Today's PSA to future self. Remember to delete the DNS entry when you destroy the Droplet. There are people actively looking for neglected subdomains to exploit. Like this place - http://138.197.164.85/sitemap.xml

@K_REY_C I'm not entirely sure. But what happened was they noticed a subdomain I had set up was pointing to it, and they registered a Let's Encrypt cert for it and registered it with Google Search properties. It looks to me like they're simply salting Google results for anyfreepdf.com.
I can't figure out how they made the association between the IP and the domain, though.

@K_REY_C They were really quick to jump on it, I shut the droplet down on 3/25 and the cert was created the same day.

@bcl Super interesting. Thanks for the explanation. It seems like a very strange attack vector.
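The thread above describes a dangling DNS record: the Droplet was destroyed, the IP went back into the provider's pool, but the A record still pointed at it. Whoever was allocated that IP next then controlled what answered for the subdomain, which is all Let's Encrypt's HTTP-01 validation requires, since the CA simply connects to whatever address the name resolves to. The script below is an added example written for this page (not code from the thread's participants) that audits a zone for exactly this condition: it follows in-zone CNAME chains, compares every resolved A/AAAA address against the set of addresses you currently hold, and flags records pointing elsewhere. The zone records and the owned-IP set are constructed sample data; in practice the second set would come from your provider's inventory API.

```python
"""Flag DNS A/AAAA records whose targets are not addresses you currently control.

Added example for this thread, not the participants' code. Zone and inventory
below are constructed sample data using documentation address ranges.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str   # fully-qualified owner name, with trailing dot
    rtype: str  # "A", "AAAA" or "CNAME"
    value: str  # IP literal for A/AAAA, target hostname for CNAME


# Constructed sample zone (hypothetical names, not real records).
ZONE = [
    Record("www.example.com.", "A", "203.0.113.10"),
    Record("api.example.com.", "A", "198.51.100.7"),
    Record("blog.example.com.", "CNAME", "api.example.com."),
    Record("old.example.com.", "A", "198.51.100.42"),   # droplet destroyed, record left behind
    Record("v6.example.com.", "AAAA", "2001:db8::1"),   # same problem over IPv6
    Record("cdn.example.com.", "CNAME", "d1234.cdn.invalid."),  # points outside the zone
]

# Constructed inventory of addresses currently assigned to your hosts.
# In practice, pull this from the cloud provider's API before each run.
OWNED_IPS = {"203.0.113.10", "198.51.100.7", "2001:db8::2"}

MAX_CNAME_DEPTH = 8  # guard against CNAME loops inside the zone


def resolve_in_zone(name, zone, depth=0):
    """Follow CNAMEs within the zone.

    Returns (set_of_ip_addresses, external_cname_target_or_None). A chain that
    leaves the zone yields an empty set plus the external target, so the caller
    can report it for manual review instead of silently ignoring it.
    """
    if depth > MAX_CNAME_DEPTH:
        return set(), None
    ips, cname = set(), None
    for r in zone:
        if r.name != name:
            continue
        if r.rtype in ("A", "AAAA"):
            ips.add(ipaddress.ip_address(r.value))
        elif r.rtype == "CNAME":
            cname = r.value
    if cname is None:
        return ips, None
    if any(r.name == cname for r in zone):
        return resolve_in_zone(cname, zone, depth + 1)
    return set(), cname


def audit(zone, owned_ips):
    """Return (dangling, external).

    dangling: {owner name: [ip literals not in owned_ips]}
    external: {owner name: CNAME target outside this zone}
    """
    owned = {ipaddress.ip_address(ip) for ip in owned_ips}
    dangling, external = {}, {}
    for name in sorted({r.name for r in zone}):
        ips, ext = resolve_in_zone(name, zone)
        unowned = sorted(str(ip) for ip in ips if ip not in owned)
        if unowned:
            dangling[name] = unowned
        if ext:
            external[name] = ext
    return dangling, external


if __name__ == "__main__":
    dangling, external = audit(ZONE, OWNED_IPS)
    for name, ips in dangling.items():
        print(f"DANGLING  {name} -> {', '.join(ips)} (delete or re-point this record)")
    for name, target in external.items():
        print(f"EXTERNAL  {name} -> {target} (confirm the target still belongs to you)")
```

Run it after every teardown, or on a schedule, and treat any DANGLING line as a record to delete immediately; the cert issuance in the thread happened the same day the Droplet was shut down, so a weekly review is too slow. The EXTERNAL list matters for the same reason: a CNAME to a decommissioned third-party hostname is the other common form of subdomain takeover.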

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.