
Yesterday I registered a .cf domain, I needed it for about 10 minutes. About 5 minutes after domain registration I got over 100 scanner requests (I checked all requests, all are automated scanner requests like ZmEu etc.) in under 10 seconds.

  1. Considering the amount in such a short period and so soon after registration, am I being targeted, or is this everyday business for a .cf domain?
  2. All requests are exclusively over port 80. I had a few more ports (443, ...) open. I am not sure how to interpret this.
  3. All my things are written in c/c++ (sockets, openssl,...). Is there an up-to-date list or something about common attacks targeting specifically c/c++ servers and how to prevent them?

I host the things on my own, on a few servers. Further, the services are always the same (same ports), same static IP, but only for a short period always linked to a different domain. And it was the first time I used a .cf domain. Now I am simply afraid to repeat the process because if I am being targeted, I should check everything twice first.

    Scanning is done against an IP address which might or might not be connected to one or even multiple domains. What makes you think that this scanning occurred because you've registered the domain? – Steffen Ullrich Jul 22 '18 at 09:02
  • *"All my things are written in c/c++ (sockets, openssl,...),..."* - there is no generic vulnerability in this area. Though applications written in these languages are more likely to be vulnerable to buffer overflows, double free etc. – Steffen Ullrich Jul 22 '18 at 09:13
  • Thank you both, for the comment and the answer. I hope SyCode is reading this too. I guess my question was not clear enough, so I am hosting everything myself! That's also the reason why I was thinking it is maybe connected to the domain registration, because I linked ofc my IP. –  Jul 22 '18 at 09:15
  • @Steffen Ullrich I followed OpenSSL's doc, they also mentioned your two things. Is it kinda "enough" to consider only the vulnerabilities they mentioned? –  Jul 22 '18 at 09:21
  • It is not enough. There are many different kinds of vulnerabilities that can happen. Given that your application seems to be web based you should not only care about issues due to low level memory management but also have a closer look at [OWASP top 10](https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf) which cares about issues specific to web applications. As for the scanning: this is part of the usual "noise" on the internet and you have to deal with it. – Steffen Ullrich Jul 22 '18 at 09:35
  • Great pdf, I'll check it! Seems like you have given me the answer already via these comments. Do you maybe also know if these scans are all via port 80? E.g. 443, 587, ... I did not notice any. –  Jul 22 '18 at 09:51
  • Basic scanning for web security problems is usually done at port 80 since this is the default port for http. On 443 you'll probably find more scans in the future if sites start to use port 80 only to redirect to https (port 443). Port 587 is not web at all but used for mail submission and usually requires also authentication, so scanning will not help much. Port 25 is instead often probed to find out if the system is configured as an open mail relay, i.e. can be used to deliver spam to others. And port 22 is also probed to brute force SSH accounts. – Steffen Ullrich Jul 22 '18 at 14:41
  • Did you get an SSL certificate for the domain? Those are usually logged in a publicly accessible manner and can be used as a source of domains to scan by various actors. – Brian Dec 08 '20 at 21:33

2 Answers


This is just the background noise of the internet. Having a publicly routable IP address is all it takes to get scanned. There are countless systems constantly probing the entire internet, some for nefarious purposes (probing for or exploiting known vulnerabilities), others for research purposes or just gathering what's out there (see shodan.io / censys.io; basically search engines for exposed network services).

Most malicious bots aren't very tailored and will just blindly spray their payloads across the internet, hoping to hit enough systems such that a small number will be successfully exploited. You will often see requests related to popular applications (e.g. WordPress, Drupal etc.) regardless of whether you actually run said software. These scans aren't cause for concern unless you run vulnerable versions of the targeted software.

As far as the C/C++ application goes, you need to watch out for memory corruption vulnerabilities as well as OWASP Top 10 if this is a website. Generally, such automated scans are not intended to find issues in a custom application like yours, but you should prevent such issues nonetheless.

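To make the memory-corruption point concrete, here is an added example (not code from the original post or either answer) of the kind of defensive parsing a C socket server needs for the HTTP request line it reads: every copy is length-checked, so an oversized or malformed line is rejected instead of being copied into a fixed-size buffer. The function names and size limits are hypothetical choices for the illustration.

```c
#include <string.h>

/* Added example (not from the original post): bounds-checked parsing of an
 * HTTP request line read from a socket. The copies are length-checked, so an
 * oversized line is rejected instead of overflowing a fixed stack buffer
 * (the classic strcpy()/sprintf() defect). Limits are hypothetical. */
#define MAX_METHOD 8
#define MAX_TARGET 256
struct request_line {
    char method[MAX_METHOD + 1];
    char target[MAX_TARGET + 1];
};
/* Copy token [start, start+len) into dst only if it fits in cap bytes plus NUL. */
static int copy_token(char *dst, size_t cap, const char *start, size_t len) {
    if (len == 0 || len > cap) return -1;
    memcpy(dst, start, len);
    dst[len] = '\0';
    return 0;
}
/* Parse "METHOD SP TARGET SP HTTP/1.x[CRLF]" from n bytes that need not be
 * NUL-terminated (as recv() returns them). 0 on success, -1 on bad input. */
int parse_request_line(const char *buf, size_t n, struct request_line *out) {
    const char *end = buf + n;
    const char *p = memchr(buf, ' ', n);
    if (p == NULL || copy_token(out->method, MAX_METHOD, buf, (size_t)(p - buf)) != 0)
        return -1;
    const char *t = p + 1;
    const char *q = memchr(t, ' ', (size_t)(end - t));
    if (q == NULL || copy_token(out->target, MAX_TARGET, t, (size_t)(q - t)) != 0)
        return -1;
    const char *v = q + 1;
    size_t vlen = (size_t)(end - v);
    while (vlen > 0 && (v[vlen - 1] == '\r' || v[vlen - 1] == '\n')) vlen--; /* CRLF */
    if (vlen != 8 || memcmp(v, "HTTP/1.", 7) != 0 || v[7] < '0' || v[7] > '9')
        return -1;
    return 0;
}
/* Convenience wrapper for NUL-terminated lines. */
int check_line(const char *line) {
    struct request_line r;
    return parse_request_line(line, strlen(line), &r);
}
/* Constructed oversize request: a 300-byte path must be rejected, not copied. */
int oversize_is_rejected(void) {
    char line[320] = "GET /";               /* remaining bytes are zero-filled */
    memset(line + 5, 'a', 300);             /* path longer than MAX_TARGET */
    memcpy(line + 305, " HTTP/1.1", 10);    /* 10 bytes includes the NUL */
    return check_line(line) == -1;
}
```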

A few things, those scans might either be from your hosting company or third parties (e.g. hackers). You might get closer to the answer by clarifying if your hosting company offers some kind of automated security assessment. You probably agreed to such a service. Otherwise, your site is being probed for exploitable weaknesses by some hackers.
