2

Preface: mistakes were made and lessons were learned. I am willing to hear all criticisms.

I'm looking to find out what someone with more experience would do in an effort to figure out what happened here.

I got a notification from uptimerobot that my domain was down some time in the middle of the night- but it seemed to be back up less than hours later. I don't know if this is related or not.

I use SWAG (with crowdsec) in a docker host to self host some things (my domain points to my home WAN) and one of those things is a 301 redirect to a script on github I use often elsewhere. I do this so I can just easily wget and run my script without having to type in a long url.

When I get to it after waking up, I notice that my subdomain url is now pointing to a generic login page that looks like this: https://i.postimg.cc/Y9VnLwmF/image.png

The second thing I notice is that this is a connection to port 80, which doesnt make sense to me since SWAG is setup to forward everything on 80 to 443 over TLS...

I look at the source of this page, and there is no identifying information regarding vendor or company names, and the text that says "No plug-in detected" looks like a link, but doesnt seem to contain any kind of URL.

I did a bunch of reverse image searching but that didnt come up with much, later I find out this login page is almost EXACTLY the same as a hikvision camera, with the source clearly being the same syntax etc- I do not have any hikvision cameras, all of my cameras are reolink and on a seperate network with no internet.

I also searched for "login.asp" on the SWAG host, inside docker containers, and am unable to find a file named login.asp anywhere.

As far as I can see there are no indications of any compromise that I can find- I can't figure out where this data (the login page) was coming from, and it is not reproducible after restarting the box its hosted on in an isolated network and attempting to recreate it.

The nginx logs show the usual bombardment from bots, and I will say it looks like there are some brute force attempts that crowdsec was missing and I don't understand why nginx is returning a 200 for files/URIs that arent there for example when an external IP queries `GET /favicon.ico` and nginx returns a 200 even though I dont have one on disk...

I'm looking to find out what someone with more experience would do in an effort to figure out what happened here.

I am currently in the process of restoring backups and bringing as many things up from scratch as I can, of course after closing off all domains etc and my WAN IP is no longer the same.

thanks for reading...

you are viewing a single comment's thread
view the rest of the comments
[-] Kalkran@alien.top 2 points 1 year ago

If your site went down and you mention your IP has changed.. Is that not all that happened? Your domain pointed to your previous IP and someone who has Hikvision cameras exposed over port 80 got your old IP. If you know your previous IP you should be able to verify this relatively quickly.

[-] mmm_dat_data@alien.top 3 points 11 months ago

This is hilarious, I didn't even think of this as a possibility. I have a dynamic IP setup with the namecheap local app and my IP hasnt changed in years so I didn't even think of this.

I feel so dumb right now, but man I'm reeeeeally happy about it haha.

thanks!

EDIT- yes i remember my old IP and navigating to it shows the page I saw...

[-] CBITGuy@alien.top 3 points 11 months ago

Look ay dynamic DNS. It's how I monitor my home internet.

this post was submitted on 19 Nov 2023
2 points (100.0% liked)

Homelab

371 readers
2 users here now

Rules

founded 1 year ago
MODERATORS