Hackers managed to create subdomains and install Shopify on them, but records of these subs don't exist in CF. How?

I’m completely stumped trying to figure out how hackers (or bots) managed to create subdomains off my primary, validating them via Google Search Console meta tags, and then install Shopify instances on them without a single trace of these fraudulent subs in Cloudflare.

I got a message saying:

New owner for http://bshackercasinoasfasd.mydomain.com/
Google has identified that [email protected] has been added as an owner of http://bshackercasinoasfasd.mydomain.com/.

Now I’ve received this a year ago but it was on an old WP website I never decommissioned so I removed the metatag and I was set. But I can’t remove these because I don’t have access to the servers. This is such a bizarre instance that Google won’t even let me submit a ticket about it and EVERYONE I’ve asked about it just endlessly repeats “remove the metatag”.

I’ve recently trimmed a few old accounts off my Google Analytics / Search Console rosters but I still don’t see how they could’ve created the subdomain without DNS access.

FWIW, I didn’t have 2FA on, so I’ve since activated it BUT still, there are no records of these subs in my DNS list. Any ideas?

Probably a straightforward subdomain takeover: https://www.hackerone.com/application-security/guide-subdomain-takeovers


Can you share your domain name and a screenshot of your Cloudflare DNS Dashboard, as well as the actual subdomains that have been taken over?


My understanding was that subdomain takeovers were still limited to preexisting domains?

That screenshot looks like your account has been compromised. Have you reviewed your audit log?


F*ck.

It was. Thank you, so much. It looks like they would add and then immediately delete them after verifying. Took all necessary precautions to secure, question now is how to remove these subdomains from the web?

Also, it seems they only used the first one or two sites to manually configure DNS in CF; for the others I believe, or it seems as if, they were using Shopify’s automatic DNS configuration to set them up, as I don’t see the remaining domains but many instances of this…

I have a wildcard A record that points to a generic IP used by not only my Shopify site but the hackers. I presume this is how they were remaining operational without leaving a trace in my dashboard?

Assuming I’m correct, after creating proper CNAME records for any legit subdomains I may be using, are there any other downstream implications I should be aware of if I were to delete it - or is there an easier way to handle this altogether?
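The two things the thread ends up relying on are (1) the audit log showing records that were added and deleted again minutes later, and (2) a wildcard A record that lets any label under the zone resolve to a shared hosting IP. The script below is an added example, not code from this thread or from Cloudflare; it runs the two checks over constructed sample data. The audit events, the zone records and the RFC 5737 documentation address `203.0.113.10` are all made up for the example; only the `bshackercasinoasfasd.mydomain.com` name comes from the post above.

```python
from datetime import datetime, timedelta

# Constructed sample of audit-log events in a simplified shape:
# (ISO-8601 UTC timestamp, action, record name, record type, record content).
# The Shopify CNAME target is assumed for illustration.
SAMPLE_AUDIT_EVENTS = [
    ("2024-03-01T02:14:05Z", "add", "bshackercasinoasfasd.mydomain.com", "CNAME", "shops.myshopify.com"),
    ("2024-03-01T02:16:40Z", "delete", "bshackercasinoasfasd.mydomain.com", "CNAME", "shops.myshopify.com"),
    ("2024-03-01T09:00:00Z", "add", "blog.mydomain.com", "CNAME", "blog-host.example.net"),
]

# Constructed sample zone. 203.0.113.10 stands in for a hosting IP that is
# shared between the owner's Shopify site and any other tenant of that host.
SAMPLE_ZONE = [
    ("*.mydomain.com", "A", "203.0.113.10"),
    ("shop.mydomain.com", "A", "203.0.113.10"),
    ("www.mydomain.com", "CNAME", "mydomain.com"),
]


def parse_ts(value):
    """Parse the Zulu timestamps used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_short_lived_records(events, max_age=timedelta(hours=24)):
    """Return (name, type, lifetime_seconds) for records that were added and
    then deleted within max_age. Each delete is paired with the most recent
    earlier add of the same name and type, so a record that was created,
    used for a one-off verification and then removed still shows up even
    though the current DNS listing has no trace of it."""
    pending = {}  # (name, type) -> timestamp of the add
    hits = []
    for ts, action, name, rtype, _content in sorted(events, key=lambda e: e[0]):
        key = (name.lower(), rtype.upper())
        when = parse_ts(ts)
        if action == "add":
            pending[key] = when
        elif action == "delete" and key in pending:
            age = when - pending.pop(key)
            if age <= max_age:
                hits.append((name, rtype, int(age.total_seconds())))
    return hits


def find_wildcard_risks(records):
    """Flag wildcard address/alias records. A wildcard makes every label that
    has no explicit record resolve, so a service at the target that lets a
    tenant claim arbitrary hostnames can be pointed at a stranger's content
    without any change to the zone."""
    return [
        (name, rtype, content)
        for name, rtype, content in records
        if name.startswith("*.") and rtype.upper() in ("A", "AAAA", "CNAME")
    ]


def covered_by_wildcard(hostname, records):
    """True when hostname has no explicit record of its own but a wildcard
    one label up would answer for it. Only the immediate parent is checked;
    deeper wildcard matching is left out for clarity."""
    names = {name.lower() for name, _, _ in records}
    host = hostname.lower()
    if host in names:
        return False
    parent = host.split(".", 1)[1] if "." in host else ""
    return f"*.{parent}" in names


if __name__ == "__main__":
    for name, rtype, secs in find_short_lived_records(SAMPLE_AUDIT_EVENTS):
        print(f"short-lived record: {name} {rtype} lived {secs}s")
    for name, rtype, content in find_wildcard_risks(SAMPLE_ZONE):
        print(f"wildcard record: {name} {rtype} -> {content}")
    print("random label resolves via wildcard:",
          covered_by_wildcard("anything.mydomain.com", SAMPLE_ZONE))
```

Against the sample data the first check surfaces the casino subdomain as a record that existed for 155 seconds, which is exactly what a current DNS listing hides, and the second check reports the wildcard and confirms that an arbitrary label would still resolve to the shared IP. The practical fix mirrors the thread: replace the wildcard with explicit records for the subdomains you actually use, then review the audit log for any further add-then-delete pairs.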

Deleting the wildcard did the trick. Thanks for pointing me in the right direction, Epic.

