Hey, it's me!

I'd added a new hostname to a long-existing domain. Then I added that hostname as a new virtual host to a Caddy server I've been running for a long time. The requests were to that vhost, i.e. using the `Host: my-new-host.example.com` header, not just running `curl http://1.2.3.4`. They were asking for the brand-new host by name.

After hashing it out with some friends on Mastodon, I think it's most likely because Caddy acquired a Let's Encrypt cert, those certs are logged[0], and attackers pounce on new hosts as soon as they're in the logs.

[0]https://letsencrypt.org/docs/ct-logs/

I was working on bug bounty work a few years ago for a large company with lots of subdomains in different parts of the world. I found .git/config on a server and I was able to partially reconstruct the entire git repository.

This led me to paths that I wouldn't otherwise be able to find and a complete server takeover through remote code execution. One of their developers left test code for a website template and an unrestricted file upload form.

What is missing in our society to actually deal with this? I see stories like this and get the impression that it is a forgone conclusion that it is OK for this to be normal. I realize the author isn't saying that, and I appreciate their warning and think it is great they posted this, but where is the call to action to deal with this? And I don't mean we should all just get stronger safeguards. The people doing this type of thing are causing harm on a large scale so how do we get society to recognize and start really caring about this to the point that it wouldn't be a joke to call some law enforcement agency to tell them you are being hacked?

These days certificate transparency logs seems to be a trigger to immediately get slammed with a ton of scanners. Some “legit” commercial (eg paloaltonetworks) some russian/chinese

I created a new hostname in DNS

If you’re relying on obscurity

Presumably the former caused your new hostname to be published for all of the Internet to see? That doesn't sound like obscurity to me.

I've had a service running on a high port for many years at the same IP. I've seen it get the occasional "knock" from some scanner or bot, but it has been generally quiet. It probably also depends on your IP, as some parts of the Internet are likely scanned far more frequently and aggressively than others.

Put a personal VPS (no domain) online today. Took like 10 seconds for the first ssh login attempts to start. It's toxic out there. I put everything behind wireguard these days.

Yes that's my experience too just a few seconds anytime I create a certificate with letsencrypt

One of these days I’ll setup a honeypot and use a reverse shell technique to backdoor the attacker.

But wouldn't obscurity beat these attacks. I mean aren't they crafted only to explore common weaknesses and not esoteric weird unique set ups?

Port knocking may be a first line defense here with a port scan attack detector to ban IPs that try to find such ports. See Linux knockd and psad for references. This obscurity doesn’t protect again man-in-the-middle but at least protects from unwanted and opportunistic guests. It also gives more time to indirectly protect from 0-day on sshd (aka the fiasco that could have been the xz incident).

I've also had my hosting provider run those checks to proactively warn me about vulnerabilities.

I've used https://crt.sh to check my own logged SSL certs before, though it looks like they're seeing issues right now.

I always wondered who is behind these attacks, they don't seem targeted since they do them on random ips.

I did a bunch of Devops a few years ago on a Startup, and whenever i started a new AWS EC2 instance, i started getting request for Wordpress files, and other common CMS files.

How many of these accesses were from source IPs owned by Tencent?

(this is not a prejudice; >80% of auto-bans my servers are issuing are for Tencent IPs. I should grab some exact numbers at some point.)

exact same experience. i happened to look at my logs and was terrified for a minute.

sometimes i wonder why the internet wound up this way.

was there some alternative development path or is this inherent in the physical network design?

Imagine falling for that lol

> having an all purpose 1000kloc http server. > serving your source code root > not using any permissions system

Having a webserver listening on ipv4 may get something like that sooner or later. All the tine you get vulnerability scanning by different actors and goals, be aware of that or not.

With hostnames is just another layer, that may have more requirements, but the motivations are similar.

Some of these I get and are obvious. Some look like some kind of exploit maybe?

And then there’s .DS_Store.

What’s the point of that? In case you find a Mac to launch more targeted attacks against known bugs? To know if the developer is in a Mac and just copied files without filtering out dot files?