After creating certs for never-before-used domains with certbot, someone is hitting my new domains

I ran a command like this:

certbot certonly \
    --non-interactive \
    --expand \
    --email joe@trusktr.io \
    --agree-tos \
    --standalone \
    --domain trusktr.io \
    --domain sk8.earth \
    --domain sk8.or.die.on.sk8.earth \
    ... a bunch more domains I've never used before ...

When the command was successful, I tested a couple domains and they worked.

But the weird thing is my server is now receiving requests for all the other domains I have not manually tested myself, and this started happening after I used the certbot command.

Sounds like I got hacked somehow, unless my server is requesting itself (which would be a bug in an older version of the Node.js http-proxy package then). My request handler logs which requests are coming in (and my code is not making requests).

When you create a new topic in the Help category the questionnaire contains this tidbit:

Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com)

Your domain for example: crt.sh | %.sk8.earth

3 Likes

This is common: Certificate Transparency logs are public, and new certificates are viewed by various Web-scraping robots.

5 Likes

Ah ok! So maybe robots trying to scrape what they can. Search engines?

I've been getting some IncomingMessage Node objects without .headers or without .headers.host. Not sure if there's a bug somewhere or someone found a hack.

I just saw someone hit this on the server:

http://www.sk8.earth/.well-known/security.txt

Any ideas why?

EDIT:

Ah, wikipedia says

for those wishing to contact a website's owner about security issues

I should put something there.

Or scanners looking for (zero day) exploits. Or looking for software that gets a cert as part of its installation process, but still has some default password set.

4 Likes

crawlers will crawl.

2 Likes

People often roll their eyes when folks like us say that you shouldn't connect old/unpatched systems to the internet, but the reality of launching any website is two fold:

  • the people you want to see it generally won't, that part is hard.
  • the people you don't want to see it will conduct a regular extensive free "security audit", that part is easy.

They're looking for known exploits for various reasons. They can either make use of your server for further nefarious means or harvest private user data you have stored in databases, or the newest one, which is beg-bounties. This is where they will find generic "exploits" and report them to you (complete with extensive reproduction guides, screen captures etc.) in an effort to get you to pay a bounty. I fell for that once for something minor; the next day someone reported the exact same issue, then I realized they were part of a bounty farm. This would explain why they're checking for your security.txt.

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.