6

I run a website at https://fastslots.co. I just discovered that I am getting requests from the URL https://canadaehtees.com/ that I have no affiliation with. When I load canadaehtees.com in my browser I get a warning about an invalid SSL certificate. If I proceed anyway, the site that is displayed looks and behaves exactly like fastslots.co and all requests made there go to my server. However, the URL stays at canadaehtees.com.

My site is written in Node.js, and I am not using a proxy. I am redirecting all requests that use HTTP or that start with www to my site using HTTPS.

I am not sure what the best thing to do is. Obviously I can just return an error page if I get a request where the URL does not match fastslots.co. Still I am worried about what is going on here. Does anyone know?

[Edit: I am now redirecting all requests to fastslots.co that have an unknown host (such as canadaehtees.com for example). Is this not a good idea?]

Peter Mortensen
Henry

3 Answers

24

I've taken a quick look, and this appears to be completely benign, if somewhat annoying. It's not an attack as Michael suggested in his answer.

What has happened is that someone purchased a domain (canadaehtees.com) and pointed the DNS records for that domain at the IP address that currently hosts your website (fastslots.co). Why? It could be a simple mistake, or it could be that they were in possession of that IP address before you were, given that their domain name is slightly older than yours.

This is why the site at that domain looks exactly like yours (it is yours!) and you get the invalid certificate error over https (because the certificate is also yours, and so isn't for canadaehtees.com, but for fastslots.co.)

What can you do about it? Well, redirecting as you've currently configured is one option. I would suggest that you change the redirect from a 302 (temporary) to a 301 (permanent) if this is the solution you want to use long term.

Other status codes you could return for unknown hosts would be 404 (not found) or 410 (gone).

The more drastic solution, but the one that should permanently fix the issue without any further work on your part, would be to move your site to another IP.

Xander
  • Thanks Xander, that's a bit of a relief. It's hard for me to judge which of the answers to select as the correct one, so I will wait a bit to see if there are other comments. – Henry Oct 24 '14 at 18:41
  • Currently the domains are resolving to different IPs. I get `104.28.31.27` and `104.28.30.27` for `fastslots.co` and `190.10.8.237` for `canadaehtees.com`. – kasperd Oct 24 '14 at 18:58
  • @kasperd I investigated that as well. The 104.* IPs are CloudFlare. (As is the SSL cert when you visit via those IPs.) They are not the IPs where the site actually lives, however. That is the 190.* IP. – Xander Oct 24 '14 at 19:00
  • Changing IPs isn't necessarily a permanent fix, because the owner of `canadaehtees.com` could just update that domain's DNS records to match. – David Z Oct 25 '14 at 03:34
  • @DavidZ Yes, that is true, but as the saying goes, never attribute to malice that which can be explained by incompetence. It's far more likely that this is the result of a mistake or neglect. There's nothing to be gained by the owner of the other domain updating it to point at a new IP should the OP change. – Xander Oct 25 '14 at 03:45
  • Thanks to everyone who looked at this. I think the vote is clear that this should be the right answer. Nonetheless, thanks to Michael for pointing out how we can improve our CSRF protection. – Henry Oct 25 '14 at 17:23
6

This looks a lot like a cross-site request forgery website, trying to lure visitors into executing requests to your site without them knowing they are actually sending requests to your domain.

Imagine for example that 'https://canadaehtees.com' has a button on his site 'place free bet'. In case a visitor clicks that button (or automatically triggers the click event unknowingly through javascript), a request is made to your site where a large bet is placed in the visitor's name (because the authentication cookie is sent along, fastslots.co thinks the user is authenticated and accepts the bet).

More information: OWASP CSRF

To protect yourself, you can either block all requests coming from 'https://canadaehtees.com', or implement another CSRF protection such as the synchronizer token pattern. Please consult the OWASP prevention cheat sheet for more information regarding that.

Michael
  • Thanks for the quick answer Michael. I will look into CSRF prevention as you suggested. – Henry Oct 24 '14 at 14:07
  • This does not appear to be what's happening at all. I don't know if you actually went and looked at the sites in question, but the unknown site doesn't appear to be a site at all. It appears to be a domain that points back to the fastslots.co site. – Xander Oct 24 '14 at 17:20
  • Regardless, fastslots.co absolutely needs to have CSRF protection, to prevent against these types of attacks. Running a site that *deals with money* and has no CSRF protection in 2014 is quite simply irresponsible. – Stephen Touset Oct 24 '14 at 21:07
  • @StephenTouset Yes, absolutely, 100% agreed. It's just not germane to the question at all. – Xander Oct 25 '14 at 00:13
  • It seems Xander is right, I did not have time to look into it in detail. Anyway, please implement CSRF protection, then I'll consider using it ;). – Michael Oct 25 '14 at 07:19
  • Awesome, Michael, would be great to see you around. We have implemented a redirect for all requests with the wrong host. We are now working on implementing the synchronizer token pattern to protect against CSRF. – Henry Oct 25 '14 at 17:27
0

Based on my analysis, canadaehtees.com returns an HTTP 302 with fastslots.co being the destination.

This has nothing to do with DNS per the following nslookup results.

 190.10.8.237 - canadaehtees.com
 104.28.{30,31}.27 - fastslots.co

This also has nothing to do with CSRF or anything else.

Consider it flattery that someone has purchased a separate domain just to redirect traffic to your website.

anon
  • This is wrong. If you had looked at the domain history, you would have seen that canadaehtees was purchased before fastslots. – Xander Oct 26 '14 at 00:17
  • As for the IP addresses, this has already been covered repeatedly in the comments. – Xander Oct 26 '14 at 00:47