Preface: mistakes were made and lessons were learned. I am willing to hear all criticisms.

I’m looking to find out what someone with more experience would do in an effort to figure out what happened here.

I got a notification from uptimerobot that my domain was down some time in the middle of the night, but it seemed to be back up less than hours later. I don’t know if this is related or not.

I use SWAG (with CrowdSec) on a Docker host to self-host some things (my domain points to my home WAN), and one of those things is a 301 redirect to a script on GitHub I use often elsewhere. I do this so I can just easily wget and run my script without having to type in a long URL.

When I get to it after waking up, I notice that my subdomain URL is now pointing to a generic login page that looks like this: https://i.postimg.cc/Y9VnLwmF/image.png

The second thing I notice is that this is a connection to port 80, which doesn’t make sense to me since SWAG is set up to forward everything on 80 to 443 over TLS…

I look at the source of this page, and there is no identifying information regarding vendor or company names, and the text that says “No plug-in detected” looks like a link, but doesn’t seem to contain any kind of URL.

I did a bunch of reverse image searching, but that didn’t come up with much; later I find out this login page is almost EXACTLY the same as a Hikvision camera’s, with the source clearly being the same syntax etc. I do not have any Hikvision cameras; all of my cameras are Reolink and on a separate network with no internet.

I also searched for “login.asp” on the SWAG host, inside the Docker containers, and am unable to find a file named login.asp anywhere.

As far as I can see there are no indications of any compromise that I can find. I can’t figure out where this data (the login page) was coming from, and it is not reproducible after restarting the box it’s hosted on in an isolated network and attempting to recreate it.

The nginx logs show the usual bombardment from bots, and I will say it looks like there are some brute force attempts that CrowdSec was missing, and I don’t understand why nginx is returning a 200 for files/URIs that aren’t there, for example when an external IP queries `GET /favicon.ico` and nginx returns a 200 even though I don’t have one on disk…

I’m looking to find out what someone with more experience would do in an effort to figure out what happened here.

I am currently in the process of restoring backups and bringing as many things up from scratch as I can, of course after closing off all domains etc., and my WAN IP is no longer the same.

thanks for reading…
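A small triage helper for the two log observations in the post (200s for paths that should not exist, and repeated login failures from one client). This is an added example, not code from the poster or from SWAG; the log lines are constructed in nginx's default combined format, and `KNOWN_PATHS` is a hypothetical list of paths the site is actually meant to answer.

```python
import re
from collections import Counter

# Constructed sample nginx access-log lines in the default "combined" format.
# Addresses, paths and timestamps are made up for illustration only.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2024:03:14:01 +0000] "GET /favicon.ico HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2024:03:14:02 +0000] "GET /login.asp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2024:03:14:03 +0000] "GET /myscript HTTP/1.1" 301 0 "-" "Wget/1.21"
198.51.100.7 - - [12/May/2024:03:15:00 +0000] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.7 - - [12/May/2024:03:15:01 +0000] "POST /login HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.7 - - [12/May/2024:03:15:02 +0000] "POST /login HTTP/1.1" 403 0 "-" "python-requests/2.31"
192.0.2.44 - - [12/May/2024:03:16:00 +0000] "GET /myscript HTTP/1.1" 301 0 "-" "curl/8.4"
"""

# Hypothetical: the paths this site is supposed to answer (fill in from the real config).
KNOWN_PATHS = {"/myscript"}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_log(text):
    """Parse combined-format lines into dicts; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            entries.append(e)
    return entries

def unexpected_200s(entries, known_paths):
    """Paths answered with 200 that are not on the list of paths the site should serve."""
    return sorted({e["path"] for e in entries
                   if e["status"] == 200 and e["path"] not in known_paths})

def auth_failure_bursts(entries, threshold=3):
    """Client IPs with at least `threshold` POSTs answered 401/403 (brute-force candidates)."""
    hits = Counter(e["ip"] for e in entries
                   if e["method"] == "POST" and e["status"] in (401, 403))
    return sorted(ip for ip, n in hits.items() if n >= threshold)

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("Unexpected 200s:", unexpected_200s(entries, KNOWN_PATHS))
    print("Auth-failure bursts:", auth_failure_bursts(entries))
```

Anything listed by `unexpected_200s` is worth tracing to the nginx `location` block or upstream that produced it, since a proxied backend answering for paths the host has no files for is one way a 200 can appear for a file that is not on disk.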