1

Today I accidentally mistyped a popular website's domain, which led me to a malicious website. I realized immediately, but before I had time to close the tab, I was surprised to be presented with the web app that I am running locally on Apache. The webpage was identical to my web app, but all links were pointing to the malicious website.

I do not understand how this can happen. Here is some relevant info:

OS:

Ubuntu 16.04 LTS

Apache version:

Server version: Apache/2.4.18 (Ubuntu)
Server built:   2019-09-16T13:13:53

The web app is a PHP 7.0 Symfony web application.

Netstat:

u@u:~$ sudo netstat -apn | grep apache
tcp6       0      0 :::80                   :::*                    LISTEN      9711/apache2  

If I am understanding the netstat output correctly, Apache is bound and listening on all IPv6 interfaces (I am not sure why IPv4 is missing?).

However, I am behind a router which should block incoming connections (I have checked in my router that there are no port forwardings/open ports). I also tried accessing my public IP from a different network and got "connection refused" (as expected).

I am very confused (and alarmed) by this. Does anybody have some idea how this could happen?

I am happy to provide more info/clarification. I imagine it is not allowed so I will not post the link to the malicious site, although some security professionals might be interested in checking it out?

pppfff604
  • 21
  • 3

1 Answer

2

I was surprised to be presented with the web app that I am running locally on apache.

Likely the name of the domain you've typed resolved to 127.0.0.1, i.e. localhost, and thus access to the domain resulted in access to your webserver on localhost. Since you likely use relative URLs in your local site (i.e. only path but no domain given), all links now pointed to the new domain.

See also Why does localbattle.net point to localhost? and Weird DNS queries to messager.xicp.net for similar questions.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • Thanks, it was as simple as that. I actually checked with dig and it in fact resolves to 127.0.0.1. Any idea what a malicious site would gain from this? – pppfff604 Dec 18 '19 at 18:53
  • @pppfff604: According to your question it was just showing your local website since it pointed to 127.0.0.1 - which by itself is not malicious. So where does your claim that the site is malicious come from? – Steffen Ullrich Dec 18 '19 at 18:58
  • @pppfff604 There's nothing malicious going on. It's common for a DNS entry to point to localhost for the purpose of doing exactly what you're doing. That is, you have a development instance on your local machine. – Steve Sether Dec 18 '19 at 19:16
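As an added example (not part of the question or the answer above), the following Python script reproduces the two things the answer describes: a name that resolves to a loopback address sends the browser to whatever is listening on this machine, and a page built from relative URLs will have every link rebased onto whichever host name the page was loaded from. The domain examp1e.test, the FAKE_DNS table and the HTML snippet are all constructed for the example so that it runs offline; pass resolver=None to classify() to query the real system resolver instead.

```python
import ipaddress
import socket
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for DNS so the example runs offline.
# examp1e.test is a hypothetical mistyped domain; 8.8.8.8 is just a
# well-known public address used to show the "public" case.
FAKE_DNS = {
    "examp1e.test": ["127.0.0.1"],   # the situation in the question
    "example.test": ["8.8.8.8"],     # an ordinary public site
}


def resolve(host, resolver=None):
    """Return the addresses a host name resolves to.

    resolver is an optional dict (used here for the offline example);
    with resolver=None the system resolver is asked, like `dig` would.
    """
    if resolver is not None:
        return resolver.get(host, [])
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def classify(host, resolver=None):
    """Say where a name actually sends the browser.

    "loopback" means the connection lands on a server on this machine,
    regardless of what the typed domain looks like.
    """
    addrs = resolve(host, resolver)
    if not addrs:
        return "unresolvable"
    kinds = set()
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback:
            kinds.add("loopback")
        elif ip.is_private or ip.is_link_local:
            kinds.add("private")
        else:
            kinds.add("public")
    return ",".join(sorted(kinds))


class LinkCollector(HTMLParser):
    """Collect href/src attributes of the tags a browser would follow."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag == "a" and name == "href") or (
                tag in ("img", "script", "link") and name in ("src", "href")
            ):
                self.links.append(value)


def absolute_links(page_html, page_url):
    """Resolve every link the way a browser does: relative URLs inherit
    the scheme and host of the URL the page was loaded from."""
    parser = LinkCollector()
    parser.feed(page_html)
    return [urljoin(page_url, link) for link in parser.links]


def hosts_in_links(page_html, page_url):
    """The distinct host names the page's links point at."""
    return sorted({urlsplit(u).hostname for u in absolute_links(page_html, page_url)})


# Constructed HTML resembling a local dev app that uses only relative URLs.
LOCAL_APP_HTML = """<html><body>
<a href="/login">Log in</a>
<a href="profile/edit">Edit profile</a>
<img src="/build/logo.png">
<script src="/build/app.js"></script>
</body></html>"""


if __name__ == "__main__":
    for host in FAKE_DNS:
        print(f"{host}: {classify(host, FAKE_DNS)}")
    # Same HTML, loaded under two different names: the links follow the name.
    for base in ("http://localhost/", "http://examp1e.test/"):
        print(base, "->", hosts_in_links(LOCAL_APP_HTML, base))
```

The same check with real DNS is `dig +short examp1e.test` (or `classify("examp1e.test")` with no resolver argument); a loopback answer means the page you are looking at is served by your own machine. On the netstat line in the question, `:::80` is a dual-stack listener: on Linux with the default net.ipv6.bindv6only=0 it also accepts IPv4 connections (as IPv4-mapped addresses), so a request to 127.0.0.1:80 reaches that Apache even though no separate 0.0.0.0:80 entry is shown.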