
I have a little WordPress honeypot set up. I have it specifically set up so that when the server's IP address is accessed, the WordPress website shows up, i.e. no vhost. I was reading the site's access logs and started noticing WordPress probes with the referer showing a strange website.

```
77.79.196.146 - - [10/May/2021:21:31:57 +0000] "GET /?author=2 HTTP/1.1" 200 3446 "http://faraday.xxxx.xxxx///?author=2" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
```

I decided to do a DNS lookup of the site:

[Image: DNS lookup results for the site]

All of the site's subdomains (except for www, which points to a GitHub Pages IP) point to my server's IP address. Keep in mind this is a honeypot WordPress site that I haven't shared with anyone. I also have a domain attached to it (DNS and rDNS records). What is the point of this? This domain wasn't created to target me (or so I think); it was created almost three years ago.

What kind of attack is this and what is the attacker trying to achieve?

x43
  • Over time, many hosts can be assigned to the same IP address. Domains are forgotten, abandoned, etc. URLs are cached for years/decades in search indexes, document links, etc. Unless you can see something that indicates an attack, you do not have an issue to solve. – John Hanley May 11 '21 at 01:31
  • There are likely no sites pointing to your IP. What you see is only [referrer spam](https://en.wikipedia.org/wiki/Referrer_spam). Does this answer your question? [Fake referer is affecting my google search results](https://security.stackexchange.com/questions/184720/fake-referer-is-affecting-my-google-search-results) – Steffen Ullrich May 11 '21 at 04:18
  • @JohnHanley makes sense, possibly the person using the IP before me stopped paying. Only thing odd is that they have `exit-node-1` as a subdomain and my ISP prohibits Tor nodes (maybe they got banned). – x43 May 11 '21 at 23:53
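
A way to triage entries like the one in the question, as an added example that is not part of the original post or its comments: it flags access-log lines whose Referer names a hostname the server does not own while pointing at the same path and query that was requested. `OWN_HOSTS` and every sample line except the first are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumption: the names and addresses this server is meant to answer to.
OWN_HOSTS = {"honeypot.example", "203.0.113.10"}

SAMPLE = [
    # Log line quoted in the question.
    '77.79.196.146 - - [10/May/2021:21:31:57 +0000] "GET /?author=2 HTTP/1.1" 200 3446 "http://faraday.xxxx.xxxx///?author=2" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"',
    # Constructed lines for comparison.
    '198.51.100.7 - - [10/May/2021:21:40:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2310 "http://honeypot.example/" "Mozilla/5.0"',
    '198.51.100.9 - - [10/May/2021:21:41:15 +0000] "GET / HTTP/1.1" 200 3446 "http://spam.example/cheap-offers" "Mozilla/5.0"',
    '198.51.100.11 - - [10/May/2021:21:42:30 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.68.0"',
]

def _norm(path, query):
    """Collapse repeated slashes so '///?author=2' compares equal to '/?author=2'."""
    return re.sub(r"/+", "/", path or "/"), query

def classify(line, own_hosts=OWN_HOSTS):
    """Return (label, referer_host) for one access-log line."""
    m = LINE_RE.match(line)
    if m is None:
        return ("unparsed", None)
    if m["referer"] in ("", "-"):
        return ("no-referer", None)
    ref = urlsplit(m["referer"])
    host = (ref.hostname or "").lower()
    if host in own_hosts:
        return ("own", host)
    path, _, query = m["target"].partition("?")
    if _norm(ref.path, ref.query) == _norm(path, query):
        # Foreign hostname, yet the Referer names the very URL being requested.
        return ("foreign-self-referential", host)
    return ("foreign", host)

def summarize(lines, own_hosts=OWN_HOSTS):
    """Count foreign referer hosts whose Referer mirrors the requested URL."""
    results = (classify(line, own_hosts) for line in lines)
    return Counter(h for label, h in results if label == "foreign-self-referential")
```

The Referer alone cannot separate a stale DNS record from a forged header; logging the request's Host header (`%{Host}i` in Apache, `$http_host` in nginx) shows which name the client actually used.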
