Stolen Certificate and Site

After running through the classic snaps cert installation without a hitch I found a problem.

My website is www.r0amwild.com

I attempted to test load the site at: https://www.r0amwild.com and was displayed a warning that the connection was not private. The pop-up suggested I should not proceed. I did proceed and I was presented with another website (Tulorekisteri) sitting at my url r0amwild. This is not my page! Also this website is in a language I don't understand.

How does that happen and what steps (in layman's terms) must I take to fix it?

I want my site back!!

Thank you for helping me figure this out.

Thom

2 Likes

I cannot duplicate that. Are you still seeing it? Can you upload a picture? Can you show the URL?

SSL Labs and other tools all say your connection is fine and using your cert from today

https://www.ssllabs.com/ssltest/analyze.html?d=www.r0amwild.com&hideResults=on

4 Likes

Hello @Thom0ne,

The certificate presently being served can be viewed here: https://decoder.link/sslchecker/www.r0amwild.com/443 and matches this certificate: crt.sh | 15759570328

I see this for http://www.r0amwild.com/

I see this for https://www.r0amwild.com/

$ curl -Ii https://www.r0amwild.com
HTTP/1.1 200 OK
Date: Sat, 14 Dec 2024 21:45:32 GMT
Server: Apache/2.4.58 (Ubuntu)
Last-Modified: Sat, 14 Dec 2024 17:28:30 GMT
ETag: "2110-6293e46acf1f0"
Accept-Ranges: bytes
Content-Length: 8464
Vary: Accept-Encoding
Content-Type: text/html
$ curl -vIi https://www.r0amwild.com
*   Trying 195.35.32.76:443...
* Connected to www.r0amwild.com (195.35.32.76) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=r0ammild.com
*  start date: Dec 14 19:57:58 2024 GMT
*  expire date: Mar 14 19:57:57 2025 GMT
*  subjectAltName: host "www.r0amwild.com" matched cert's "www.r0amwild.com"
*  issuer: C=US; O=Let's Encrypt; CN=E5
*  SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> HEAD / HTTP/1.1
> Host: www.r0amwild.com
> User-Agent: curl/7.81.0
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Sat, 14 Dec 2024 21:45:36 GMT
Date: Sat, 14 Dec 2024 21:45:36 GMT
< Server: Apache/2.4.58 (Ubuntu)
Server: Apache/2.4.58 (Ubuntu)
< Last-Modified: Sat, 14 Dec 2024 17:28:30 GMT
Last-Modified: Sat, 14 Dec 2024 17:28:30 GMT
< ETag: "2110-6293e46acf1f0"
ETag: "2110-6293e46acf1f0"
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Length: 8464
Content-Length: 8464
< Vary: Accept-Encoding
Vary: Accept-Encoding
< Content-Type: text/html
Content-Type: text/html

<
* Connection #0 to host www.r0amwild.com left intact

Do you have more evidence?

3 Likes

What OS & version, what web browser and version, what browser addons / extensions and version?

I wonder if there is a trojan extension or virus at play here that hijacked your web browser.

Or has someone had access to your DNS and pointed the domain name to another IP address.

5 Likes

It does seem to work now. What the?

I have no idea.

Thank you for fixing it. Could someone else have had the cert? I'm a simpleton when it comes to this stuff BUT I do know the difference between English and something else.

If I can help you get to the bottom of what just occurred please let me know.

Thom

2 Likes

Something cached in your web browser???
Bug???

5 Likes

We took no corrective action. We just viewed things.

Are you on shared hosting? Because "falling through" to an unknown site might be something the hosting service would know about.

Or, as Bruce mentioned, possibly some kind of failure in your browser.

Certs are just files used by your server. Apache in your case. They are not active code. Was this the first time you had HTTPS (port 443) configured at this hosting company? Because it sounds like the HTTPS request got intercepted or misdirected and never reached your Apache. The cert files on your server cannot affect that kind of thing.

7 Likes

Tulorekisteri is Finnish for "incomes register".

Who is your webhost? I see your domain's IP is 195.35.32.76, which is allocated to RIPE and is showing me an Ubuntu server.

The most likely causes for your problem are:

  1. Something is messing with your web browser's DNS. This could be a network problem with your ISP, or your computer could be compromised.

  2. Your webserver was hacked, and you managed to check it while the hackers were setting up a fake website on it. This is common - they break into a machine and use it to host a fake version of some random website, then use phishing emails to try and push people to it.

There are many other possible options, but I think these are the most likely. The real "Tulorekisteri" seems to be a service for reporting wages, so I do think there is a decent possibility that your machine was hacked to host a fake version of this. I would do a security audit of your server – check for login activity, make sure you know all the processes that are running, audit the web hosting configs, etc.

There might not be anything wrong with your site. I just find things a little bit more suspect because there was a brief interruption of normal service, and the wrong site seems to be finance related. If this was just showing another blog or some random content site, I would be inclined to think this was just an ephemeral DNS or routing issue.

5 Likes

I am using Safari on MacOS. As for DNS, I had just updated it to point to this new VPS I picked up at Hostinger.

Maybe it had something to do with the timing associated with that? Got me.

I appreciate your comment. Thanks.

Thom

1 Like

All of these options are quite scary. I turned on UFW for what that is worth.

I will keep an eye on the auth.log file as well.

Thank you for the comment.

Thom

1 Like

Yes, this is a new VPS I'm putting up for a hobby site. I certainly do not want for anyone else to be in my server putting up fake sites.

Thank you, Thom

1 Like

I don't know for sure but perhaps Hostinger (your hosting service?) had a start-up glitch for your new system such that it mis-directed port 443 to someone else. You could look up the IP for the rogue site and see if it is also hosted at Hostinger. That would help rule in or rule out possibilities.

Another possibility is a virus in your browser. Review all your browser extensions. I saw one recently that only occasionally modified URLs on pages. Very sneaky.

No, of course not.

It would be useful to know how that happened. There was nothing we did that "fixed" it. We just viewed your site and DNS using the public internet like anyone would. It wasn't a failure with your cert. It was a failure handling the HTTPS request from your browser to your server. Finding the cause may be difficult. We have given you a number of good ideas of pursuing this. I don't know what else I could add.

3 Likes
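A small check script, added here as an example (it is not from the thread or from Let's Encrypt), that automates the two things the replies checked by hand: that the name resolves only to the VPS address the owner set (195.35.32.76 appears in the thread) and that the certificate actually served has the SHA-256 fingerprint recorded on crt.sh. EXPECTED_FP is a placeholder to fill in from crt.sh, and dig and openssl are assumed to be installed for the --live mode; the two check functions themselves take tool output as text, so they can be exercised offline.

```shell
#!/bin/sh
# Expected values: the VPS address from the thread and a placeholder for the
# cert fingerprint copied from the crt.sh entry (sha256, with or without colons).
HOST="www.r0amwild.com"
EXPECTED_IP="195.35.32.76"
EXPECTED_FP="PLACEHOLDER_SHA256_FINGERPRINT_FROM_CRT_SH"

# dns_ok "<A records, one per line>" "<expected ip>"
# Succeeds only when there is at least one answer and every answer is the
# expected address; a second, unexpected address would be a DNS-level problem.
dns_ok() {
  [ -n "$1" ] || return 1
  if printf '%s\n' "$1" | grep -v -x -F -- "$2" >/dev/null; then
    return 1   # some answer is not the expected address
  fi
  return 0
}

# fp_ok "<openssl fingerprint line>" "<expected fingerprint>"
# Accepts the "sha256 Fingerprint=AB:CD:..." line printed by openssl x509
# (OpenSSL 1.1 prints "SHA256"), normalises both sides and compares them.
fp_ok() {
  got=$(printf '%s' "$1" | sed -n 's/^[Ss][Hh][Aa]256 Fingerprint=//p' \
        | tr -d ':' | tr 'a-f' 'A-F')
  want=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
  [ -n "$got" ] && [ "$got" = "$want" ]
}

# Live mode: query DNS and fetch the served certificate (needs dig and openssl).
if [ "${1:-}" = "--live" ]; then
  addrs=$(dig +short A "$HOST" | grep -E '^[0-9.]+$')
  dns_ok "$addrs" "$EXPECTED_IP" && echo "DNS ok: $addrs" \
    || echo "DNS MISMATCH, got: $addrs"
  fp_line=$(printf '' | openssl s_client -connect "$HOST:443" -servername "$HOST" 2>/dev/null \
            | openssl x509 -noout -fingerprint -sha256)
  fp_ok "$fp_line" "$EXPECTED_FP" && echo "cert ok: $fp_line" \
    || echo "CERT MISMATCH, got: $fp_line"
fi
```

Run it as `sh check.sh --live` from a machine outside the VPS; a DNS mismatch points at the resolver or registrar side, a fingerprint mismatch at whatever is answering on port 443.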
