• by kstrauser on 5/17/2024, 2:12:03 AM

    Hey, it's me!

    I'd added a new hostname to a long-existing domain. Then I added that hostname as a new virtual host to a Caddy server I've been running for a long time. The requests were to that vhost, i.e. using the `Host: my-new-host.example.com` header, not just running `curl http://1.2.3.4`. They were asking for the brand-new host by name.

    After hashing it out with some friends on Mastodon, I think it's most likely because Caddy acquired a Let's Encrypt cert, those certs are logged[0], and attackers pounce on new hosts as soon as they're in the logs.

    [0]https://letsencrypt.org/docs/ct-logs/
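An added example, not kstrauser's or Caddy's own code, to put numbers on the "pounce on new hosts" claim above: it reads Caddy's JSON access log, groups requests by the `Host` header, reports how many seconds after certificate issuance the first request for each vhost arrived, and tags the well-known probe paths. The log field names (`ts`, `request.remote_ip`, `request.host`, `request.uri`, `status`) are what I remember of Caddy's `http.log.access` output and are an assumption; the log lines and the issuance timestamp are constructed.

```python
import json

# Added example, not kstrauser's or Caddy's code. Field names below are my
# recollection of Caddy's http.log.access JSON output: treat as an assumption.

# Assumed: issuance time of the new host's certificate as a Unix timestamp
# (for example the not_before of its CT log entry).
CERT_ISSUED = {"my-new-host.example.com": 1715904000.0}

# Constructed log lines, not a real capture.
LOG_LINES = [
    '{"ts":1715904012.4,"logger":"http.log.access","request":{"remote_ip":"203.0.113.7","method":"GET","host":"my-new-host.example.com","uri":"/.git/config"},"status":404}',
    '{"ts":1715904013.9,"logger":"http.log.access","request":{"remote_ip":"203.0.113.7","method":"GET","host":"my-new-host.example.com","uri":"/.env"},"status":404}',
    '{"ts":1715904015.0,"logger":"http.log.access","request":{"remote_ip":"198.51.100.21","method":"GET","host":"my-new-host.example.com","uri":"/.DS_Store"},"status":404}',
    '{"ts":1715904300.0,"logger":"http.log.access","request":{"remote_ip":"192.0.2.44","method":"GET","host":"my-new-host.example.com","uri":"/"},"status":200}',
    '{"ts":1715904301.0,"logger":"http.log.access","request":{"remote_ip":"192.0.2.44","method":"GET","host":"old-host.example.com","uri":"/wp-login.php"},"status":404}',
]

# Paths opportunistic scanners ask for because each one leaks something if it
# is served: .git/ (source), .env (secrets), .DS_Store (the file names in a
# directory), WordPress and phpMyAdmin entry points (known-vulnerable software).
PROBE_PREFIXES = ("/.git/", "/.env", "/.DS_Store", "/wp-login.php",
                  "/wp-admin/", "/xmlrpc.php", "/phpmyadmin")


def parse_line(line: str) -> dict:
    rec = json.loads(line)
    req = rec["request"]
    return {"ts": float(rec["ts"]), "ip": req["remote_ip"],
            "host": req["host"].lower(), "uri": req["uri"], "status": rec["status"]}


def is_probe(uri: str) -> bool:
    return uri.startswith(PROBE_PREFIXES)  # str.startswith accepts a tuple


def first_contact(lines: list[str], cert_issued: dict[str, float]) -> dict:
    """Per Host header: first request time and source, hit count, probe paths,
    and seconds between certificate issuance and the first request."""
    report: dict[str, dict] = {}
    for rec in sorted((parse_line(line) for line in lines), key=lambda r: r["ts"]):
        entry = report.setdefault(rec["host"], {"first_ts": rec["ts"],
                                                "first_ip": rec["ip"],
                                                "hits": 0, "probes": []})
        entry["hits"] += 1
        if is_probe(rec["uri"]):
            entry["probes"].append(rec["uri"])
    for host, entry in report.items():
        issued = cert_issued.get(host)
        entry["seconds_after_cert"] = (None if issued is None
                                       else round(entry["first_ts"] - issued, 1))
    return report


if __name__ == "__main__":
    for host, e in first_contact(LOG_LINES, CERT_ISSUED).items():
        print(f"{host}: first hit from {e['first_ip']} "
              f"{e['seconds_after_cert']}s after cert; {e['hits']} hits; probes={e['probes']}")
```

A host that gets its first request, on a freshly issued name, within seconds, from a source that only asks for `.git/config`, `.env` and `.DS_Store`, was found through the log, not through any link; a `None` in `seconds_after_cert` just means the script was not given an issuance time for that host.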

  • by billy99k on 5/17/2024, 3:28:59 AM

    I was working on bug bounty work a few years ago for a large company with lots of subdomains in different parts of the world. I found .git/config on a server and I was able to partially reconstruct the entire git repository.

    This led me to paths that I wouldn't otherwise be able to find and a complete server takeover through remote code execution. One of their developers left test code for a website template and an unrestricted file upload form.
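An added example, not billy99k's tooling, of why a reachable `.git/config` is worth a bounty: once `.git/` is served, a client can walk `HEAD`, the branch ref, the commit, its trees and the blobs, and rebuild source files without any directory listing. Git's loose-object format is public (`zlib(kind + " " + size + "\0" + body)`, named by the SHA-1 of that uncompressed data), so the parser below is the real thing; the "server" is a constructed in-memory dict standing in for `GET https://target/.git/<path>`, and the repository contents (`.env`, `_tmp/upload_test.php`) are hypothetical. Requires Python 3.9+.

```python
import hashlib
import zlib

# Added example, not billy99k's code. `served` stands in for HTTP fetches of
# https://target/.git/<path>; its contents are constructed for the demo.


def git_object(kind: str, body: bytes) -> tuple[str, bytes]:
    """Encode a loose object the way git does: sha1 and zlib of 'kind size\\0body'."""
    raw = f"{kind} {len(body)}\0".encode() + body
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)


def tree_entry(mode: str, name: str, sha_hex: str) -> bytes:
    # A tree entry is 'mode name\0' followed by the 20 raw sha1 bytes.
    return f"{mode} {name}\0".encode() + bytes.fromhex(sha_hex)


def build_exposed_git() -> dict[str, bytes]:
    """Constructed stand-in for an exposed .git/ directory (hypothetical contents)."""
    env_sha, env_obj = git_object("blob", b"DB_PASSWORD=hunter2\n")
    up_sha, up_obj = git_object(
        "blob", b"<?php move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']);\n")
    tmp_sha, tmp_obj = git_object("tree", tree_entry("100644", "upload_test.php", up_sha))
    root_sha, root_obj = git_object(
        "tree", tree_entry("100644", ".env", env_sha) + tree_entry("40000", "_tmp", tmp_sha))
    commit_sha, commit_obj = git_object("commit", (
        f"tree {root_sha}\n"
        "author Dev <dev@example.com> 1700000000 +0000\n"
        "committer Dev <dev@example.com> 1700000000 +0000\n"
        "\nleave template test code lying around\n").encode())
    objects = [(env_sha, env_obj), (up_sha, up_obj), (tmp_sha, tmp_obj),
               (root_sha, root_obj), (commit_sha, commit_obj)]
    served = {f"objects/{sha[:2]}/{sha[2:]}": obj for sha, obj in objects}
    served["config"] = b"[core]\n\trepositoryformatversion = 0\n"
    served["HEAD"] = b"ref: refs/heads/main\n"
    served["refs/heads/main"] = (commit_sha + "\n").encode()
    return served


def read_object(served: dict[str, bytes], sha: str) -> tuple[str, bytes]:
    """Fetch objects/xx/yyyy..., inflate, split the header off, verify the hash."""
    raw = zlib.decompress(served[f"objects/{sha[:2]}/{sha[2:]}"])
    header, body = raw.split(b"\0", 1)
    kind, size = header.decode().split(" ")
    if int(size) != len(body) or hashlib.sha1(raw).hexdigest() != sha:
        raise ValueError(f"corrupt object {sha}")
    return kind, body


def parse_tree(body: bytes) -> list[tuple[str, str, str]]:
    entries, i = [], 0
    while i < len(body):
        nul = body.index(b"\0", i)
        mode, name = body[i:nul].decode().split(" ", 1)
        entries.append((mode, name, body[nul + 1:nul + 21].hex()))
        i = nul + 21
    return entries


def reconstruct(served: dict[str, bytes]) -> dict[str, bytes]:
    """Walk HEAD -> ref -> commit -> tree(s) -> blobs; return path -> content."""
    ref = served["HEAD"].decode().strip().removeprefix("ref: ")
    commit_sha = served[ref].decode().strip()
    kind, commit = read_object(served, commit_sha)
    if kind != "commit":
        raise ValueError("HEAD does not resolve to a commit")
    root_sha = commit.split(b"\n", 1)[0].split(b" ")[1].decode()
    recovered: dict[str, bytes] = {}

    def walk(tree_sha: str, prefix: str) -> None:
        _, tree = read_object(served, tree_sha)
        for mode, name, sha in parse_tree(tree):
            if mode == "40000":              # subdirectory
                walk(sha, prefix + name + "/")
            else:
                recovered[prefix + name] = read_object(served, sha)[1]

    walk(root_sha, "")
    return recovered


if __name__ == "__main__":
    for path, content in reconstruct(build_exposed_git()).items():
        print(path, "->", content.decode().rstrip())
```

This only follows loose objects; a repository that has been packed keeps most history in `.git/objects/pack/*.pack`, which needs a packfile parser, and `HEAD` may point at a ref stored in `packed-refs` rather than under `refs/heads/`. That is why the comment above says "partially". The check on your own hosts is `curl -sI https://host/.git/HEAD` expecting a 403 or 404; in Caddy a `path /.*` matcher with `respond 403` refuses every dotfile path before the file server sees it.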

  • by jmward01 on 5/17/2024, 2:53:50 AM

    What is missing in our society to actually deal with this? I see stories like this and get the impression that it is a foregone conclusion that it is OK for this to be normal. I realize the author isn't saying that, and I appreciate their warning and think it is great they posted this, but where is the call to action to deal with this? And I don't mean we should all just get stronger safeguards. The people doing this type of thing are causing harm on a large scale, so how do we get society to recognize and start really caring about this to the point that it wouldn't be a joke to call some law enforcement agency to tell them you are being hacked?

  • by dilyevsky on 5/17/2024, 2:56:00 AM

    These days certificate transparency logs seem to be a trigger to immediately get slammed with a ton of scanners. Some “legit” commercial (e.g. paloaltonetworks), some Russian/Chinese.

  • by userbinator on 5/17/2024, 2:49:09 AM

    > I created a new hostname in DNS

    > If you’re relying on obscurity

    Presumably the former caused your new hostname to be published for all of the Internet to see? That doesn't sound like obscurity to me.

    I've had a service running on a high port for many years at the same IP. I've seen it get the occasional "knock" from some scanner or bot, but it has been generally quiet. It probably also depends on your IP, as some parts of the Internet are likely scanned far more frequently and aggressively than others.

  • by RGamma on 5/17/2024, 1:20:01 AM

    Put a personal VPS (no domain) online today. Took like 10 seconds for the first ssh login attempts to start. It's toxic out there. I put everything behind wireguard these days.

  • by ta988 on 5/17/2024, 2:52:04 AM

    Yes, that's my experience too: just a few seconds any time I create a certificate with Let's Encrypt.

  • by xyst on 5/17/2024, 2:39:41 AM

    One of these days I’ll set up a honeypot and use a reverse shell technique to backdoor the attacker.

  • by darepublic on 5/17/2024, 3:22:27 AM

    But wouldn't obscurity beat these attacks? I mean, aren't they crafted only to explore common weaknesses and not esoteric, weird, unique setups?

  • by mchenier on 5/17/2024, 4:38:27 AM

    Port knocking may be a first line of defense here, with a port scan attack detector to ban IPs that try to find such ports. See Linux knockd and psad for references. This obscurity doesn’t protect against man-in-the-middle but at least protects from unwanted and opportunistic guests. It also gives more time to indirectly protect from a 0-day on sshd (aka the fiasco that could have been the xz incident).
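An added example of the two mechanisms mchenier combines, written as one decision function over inbound SYNs rather than as knockd's or psad's own code: a per-source knock sequence that must be completed in order and within a timeout before the protected port answers, plus a psad-style counter that bans a source after too many hits on closed ports. The knock sequence, timeouts, threshold and the traffic are all assumed; it works on `(timestamp, source IP, destination port)` tuples so it runs without a packet capture.

```python
from dataclasses import dataclass, field

# Added example of knockd-style port knocking plus a psad-style scan ban.
# Not knockd's or psad's code; ports, timeouts and thresholds are assumed.
KNOCK_SEQUENCE = (7000, 8000, 9000)  # must be hit in this order
PROTECTED_PORT = 22
SEQUENCE_TIMEOUT = 10.0   # seconds allowed between consecutive knocks
OPEN_WINDOW = 30.0        # seconds the protected port stays open after a good sequence
SCAN_THRESHOLD = 5        # closed-port hits from one source before it is banned


@dataclass
class KnockFirewall:
    progress: dict[str, tuple[int, float]] = field(default_factory=dict)  # ip -> (next index, last ts)
    open_until: dict[str, float] = field(default_factory=dict)
    closed_hits: dict[str, int] = field(default_factory=dict)
    banned: set[str] = field(default_factory=set)

    def packet(self, ts: float, ip: str, port: int) -> str:
        """Decide one inbound SYN: 'accept', 'drop', 'open' (sequence completed) or 'ban'."""
        if ip in self.banned:
            return "drop"
        if port == PROTECTED_PORT:
            if self.open_until.get(ip, 0.0) > ts:
                return "accept"
            return self._closed_port_hit(ip)      # sshd is invisible until knocked
        idx, last = self.progress.get(ip, (0, ts))
        if ts - last > SEQUENCE_TIMEOUT:
            idx = 0                               # too slow: start the sequence over
        if port == KNOCK_SEQUENCE[idx]:
            idx += 1
            if idx == len(KNOCK_SEQUENCE):
                self.progress.pop(ip, None)
                self.open_until[ip] = ts + OPEN_WINDOW
                return "open"
            self.progress[ip] = (idx, ts)
            return "drop"                         # knocks themselves are never answered
        self.progress.pop(ip, None)               # any other port resets the sequence
        return self._closed_port_hit(ip)

    def _closed_port_hit(self, ip: str) -> str:
        self.closed_hits[ip] = self.closed_hits.get(ip, 0) + 1
        if self.closed_hits[ip] >= SCAN_THRESHOLD:
            self.banned.add(ip)
            return "ban"
        return "drop"


def simulate(events: list[tuple[float, str, int]]) -> list[str]:
    """Run a list of (ts, src_ip, dst_port) through one firewall, in time order."""
    fw = KnockFirewall()
    return [fw.packet(ts, ip, port) for ts, ip, port in sorted(events)]


if __name__ == "__main__":
    # Constructed traffic: a correct knock, then a port sweep from another source.
    traffic = [(0.0, "203.0.113.5", 7000), (1.0, "203.0.113.5", 8000),
               (2.0, "203.0.113.5", 9000), (3.0, "203.0.113.5", 22),
               (5.0, "192.0.2.77", 21), (5.1, "192.0.2.77", 23), (5.2, "192.0.2.77", 25),
               (5.3, "192.0.2.77", 80), (5.4, "192.0.2.77", 443), (5.5, "192.0.2.77", 22)]
    for ev, verdict in zip(sorted(traffic), simulate(traffic)):
        print(ev, "->", verdict)
```

Two things the simulation makes visible that a knockd config file does not: a sweep that happens to touch the first knock port advances the sequence and is only reset by the next wrong port, so a short sequence of low, commonly scanned ports is weak; and a source that is banned for scanning can never knock again, which is the intended behaviour but also means a misconfigured monitoring host locks itself out.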

  • by robertclaus on 5/17/2024, 2:55:52 AM

    I've also had my hosting provider run those checks to proactively warn me about vulnerabilities.

  • by pronoiac on 5/17/2024, 4:58:39 AM

    I've used https://crt.sh to check my own logged SSL certs before, though it looks like they're seeing issues right now.
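An added example, not crt.sh's code and not kstrauser's or pronoiac's, serving both kstrauser's point that Let's Encrypt issuance lands in public CT logs and pronoiac's habit of checking crt.sh: it parses the JSON crt.sh serves for a query like `https://crt.sh/?q=%25.example.com&output=json` and lists every hostname with the earliest log entry that carried it, then the concrete names that appeared after a given date, which is exactly what a scanner polling the logs acts on. The field names are my recollection of crt.sh's output and are an assumption; the rows are constructed, not a real response.

```python
import json
from datetime import datetime

# Added example, not crt.sh's code. Field names are my recollection of its
# JSON output (assumption); the rows are constructed for the demo.
CRTSH_SAMPLE = json.dumps([
    # one issuance may show up twice: the precertificate and the final certificate
    {"id": 101, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com", "name_value": "example.com\nwww.example.com",
     "entry_timestamp": "2024-03-01T10:00:00.000",
     "not_before": "2024-03-01T09:00:00", "not_after": "2024-05-30T09:00:00"},
    {"id": 102, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com", "name_value": "example.com\nwww.example.com",
     "entry_timestamp": "2024-03-01T10:00:01.000",
     "not_before": "2024-03-01T09:00:00", "not_after": "2024-05-30T09:00:00"},
    {"id": 57, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.example.com", "name_value": "*.example.com\nexample.com",
     "entry_timestamp": "2023-11-20T08:30:00.000",
     "not_before": "2023-11-20T07:30:00", "not_after": "2024-02-18T07:30:00"},
    {"id": 9001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "my-new-host.example.com", "name_value": "my-new-host.example.com",
     "entry_timestamp": "2024-05-16T23:58:10.000",
     "not_before": "2024-05-16T22:58:10", "not_after": "2024-08-14T22:58:10"},
])


def first_logged(raw_json: str) -> dict[str, datetime]:
    """Map every hostname in any SAN list to the earliest log entry that carried it."""
    seen: dict[str, datetime] = {}
    for row in json.loads(raw_json):
        logged = datetime.fromisoformat(row["entry_timestamp"])
        # name_value lists all SANs one per line; precert/final duplicates collapse here
        for name in row["name_value"].split("\n"):
            name = name.strip().lower()
            if name and (name not in seen or logged < seen[name]):
                seen[name] = logged
    return seen


def names_logged_since(raw_json: str, since_iso: str) -> list[str]:
    """Concrete (non-wildcard) hostnames first seen at or after since_iso:
    the list a log-polling scanner would start probing."""
    since = datetime.fromisoformat(since_iso)
    return sorted(name for name, t in first_logged(raw_json).items()
                  if t >= since and not name.startswith("*."))


if __name__ == "__main__":
    for name, t in sorted(first_logged(CRTSH_SAMPLE).items(), key=lambda kv: kv[1]):
        print(f"{t.isoformat()}  {name}")
    print("new since 2024-05-01:", names_logged_since(CRTSH_SAMPLE, "2024-05-01T00:00:00"))
```

The wildcard row is the one way to keep a hostname out of this list: a `*.example.com` certificate logs only the wildcard, so the individual hosts under it never appear, at the cost of the key being valid for all of them.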

  • by abimaelmartell on 5/17/2024, 5:34:39 PM

    I always wondered who is behind these attacks; they don't seem targeted, since they do them on random IPs.

    I did a bunch of DevOps a few years ago at a startup, and whenever I started a new AWS EC2 instance, I started getting requests for WordPress files and other common CMS files.

  • by eqvinox on 5/17/2024, 8:35:28 AM

    How many of these accesses were from source IPs owned by Tencent?

    (this is not a prejudice; >80% of auto-bans my servers are issuing are for Tencent IPs. I should grab some exact numbers at some point.)

  • by randall on 5/17/2024, 2:36:27 AM

    Exact same experience. I happened to look at my logs and was terrified for a minute.

  • by doubloon on 5/17/2024, 2:45:21 AM

    Sometimes I wonder why the internet wound up this way.

    Was there some alternative development path, or is this inherent in the physical network design?

  • by TZubiri on 5/17/2024, 2:51:08 AM

    Imagine falling for that lol

    > having an all purpose 1000kloc http server.
    > serving your source code root
    > not using any permissions system

  • by gmuslera on 5/17/2024, 2:52:47 AM

    Having a webserver listening on IPv4 may get something like that sooner or later. All the time you get vulnerability scanning by different actors with different goals, whether you are aware of it or not.

    With hostnames it is just another layer, one that may have more requirements, but the motivations are similar.

  • by MBCook on 5/17/2024, 3:28:29 AM

    Some of these I get, and they are obvious. Some look like some kind of exploit, maybe?

    And then there’s .DS_Store.

    What’s the point of that? In case you find a Mac to launch more targeted attacks against known bugs? To know if the developer is on a Mac and just copied files without filtering out dot files?