2

According to my CloudFlare firewall logs, somebody went through each of my subdomains. My website is not advertised, it doesn't even show on Google unless typing the exact domain name into it. I think I know where they found it listed, though.

Fortunately, the connections were refused by CloudFlare due to the client using Tor, I had already blocked it. It would appear that they gave up at this point as no further log entries appeared. They were apparently using Curl, according to the user agent supplied in the logs.

The person went through each of my valid subdomains, starting with the database, but excluding cPanel, Webmail and my FTP. I assume the reason for this is that they knew full well that the login for those services would be secure, so they were looking for an insecure vector.

I have since taken measures to stealth the restricted services, including the default ones provided by the web host.

Can somebody please explain to me how exactly this unscrupulous fella found my CNAMEs? And does it thus follow that he also knows the A records?

Thanks!

  • 5
    Since when is sending a request to a public-facing server evidence of being "unscrupulous"? – ManfP May 27 '20 at 18:43
  • Point taken. But he started with the database and was using Tor; that's my idea of nefarious intentions. – Mere Mortal May 27 '20 at 18:44
  • 1
    If you have matching PTR records, reversing onto the CNAME and A records is straightforward. No idea if this applies to you or not. – gowenfawr May 27 '20 at 18:51
  • I have no PTR records at all. – Mere Mortal May 27 '20 at 19:02
  • What concerns me here is that ever since I advertised my website on a particular service a few days ago, literally the only single place I've done so, I've been steadily taking hits for WordPress files (not that I even have WP). Until that point, I was getting no traffic at all so I'm more than suspicious about this. – Mere Mortal May 27 '20 at 19:04
  • 2
    The bots will come... Some are nice bots crawling your site so they can index it. Others are usually just trying to automate creating accounts and posting spam. – pcalkins May 27 '20 at 19:31
  • Occam's razor, your DNS server allows zone transfers or there's a misconfiguration with your DNS service provider. – user2320464 May 27 '20 at 20:10
  • I know they'll come, that's why I'm being proactive. Finding administrative subdomains is bothersome, but I've locked them down anyway. – Mere Mortal May 27 '20 at 21:00

1 Answer

5

Can somebody please explain to me how exactly this unscrupulous fella found my CNAMES?

No one can know, after the fact, how an UNKNOWN entity managed to get your UNKNOWN content.

There are a lot of ways to find out the names in a zone; there are even tools for this.

This could be a good introduction on the subject: https://blog.appsecco.com/a-penetration-testers-guide-to-sub-domain-enumeration-7d842d5570f6

In summary, it lists the following:

  • using search engines (the site: operator)
  • passive DNS services (which record huge volumes of DNS queries, possibly including yours, hence "divulging" to others the names you have resolved yourself); some ISPs also share DNS query data (which is one of the strong motivations for people advocating the use of DoH)
  • Certificate Transparency Logs
  • dictionary-based enumeration and other similar string manipulations
  • DNS zone transfers
  • DNSSEC walking (trivial with NSEC, possible but far more complicated with NSEC3)
  • various useful "side" information: DNS TXT records for SPF, DNS SRV records, various HTTP headers, etc.

You can certainly add others, like: domains are listed in the parent zone file, which, at least for all gTLDs, is free to get; once you have a domain name you can apply the previous points.

A tool that implements various ways: https://github.com/OWASP/Amass

This other article also lists some tools: https://geekflare.com/find-subdomains/

People also often forget how "chatty" their OS is by default, especially on smartphones, and what various browser plugins can do and record...

In the same way, it is known, for example, that any link exchanged in Skype will immediately be scanned by some robot (in theory to identify whether the link is risky or not), which means that suddenly a third party will access your site (and hence know a website name) where you imagined no one else knew about it.

Patrick Mevzek
  • 1,748
  • 2
  • 10
  • 23
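The answer above lists the channels through which names in a zone leak: an open zone transfer hands out everything at once, while MX, SRV, SPF and similar records reveal individual hostnames to anyone who queries them, and names referenced nowhere are only reachable via AXFR, DNSSEC walking, CT logs or wordlists. The following script is an added example, not code from the original post or from any tool it links to. It parses a small constructed BIND-style zone (the `SAMPLE_ZONE` text, using the reserved `example.com` documentation domain, is made up for this illustration) and sorts the zone's names into those categories, so a zone owner can see which administrative hostnames depend solely on nobody being able to list the zone. The function and class names (`audit_zone`, `ZoneAudit`) are this example's own.

```python
"""Audit a DNS zone for the name-disclosure channels listed in the answer.

Added example, not code from the original post. It parses a small,
constructed BIND-style zone file and separates:
  * every owner name in the zone (what an open AXFR hands out in one go)
  * hostnames that leak through records anyone can query one at a time:
    SOA/NS/MX/CNAME/SRV targets and SPF include:/a:/mx: terms in TXT records
  * names referenced nowhere, learnable only by zone transfer, DNSSEC
    walking, CT logs or dictionary guessing
"""
import re
from dataclasses import dataclass, field

# Constructed sample zone; example.com is a reserved documentation domain.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@         IN SOA   ns1 hostmaster 2020052701 7200 3600 1209600 3600
@         IN NS    ns1
@         IN MX    10 mail
@         IN TXT   "v=spf1 mx a:bounce.example.com include:_spf.mailer.example ~all"
_sip._tcp IN SRV   10 5 5060 voip
ns1       IN A     192.0.2.1
mail      IN A     192.0.2.2
www       IN CNAME web01
web01     IN A     192.0.2.10
db        IN A     192.0.2.20
voip      IN A     192.0.2.30
bounce    IN A     192.0.2.40
cpanel    IN A     192.0.2.50
"""

# owner [ttl] [IN] TYPE rdata
RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?([A-Z]+)\s+(.*)$")
# SPF mechanisms/modifiers that name another host or zone
SPF_TERM_RE = re.compile(r"^[+\-~?]?(?:include|a|mx|ptr|exists|redirect)[:=]([^/\s]+)")


@dataclass
class ZoneAudit:
    origin: str
    owners: set = field(default_factory=set)   # names present in the zone
    targets: set = field(default_factory=set)  # names pointed at by other records

    def in_zone(self, name):
        return name == self.origin or name.endswith("." + self.origin)

    def referenced_subdomains(self):
        """In-zone names learnable by ordinary queries (MX, SRV, SPF, ...)."""
        return sorted(t for t in self.targets if self.in_zone(t) and t != self.origin)

    def unreferenced_subdomains(self):
        """In-zone names no other record points at; these only surface via
        AXFR, NSEC walking, CT logs or a wordlist."""
        return sorted(self.owners - self.targets - {self.origin})


def _fqdn(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def audit_zone(text):
    audit = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            audit = ZoneAudit(origin=line.split()[1])
            continue
        if line.startswith("$"):                     # $TTL and other directives
            continue
        m = RECORD_RE.match(line)
        if not m or audit is None:
            continue
        owner, rtype, rdata = m.groups()
        audit.owners.add(_fqdn(owner, audit.origin))
        fields = rdata.split()
        if rtype in ("SOA", "NS", "CNAME"):
            audit.targets.add(_fqdn(fields[0], audit.origin))
        elif rtype == "MX":
            audit.targets.add(_fqdn(fields[1], audit.origin))   # priority, target
        elif rtype == "SRV":
            audit.targets.add(_fqdn(fields[3], audit.origin))   # prio, weight, port, target
        elif rtype == "TXT":
            txt = rdata.strip().strip('"')
            if txt.startswith("v=spf1"):
                for term in txt.split():
                    t = SPF_TERM_RE.match(term)
                    if t:
                        # SPF domain-specs are fully qualified even without a trailing dot
                        audit.targets.add(t.group(1).rstrip(".") + ".")
    return audit


if __name__ == "__main__":
    a = audit_zone(SAMPLE_ZONE)
    print("AXFR would reveal:", sorted(a.owners))
    print("discoverable by plain queries:", a.referenced_subdomains())
    print("needs AXFR/NSEC/CT/wordlist:", a.unreferenced_subdomains())
```

Run against the sample, the `db` and `cpanel` names end up in the unreferenced group: nothing in the zone points at them, so if they turn up in someone's logs the list of channels from the answer (zone transfer, NSEC walking, CT, dictionary) is where to look, whereas `mail`, `voip` and `bounce` are handed to anyone who asks for the MX, SRV or SPF records.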