What's been breached?

Hi there,
this afternoon I’ve received a notification from the Google Search Console that one of my websites got a new owner for the http://ftp.mysitename.com property. Three times in a row, with three different owners (their emails was visible). I’ve entered the URL in a browser and found some weird softcore anime stuff selling I hadn’t the time to check what. My site is just a static landing page linked to GitHub Pages, and I don’t recall having set any ftp subdomain.

Cloudflare dashboard listed that record, unproxied. I did remove it, and changed my passwords (both Cloudflare’s and Google’s). No trace of either of the attacker’s emails in the Search Console as owners, at least I haven’t been able to find them. Do you think both accounts were compromised?
I had 2FA on Google, not on Cloudflare (now set), I wonder how the heck it’s been possible. I reckon that without the Search console email, I wouldn’t have noticed, though.
I still don’t understand where those files resided—it didn’t seem a redirect; and why, of all the things a malicious actor could do, they added a subdomain and put anime on it? Leaving their email thrice in due course?

I’d like to understand better (lesson learned: 2FA everywhere), although at this point is just a curiosity, I guess—I haven’t had the time to take screenshots, I’m afraid.

Thanks!

Davide

What is the domain?

I haven’t got the time to screenshot what was there, I’m afraid (if you mean in the DNS Records). I also looked for some sort of activity log for my user, but wasn’t able to find one—I’m on the free plan, BTW

I mean, what is the domain name?

Here…
https://dash.cloudflare.com/?to=/:account/audit-log

Oh sorry, it’s htmlpanelsbook.com.
I’ve checked the audit logs (thanks for the link!) and with me as a user, there’s only the Record’s deletion —all the rest is Cloudflare’s

ftp.htmlpanelsbook.com no longer resolves, so you did remove it.
https://cf.sjr.org.uk/tools/check?c284e0e56ecf4befaef24b4c6c0dcf9f#dns-other

Google does show one reference to it…

Cloudflare does import subdomains that resolve when you set up the zone in Cloudflare so many people do have an ftp subdomain without realising it. Their host probably created one before that was then imported. But yours was unproxied whereas the import defaults to proxied so there is a chance someone got in and set one up. It’s also possible you unproxied it at some point, and it points at an IP address you used, or used to use, at your host or a previous host that’s now used by someone else.

So either a compromise or an unfortunate hanging record is hard to tell from the outside. To be safe, I would ensure the DNS is tidy (only using records you actually use), then change any passwords, set up 2FA and rotate your global API key (check for API tokens).

Follow the advice here…

2 Likes

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.