Strange verification attempt by Online Casino

I just acquired a Hostinger VPS and started to migrate my site from Hostgator.

I had to install a lot of things, and when I started testing the migrated site, I couldn't make rewrite_mode work. Then, while testing a lot of configurations, I noticed some acme-challenge attempts where the host came from something."bydgames.net", a page that is unknown to me.

I thought my page had some virus, and then I decided to reinstall the VPS OS and start again, and first of all to try to make rewrite_mode work.

Then I restored the VPS from the beginning, and I have only created an index.php page to test rewrite_mode.

Before installing anything (even an SSL cert), I searched for "bydgames.net" and, to my surprise, it was found.

I noticed the attempts are logged at the same time every 3 hours...

I don't know what to do; the Hostinger support is so bad, they say they can't provide any help for VPS.

/var/log/nginx/error.log:2024/11/07 11:06:49 [error] 52858#52858: *54 open() "/usr/local/fastpanel2/web/letsencrypt/VL4JPER9UH2UTWNLDT-A0M9KOG-DOWQV" failed (2: No such file or directory), client: 2a01:4f8:13b:27d1::2, server: _, request: "GET /.well-known/acme-challenge/VL4JPER9UH2UTWNLDT-A0M9KOG-DOWQV HTTP/1.1", host: "mail.bydgames.net"
/var/log/nginx/error.log:2024/11/07 11:06:49 [error] 52859#52859: *55 open() "/usr/local/fastpanel2/web/letsencrypt/Y2HU1WI0JLQ95V5EF2O29-JIQ4RIYSPW" failed (2: No such file or directory), client: 2a01:4f8:13b:27d1::2, server: _, request: "GET /.well-known/acme-challenge/Y2HU1WI0JLQ95V5EF2O29-JIQ4RIYSPW HTTP/1.1", host: "cpanel.bydgames.net"
/var/log/nginx/error.log:2024/11/07 11:06:50 [error] 52860#52860: *56 open() "/usr/local/fastpanel2/web/letsencrypt/7PARWYU1UE3IW8IL9NJVPRYSV7TKZG_3" failed (2: No such file or directory), client: 2a01:4f8:13b:27d1::2, server: _, request: "GET /.well-known/acme-challenge/7PARWYU1UE3IW8IL9NJVPRYSV7TKZG_3 HTTP/1.1", host: "webdisk.bydgames.net"
/var/log/nginx/error.log:2024/11/07 11:06:50 [error] 52861#52861: *57 open() "/usr/local/fastpanel2/web/letsencrypt/VG0WBSS5TKHBUUZ_HJLQ3D8OPWVHKNWM" failed (2: No such file or directory), client: 2a01:4f8:13b:27d1::2, server: _, request: "GET /.well-known/acme-challenge/VG0WBSS5TKHBUUZ_HJLQ3D8OPWVHKNWM HTTP/1.1", host: "webmail.bydgames.net"
/var/log/nginx/error.log:2024/11/07 11:06:51 [error] 52862#52862: *58 open() "/usr/local/fastpanel2/web/letsencrypt/K4-3V7NFRSIQ5FQ4_BO0BNPR7M0-TN0Q" failed (2: No such file or directory), client: 2a01:4f8:13b:27d1::2, server: _, request: "GET /.well-known/acme-challenge/K4-3V7NFRSIQ5FQ4_BO0BNPR7M0-TN0Q HTTP/1.1", host: "cpcontacts.bydgames.net"
/var/log/nginx/error.log:2024/11/07 11:06:51 [error] 52863#52863: *59 open() "/usr/local/fastpanel2/web/letsencrypt/SK181B5M6HP119O8HFOCXS4ZPL-Y5QDY" failed (2: No such file or directory), client: 2a01:4f8:13b:27d1::2, server: _, request: "GET /.well-known/acme-challenge/SK181B5M6HP119O8HFOCXS4ZPL-Y5QDY HTTP/1.1", host: "cpcalendars.bydgames.net"
/var/log/nginx/error.log:2024/11/07 11:06:51 [error] 52864#52864: *60 open() "/usr/local/fastpanel2/web/letsencrypt/BFQTS0UT86FJJ7P0SRMS0S20V0ITE_1E" failed (2: No such file or directory), client: 2a01:4f8:13b:27d1::2, server: _, request: "GET /.well-known/acme-challenge/BFQTS0UT86FJJ7P0SRMS0S20V0ITE_1E HTTP/1.1", host: "teslacharger.in.bydgames.net"
/var/log/nginx/error.log:2024/11/07 11:06:52 [error] 52865#52865: *61 open() "/usr/local/fastpanel2/web/letsencrypt/SM6KFH7LQMDVNPKPS61_VHW9Q_PNDAKO" failed (2: No such file or directory), client: 2a01:4f8:13b:27d1::2, server: _, request: "GET /.well-known/acme-challenge/SM6KFH7LQMDVNPKPS61_VHW9Q_PNDAKO HTTP/1.1", host: "www.teslacharger.in.bydgames.net"

Forgot to say, this bydgames.net is an online casino :persevere:
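The log lines above are the whole evidence in this thread, so a defender's first step is to pull the ACME-challenge requests out of the nginx error log, separate the ones for names you own from the stray ones, and measure how regularly the stray client comes back (here: every 3 hours). The script below is an added example for this thread, not code from the original post or from nginx; the sample log lines are constructed to match the format posted above (documentation-range client addresses and the hostnames `*.stray.example` are placeholders), and the list of names you own is passed in by the caller.

```python
import re
from collections import defaultdict
from datetime import datetime

# Shape of the nginx error-log lines posted in the thread (optionally prefixed
# with the "<file>:" that grep adds):
#   <date> <time> [error] <pid>#<tid>: *<conn> open() "<path>" failed (...),
#   client: <ip>, server: <name>, request: "<method> <uri> HTTP/1.x", host: "<host>"
LINE_RE = re.compile(
    r'(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] .*?'
    r'client: (?P<client>[^,]+), server: (?P<server>[^,]+), '
    r'request: "(?P<method>\S+) (?P<uri>\S+) [^"]*", host: "(?P<host>[^"]+)"'
)
ACME_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample, modelled on the lines in the thread: one stray client
# returning three hours apart, one unrelated 404, and one validation for our own name.
SAMPLE_LOG = """\
/var/log/nginx/error.log:2024/11/07 11:06:49 [error] 52858#52858: *54 open() "/usr/local/fastpanel2/web/letsencrypt/TOKEN1" failed (2: No such file or directory), client: 2001:db8::2, server: _, request: "GET /.well-known/acme-challenge/TOKEN1 HTTP/1.1", host: "cpanel.stray.example"
/var/log/nginx/error.log:2024/11/07 11:06:50 [error] 52859#52859: *55 open() "/usr/local/fastpanel2/web/letsencrypt/TOKEN2" failed (2: No such file or directory), client: 2001:db8::2, server: _, request: "GET /.well-known/acme-challenge/TOKEN2 HTTP/1.1", host: "webmail.stray.example"
/var/log/nginx/error.log:2024/11/07 11:30:12 [error] 52860#52860: *56 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: 198.51.100.7, server: _, request: "GET /favicon.ico HTTP/1.1", host: "www.limpadoraglobo.com.br"
/var/log/nginx/error.log:2024/11/07 12:00:03 [error] 52861#52861: *57 open() "/usr/local/fastpanel2/web/letsencrypt/TOKEN3" failed (2: No such file or directory), client: 2001:db8::9, server: _, request: "GET /.well-known/acme-challenge/TOKEN3 HTTP/1.1", host: "www.limpadoraglobo.com.br"
/var/log/nginx/error.log:2024/11/07 14:06:49 [error] 52862#52862: *58 open() "/usr/local/fastpanel2/web/letsencrypt/TOKEN4" failed (2: No such file or directory), client: 2001:db8::2, server: _, request: "GET /.well-known/acme-challenge/TOKEN4 HTTP/1.1", host: "cpanel.stray.example"
/var/log/nginx/error.log:2024/11/07 14:06:50 [error] 52863#52863: *59 open() "/usr/local/fastpanel2/web/letsencrypt/TOKEN5" failed (2: No such file or directory), client: 2001:db8::2, server: _, request: "GET /.well-known/acme-challenge/TOKEN5 HTTP/1.1", host: "webmail.stray.example"
"""


def parse_line(line):
    """Return the fields of one ACME-challenge error line, or None for anything else."""
    m = LINE_RE.search(line)
    if m is None or not m.group("uri").startswith(ACME_PREFIX):
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
        "client": m.group("client"),
        "host": m.group("host").lower().rstrip("."),
        "token": m.group("uri")[len(ACME_PREFIX):],
    }


def is_own(host, own_names):
    """True if `host` is one of our registered names or a subdomain of one."""
    return any(host == n or host.endswith("." + n) for n in own_names)


def burst_gaps(timestamps, quiet=600):
    """Seconds between bursts: gaps longer than `quiet` seconds between consecutive requests."""
    ts = sorted(timestamps)
    return [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])
            if (b - a).total_seconds() > quiet]


def summarize(lines, own_names, quiet=600):
    """Stray ACME requests (Host not ours) grouped by (client, host) and by client."""
    per_host = defaultdict(list)
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or is_own(rec["host"], own_names):
            continue
        per_host[(rec["client"], rec["host"])].append(rec["ts"])
        per_client[rec["client"]].append(rec["ts"])
    return {
        "hosts": {key: len(ts) for key, ts in per_host.items()},
        "clients": {
            client: {
                "requests": len(ts),
                "first": min(ts),
                "last": max(ts),
                # hours between bursts; a steady value (3.0 here) is the signature
                # of a forgotten client retrying on a timer
                "gap_hours": [round(g / 3600, 1) for g in burst_gaps(ts, quiet)],
            }
            for client, ts in per_client.items()
        },
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines(), ["limpadoraglobo.com.br"])
    for (client, host), n in sorted(report["hosts"].items()):
        print(f"{client:<16} {host:<28} {n} requests")
    for client, info in report["clients"].items():
        print(f"{client}: {info['requests']} requests, bursts {info['gap_hours']} h apart")
```

Run it against the real file with `summarize(open("/var/log/nginx/error.log").readlines(), [...])`; only the Host values that are not yours and not subdomains of yours count as stray, so a stray client that is also validating one of your names would still show up under your name.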

Did you update your DNS A and AAAA records to be your public IP address at Hostinger? Because they usually set those by default to their services.

What is your domain name and what kind of server are you using?

I moved your topic to the Help section. You would have been asked to answer these questions.

====================================

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

4 Likes

My vote would be "nothing," unless you're seeing an actual problem.

5 Likes

My assumption is that those hostnames used to be hosted at the IP that you are now using, and that there's some service on some forgotten server which is dutifully trying to revalidate control over its names every 3 hours, even though it won't work until they update their DNS records or otherwise fix their configuration.

Such "zombie" clients that just retry forever, hoping against hope that one day they'll be configured correctly but in the meantime just keep wasting resources failing, are unfortunately much more common out there than one would hope. They once said that around 80% of HTTP validation attempts fail, and a lot of them are these forgotten clients that aren't smart enough to give up after retrying for months (or years).

I agree with the previous poster that there really isn't anything for you to do. If you're ambitious, and generous, and want to try to figure out how to contact the network operations of the domain that's failing, I suppose you could give it a shot. But if a few requests, every 3 hours, is the worst noise in your log files to deal with, then you're doing pretty well. If it really bugs you, then you might be able to get a different IP from your hosting provider, but there's no guarantee that any other IP would get any less random traffic from a prior owner.

7 Likes

The IP for the games domain is at Hostinger. It should be easy to check if their IP addresses are the same as for this domain. It would be a clue as to exactly how the requests are misdirected.

5 Likes

That was my immediate guess too.

My other comment is this: The registered domain seems to be using an off-the-shelf skinned theme (the HTML title is "Themestub"), and the subdomains seem to be standard cPanel things - though the teslacharger one seems weird. Usually when I see things like this, it's for a fake/scammer website that drives people through spam email. Considering this is happening on an IP on a VPS hosting service, I am pretty confident that is what is happening. A real online casino would not be using a Hostinger VPS.

7 Likes

The replies:

I have done nothing about DNS settings.

I just set the DNS A record to the Hostinger IP for limpadoraglobo.com.br in registro.br (registro.br = registry pages for Brazilian sites).

Then check, and remove, any AAAA records found there.

2 Likes

There are no AAAA records.

Ok, then the "other" names are resolving their AAAA records to your VPS IPv6 address.
There is not much you can do about their mistake.
hmm...
If it really bothers you, you could create an IPv6 vhost with their names and host a page that tells them they have reached the wrong server [because that domain owner has the wrong IPv6 address in their DNS].
OR
Just turn off IPv6 on your VPS [if you don't use it].

2 Likes

I will try this... seems like it will work.

The "support" from Hostinger says it's an nginx problem for my VPS, it's not their problem.

You are so intelligent... I just created cpanel.bydgames.net and done, the page is on my VPS :open_mouth:

2 Likes

Any clue about this? Is there a kind of page to inform about the wrong server by headers, or can I just write this in HTML?

Another question: is there a way they could get some kind of access to my VPS since I set cpanel for my IPv6?

A very simple text page will suffice.

No more than already available [via IP and your own names] - this should NOT increase your security risk at all.

1 Like

Hmm... actually my other page "limpadoraglobo.com.br" is now showing the content of cpanel.bydgames.net.

I don't understand why it started to happen.

Now I disabled cpanel.bydgames.net and limpadoraglobo.com.br is back to showing the right content.

Be sure all your sites have IPv6 enabled.

1 Like
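The symptom in the last few posts (the real site suddenly serving the "wrong server" vhost's content) and the fix given for it ("be sure all your sites have IPv6 enabled") both follow from how nginx chooses a server block: first by the address:port the connection arrived on, then by server_name, and if nothing matches, the default_server for that socket, or the first block declared for it. The model below is an added example written for this thread, not nginx's code or anything from the original posts; it reduces nginx's selection to those rules (regex server_names and longest-wildcard ordering are left out), and the vhost layout it simulates is an assumption: the real site listening on IPv4 only, and the newly added IPv6 notice block being the only thing on `[::]:80`.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Server:
    """One nginx server { } block, reduced to the fields that decide routing."""
    label: str
    listens: tuple            # (address, port) pairs this block has `listen` lines for
    server_names: tuple = ()
    default_server: bool = False


def name_matches(pattern, host):
    """server_name matching: exact, leading wildcard (*.example) or trailing (example.*)."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    if pattern.endswith(".*"):
        return host.startswith(pattern[:-1])
    return pattern == host


def select_server(servers, listen, host):
    """Block nginx would pick for a request arriving on `listen` with the given Host."""
    on_socket = [s for s in servers if listen in s.listens]
    if not on_socket:
        return None           # nothing listens there: the TCP connection is refused
    host = host.lower().rstrip(".")
    for s in on_socket:       # 1. exact server_name
        if host in s.server_names:
            return s
    for s in on_socket:       # 2. wildcard server_name (first match; nginx prefers longest)
        if any("*" in p and name_matches(p, host) for p in s.server_names):
            return s
    for s in on_socket:       # 3. explicit default_server for this address:port
        if s.default_server:
            return s
    return on_socket[0]       # 4. otherwise the first block declared for the socket


V4, V6 = ("0.0.0.0", 80), ("::", 80)

# Assumed layout at the moment the thread reports the symptom: the real site was
# configured before IPv6 was a concern and only listens on IPv4; the notice vhost
# for the stray names was added with an IPv6 listener only.
SITE = Server("limpadoraglobo", (V4,),
              ("limpadoraglobo.com.br", "www.limpadoraglobo.com.br"))
NOTICE = Server("wrong-server-notice", (V6,),
                ("cpanel.bydgames.net", "webmail.bydgames.net"))


def before_fix():
    return [SITE, NOTICE]


def after_fix():
    """Every site listens on both families; the notice block is the explicit IPv6 default."""
    site = Server(SITE.label, (V4, V6), SITE.server_names)
    notice = Server(NOTICE.label, (V6,), NOTICE.server_names, default_server=True)
    return [site, notice]


def route(servers, family, host):
    """Label of the block that serves Host `host` over IPv4 (4) or IPv6 (6), or None."""
    chosen = select_server(servers, V6 if family == 6 else V4, host)
    return None if chosen is None else chosen.label


if __name__ == "__main__":
    for layout, name in ((before_fix(), "before"), (after_fix(), "after")):
        for fam in (4, 6):
            for h in ("www.limpadoraglobo.com.br", "cpanel.bydgames.net", "other.bydgames.net"):
                print(f"{name:<6} IPv{fam} Host={h:<28} -> {route(layout, fam, h)}")
```

In the "before" layout any request that arrives over IPv6, whatever its Host header, lands on the only `[::]:80` block, which is why the real site showed the notice page; giving the site its own `[::]:80` listener restores exact-name matching, and marking the notice block `default_server` keeps unknown IPv6 names on the notice page on purpose rather than by accident.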

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.