Who got hacked now?
We got an email from Google informing us that the company website had been hacked and was hosting "hacked" content.
1: why is Google referring to content as "hacked"?
2: is the company website OK?
3: have we been hacked?
4: what are we going to do about it?
1: This worried me, as that did not seem to be the language Google would use. But all the headers and links checked out as being real Google.
2: Loaded up my secure VM for web browsing and the main and secondary web sites seem fine. Closing the VM reverts it to the previous state.
3: The Google email is referring to a sub domain that I do not recognise BUT has a name the company might use. It was industry specific and extremely unlikely to have been generated randomly.
Visiting the sub domain showed a Ferrari image and references to e-book mirroring. Uh Oh!
4: Loaded up the web hosting admin panel. There is the sub domain, but all it has is a DNS record to redirect. It is not a web site with files we own or can get at.
Rang the hosting provider to ask when the DNS changed: no records are kept for sub domains! But they could tell me when the main domain had been updated, which was 9 months ago and not relevant, drat.
After some back and forth it became apparent that the DNS could only be changed by the user and the user had not changed the DNS. Mysterious ... and nobody claimed responsibility for creating the sub domain.
Deleted the sub domain but only after copying the DNS details. The IP pointed to Digital Ocean, a well known hosting provider that we have never used. I filled in their abuse feedback form.
Then I ran wget to mirror the dodgy site. Even though the DNS was deleted, the Digital Ocean server was still accepting Host headers.
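An added example, not part of the original post: the dangling record above would have shown up in a routine audit of the zone, so here is a small Python check that reads a DNS zone export (the sample zone, names and addresses are constructed, and the "owned" address ranges and approved CNAME targets are assumed inputs the company maintains) and flags any record pointing at an address or host outside the assets the company controls.

```python
import ipaddress

# Constructed sample zone export (made-up names and addresses); in practice
# this is the zone exported from the hosting admin panel.
ZONE_EXPORT = """
; apex and hosts we run ourselves
example.com.         3600 IN A     203.0.113.10
www.example.com.     3600 IN A     203.0.113.10
mail.example.com.    3600 IN A     203.0.113.20
cdn.example.com.          IN CNAME www.example.com.
; records nobody remembers creating
ebooks.example.com.  3600 IN A     198.51.100.77
demo.example.com.    3600 IN CNAME trial.some-vendor.invalid.
"""

RECORD_TYPES = {"A", "AAAA", "CNAME"}

def parse_zone(text):
    """Return (name, type, rdata) tuples; TTL and class fields are optional."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        # locate the record type so a missing TTL or class does not matter
        idx = next((i for i, f in enumerate(fields[1:], 1) if f in RECORD_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        records.append((fields[0], fields[idx], fields[idx + 1]))
    return records

def find_dangling_candidates(records, zone_apex, owned_cidrs, approved_targets):
    """Flag records whose target is outside the ranges/hosts we control."""
    owned = [ipaddress.ip_network(c) for c in owned_cidrs]  # assumed asset list
    findings = []
    for name, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            if not any(addr in net for net in owned):
                findings.append((name, rdata, "address outside owned ranges"))
        elif rtype == "CNAME":
            if not rdata.endswith("." + zone_apex) and rdata not in approved_targets:
                findings.append((name, rdata, "CNAME to unapproved third party"))
    return findings

if __name__ == "__main__":
    for name, target, reason in find_dangling_candidates(
            parse_zone(ZONE_EXPORT), "example.com.", ["203.0.113.0/24"], set()):
        print(f"{name} -> {target}: {reason}")
```

Any flagged record is either a forgotten trial or test pointer to be deleted, or a target someone can vouch for and add to the approved list.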
Fishing through the downloaded file I was surprised to find nothing. All the 30+ pages had the same non-content talking about e-book mirroring but having no actual e-books.
There was a "report DMCA" link that ended up at a Google form, so I reported that.
Conclusion: the hacker would monitor the site and, if undisturbed, would then populate it with whatever.
But then I searched on the text the hacker had used and what turned up was unexpected. The vast majority of results were host name checkers that had indexed domains with the hacker's text. Trying to visit the actual sites led to DNS errors and 404s.
But there were a couple still up and hosting ... the same ... nothing! Pages and pages of empty pages, no links, no files, no exploits or codes or anything obvious.
Conclusion: no idea ...
But now someone had a tiny memory that maybe that sub domain had been set up to point to a free trial of some software. Of course there were no details and it would have been ages ago, double drat!