
Our web application is being mimicked by another domain, https://www.djjpl.com.sg. On ping, it gives the same IP address as ours. Every git push to our server reflects on that domain.

We want to stop that domain from mimicking our app. How can we prevent it?

Stevoisiak
IamGhale
  • Can you tell me how you identified that this domain is mimicking you? I mean, how did you find out? – ChallengeMe Jan 03 '18 at 07:33
  • Is `djjpl.com.sg` yours? If not, what's your domain? Could you post both URLs (yours and the *mimicked* one), please? – F. Hauri - Give Up GitHub Jan 03 '18 at 08:40
  • See [Apache accepting requests to other servers? on Serverfault](https://serverfault.com/a/511419/120438) – Jenny D Jan 03 '18 at 08:57
  • This seems to be oddly common these days; I've seen quite a few cases. Possibly this is done for the "clone" site to easily get Google rank before changing to something else? – Jonas Czech Jan 03 '18 at 11:03
  • Have you considered emailing the address in their WHOIS records? – SomeoneSomewhereSupportsMonica Jan 03 '18 at 12:12
  • @F.Hauri - Based upon the SSL certificate, the legitimate domain is https://www.nrnsewa.com/. – aroth Jan 03 '18 at 13:14
  • @Xander I disagree. The effect might be the same, but the cause (and mitigation) is very different in this case. – Michael Jan 03 '18 at 14:53
  • @Michael No, it is not. Both cause and mitigation appear to be identical. – Xander Jan 03 '18 at 14:59
  • @Xander Ah. My mistake. The one you linked is correct, but [another question](https://security.stackexchange.com/q/168994/56961) (the one I somehow _thought_ you linked) is incorrectly marked as a dup of the one you did link. – Michael Jan 03 '18 at 15:07
  • @Michael Ah! Yes, we have quite a few questions on the topic in various forms (including at least one dupe that was migrated to ServerFault), so there are indeed several near-but-not-quite dupes to be had. – Xander Jan 03 '18 at 15:10
  • Tragic that a duplicate made it onto [HNQ](https://stackexchange.com/questions?tab=hot) – NH. Jan 03 '18 at 22:04

3 Answers


> Our web application is being mimicked by another domain ...

The domain in question is configured to resolve to the same IP address as yours. That's why it looks like they mimic you when in fact it is simply the same physical server, only accessed by another name.

But when using the URL from your question one gets a security warning in the browser: the certificate is for nrnsewa.com which does not match the name in the URL www.djjpl.com.sg. Since this warning will scare away most visitors I doubt that this is an attack but believe that it is simply a misconfiguration for www.djjpl.com.sg.

> How can we prevent it?

You have no control over what others configure for their domain. This includes misconfigurations where they accidentally configure the wrong IP address for their site in DNS. It also includes cases where they don't update their records when they no longer use a domain, which means it might point to IP addresses that are used by others in the meantime. Anybody could configure their domain to point to an arbitrary IP address (including yours), both deliberately and by accident.

But what you can do is refuse access to your site, or show an error, when the domain name in the TLS handshake (i.e. for HTTPS URLs) or the HTTP Host header does not match your site. How this is done depends on the specific server implementation you have. See for example *How can I block requests with the wrong Host header set?*. And even if you don't care about such misconfigurations, enforcing the correct Host header is still recommended since it prevents some attacks like DNS rebinding.

Steffen Ullrich
  • Thank you for your reply. The link you provide is for Nginx. We have Apache on our server. How can we achieve the same on Apache? Thank you once again. – IamGhale Jan 03 '18 at 09:02
  • @IamGhale: You can have a default VirtualHost section in Apache too, see https://httpd.apache.org/docs/2.4/vhosts/name-based.html#alg. Then you could just return an error for everything you get on this VirtualHost. But for details of server configuration better ask at serverfault.com. – Steffen Ullrich Jan 03 '18 at 11:01
  • Personally I'd return requests for that URI with a 301 and bounce them off to somewhere innocuous; once you've tested that it works properly then you could have some fun like a cat video or [something](https://youtu.be/dQw4w9WgXcQ). :) – James Snell Jan 03 '18 at 21:46

Is your site nrnsewa.com? If so, you aren't being mimicked, they just entered the IP address of your server in the DNS entry for their domain name. As a result, https://www.djjpl.com.sg is hitting your web server. Since it's your server, it responds with your content (or web app, or whatever).

But since it's your server, you can also control how it responds. The first option that occurs to me is to create a name-based virtual host on your server under the name www.djjpl.com.sg, and have it:

  • Redirect to your regular site.
  • Display a warning that the administrators of djjpl.com.sg have messed up their DNS records.
  • Whatever else you want to do.
Gordon Davisson

Hasn't someone on your team registered your IP address under a FreeDNS name, before using the current DNS name, for development or for getting in remotely? It does not seem like foul play.

I would investigate that, and if someone knows the old FreeDNS account, log in there and delete the entry. You might also be able to gain access to the FreeDNS account in question using a file on your site. Talk with their support. Barring that, the entry will eventually expire.

As for your web server, well, it is your web server: you can always define virtual host names in it, and either redirect the domain in question to your name, and/or define a virtual host with the legitimate name and serve the site only when the proper domain is being used.

Rui F Ribeiro