It’s 10pm, Do You Know Where Your Subdomains Are?

A few days ago I got a mention on Twitter by someone asking me to follow them so they can send me a DM. I did, so I got the following message:

Hi Gabor! Thanks for following.

Just to quickly introduce myself, I write about SSL and am currently doing research on the use of SSL certificates amongst phishing sites.

I've found a pattern of phishing pages hidden on otherwise legitimate sites, likely due to the site being compromised at some point in time.

I found a subdomain on your site that may fit my pattern:

paypal.javorszky.co.uk

I was curious if you were aware of the existence of this subdomain and its current content?

I had a hunch of what might have happened, but didn’t actually know, so I visited paypal.javorszky.co.uk. Turns out, it was a legitimate site that had absolutely nothing to do with me. If I remember correctly it was either an NGO, or an agricultural business. Doesn’t matter.

What does matter is, I did not set that site up. So why was my subdomain pointing there?

I’ve used that subdomain to spin up a testing site on WordPress that was publicly accessible so I could test checkout with PayPal and its IPN responses back when I was working on Subscriptions. Since I no longer needed that site, I deleted the Digital Ocean box that was housing it, and that was that.

What I didn’t do though, is remove the A record for the subdomain.

Digital Ocean recycles the IP addresses they have available, so the IP address that I was assigned to in the past got assigned to someone else as well, and hence my address pointed at their box.

Have you done your DNS housekeeping?

To check, visit this site:

https://crt.sh/?q=%javorszky.co.uk

Replace javorszky.co.uk with your own domain in the above, or visit the link and fill out the input box with %yourdomain.tld.

The % character is a wildcard. It will search for all the subdomains on your domain and return their SSL certificate status, if any.

There’s also one by Facebook: https://developers.facebook.com/tools/ct/

This has been a Public Service Announcement. Thank you, and good night!