infected.
On 26 June 2012 20:53, Matthew Black wrote:
> Google Safe Browsing and Firefox have marked our website as containing
> malware. They claim
Accidentally sent that to Matthew only,
mind sharing the domain name?
On Tue, Jun 26, 2012 at 11:53 PM, Matthew Black wrote:
> Google Safe Browsing and Firefox have marked our website as containing
> malware. They claim our home page returns no results, but redirects users to
> another comprom