I'm getting new version notifications for a domain I don't own, should I be concerned?
-
So I've been getting "an update is ready" notifications for a Joomla! site running on a domain I don't control. These come spoofed (on purpose) as coming from my own email. The redacted version is below.
Note: I get these from the Joomla! site I do control and maintain. They look identical except the domain information.
I've WHOIS'ed the domain, and it's protected. Assuming the domain registration is for one year, it was registered back in March. I know (after doing a credit check and a bank search) that I'm not paying for this domain.
I'm currently installing a sacrificial VM to check it out, but I'm pretty sure it's a parked domain.
Should I be concerned? Should I contact the abuse people? Or is this likely just somebody who mis-typed an email address? Am I just paranoid?
-
Your subconscious is called Admiral Benbo :)
-
@adynathos No, that's the one I do control. That's my site. But the domain name in the email is not admiralbenbo.org. I'm getting separate emails for updates on that site. That's why I'm confused.
And yes, that is my D&D setting's page. I'm a hopeless nerd.
-
@benjamin-hall said in I'm getting new version notifications for a domain I don't own, should I be concerned?:
Or is this likely just somebody who mis-typed an email address?
Please to us providing your email address for the verification purposes. We will to be having the correction in good time now.
-
@benjamin-hall said in I'm getting new version notifications for a domain I don't own, should I be concerned?:
But the domain name in the email is not admiralbenbo.org
The screenshot is from junction.com.
So looks like someone cloned your site?
The HTML is not identical though.
-
@adynathos said in I'm getting new version notifications for a domain I don't own, should I be concerned?:
@benjamin-hall said in I'm getting new version notifications for a domain I don't own, should I be concerned?:
But the domain name in the email is not admiralbenbo.org
The screenshot is from junction.com.
So looks like someone cloned your site?
The HTML is not identical though.
Ah...yeah. That's a copyright violation--that text is all (c) Me. Should I take it up with the registrar? Or what? Suggestions?
-
@benjamin-hall And that's relatively recent. I just published that worldbuilding article yesterday. They must have a bot that's scraping the page and pulling content (or something).
No clue why--there's no ads and virtually no traffic, so what's the point?
-
@benjamin-hall said in I'm getting new version notifications for a domain I don't own, should I be concerned?:
@adynathos said in I'm getting new version notifications for a domain I don't own, should I be concerned?:
@benjamin-hall said in I'm getting new version notifications for a domain I don't own, should I be concerned?:
But the domain name in the email is not admiralbenbo.org
The screenshot is from junction.com.
So looks like someone cloned your site?
The HTML is not identical though.
Ah...yeah. That's a copyright violation--that text is all (c) Me. Should I take it up with the registrar? Or what? Suggestions?
Send a DMCA notification to the domain owner through the protection service and if they don’t comply, contact the ISP. ;)
-
@kt_ I've now submitted DMCA takedown requests with the proxy and with google. Maybe they'll do something. If not, I'll try to find the ISP and take it up with them.
-
@benjamin-hall said in I'm getting new version notifications for a domain I don't own, should I be concerned?:
@kt_ I've now submitted DMCA takedown requests with the proxy and with google. Maybe they'll do something. If not, I'll try to find the ISP and take it up with them.
Google should react within a few days, but they’ll only remove the site from search results. Contacting the ISP is the most surefire way. Just Whois the IP address to get the email, usually that’s all you need.
-
@benjamin-hall it's weird they put your email as the administrator of the website.
I suspect they wanna trick you into logging in there, to steal your password.
-
@kt_ as far as I can tell, no email is listed in the WHOIS report. The offending IP is 198.105.254.228 which belongs to "Search Guide Inc" in Boulder, CO, but I can't seem to find the contact email.
-
Currently changing all my passwords for important stuff and resetting the router to factory (and updating it). It seems either I forgot the user name for the router admin panel or it was hijacked. In light of the recent hacks, I think I'm going to lock my credit as well.
-
@benjamin-hall and now, having changed my wifi password, I find I need to go buy one of those silly printer USB cables as I lost mine, and my printer is on WiFi.
-
@benjamin-hall said in I'm getting new version notifications for a domain I don't own, should I be concerned?:
@benjamin-hall and now, having changed my wifi password, I find I need to go buy one of those silly printer USB cables as I lost mine, and my printer is on WiFi.
Ah, should have let your devices know the wifi would be changing first. ;)
-
I'm looking at my server log and seeing tons of referrals from the spurious site. No clue why one would do such a thing, but...
-
@benjamin-hall said in I'm getting new version notifications for a domain I don't own, should I be concerned?:
I'm looking at my server log and seeing tons of referrals from the spurious site. No clue why one would do such a thing, but...
So they can... um... drive-by-infect people before sending them on their way to you?
Makes sense though, if you have hard links in your docs and not relative references.
-
If the email was sent to your address from Joomla, I can only think of two reasons that could happen:
- They're trying to phish you specifically for some reason
- They have a copy of your Joomla database and for some reason they installed it on a publicly accessible site
Of the two, the former seems more likely, but they're both pretty bizarre. I don't think anyone smart enough to exploit a database-dumping bug would be dumb enough to put that database on a live server. The question then is why do they care so much about you that they made a phishing site that only you would ever even try to log into?
-
@benjamin-hall said in I'm getting new version notifications for a domain I don't own, should I be concerned?:
@kt_ as far as I can tell, no email is listed in the WHOIS report. The offending IP is 198.105.254.228 which belongs to "Search Guide Inc" in Boulder, CO, but I can't seem to find the contact email.
$ whois 198.105.254.228 | grep @
OrgTechEmail:   noc@searchguideinc.com
OrgNOCEmail:    noc@searchguideinc.com
OrgAbuseEmail:  noc@searchguideinc.com
Given the genericness of the email, however, I wouldn't get your hopes up.
-
@pjh from other research, I'm pretty sure it's a SEO company that specializes in less... ethical... forms of manipulation.
I've black holed all referral traffic from that site and am looking at ways of blocking them entirely, but I'm no expert in that.
It's still kinda amusing--it seems to be the worst possible target. There's nothing of monetary value, no ads, no traffic. And my credentials there are completely separate from the hosting credentials and different from all my other credentials.
-
@benjamin-hall said in I'm getting new version notifications for a domain I don't own, should I be concerned?:
@kt_ as far as I can tell, no email is listed in the WHOIS report. The offending IP is 198.105.254.228 which belongs to "Search Guide Inc" in Boulder, CO, but I can't seem to find the contact email.
I don't think 198.105.254.228 is related to junction.com.
It's a consequence of an isp (? Time Warner Cable) hijacking unrecognised dns lookups and helpfully redirecting to a search engine that's hosted on 198.105.254.228.
For me at least www.junction.com resolves to 104.28.21.83 which is a cloudflare owned ip. Given that that's a CDN, you may well get a different IP - but still likely to be Cloudflare.
Cloudflare may be able to shed some light on this (they ought to know who they are serving content for).
If you go to the plain http version of www.junction.com there's a hosting provider placeholder page from www.siteground.com (who might also be worth complaining to).
Depending on how Joomla generates update notifications and how broken the process is (e.g. where they get the sitename and email address from and what triggers the notification), it crosses my mind that this whole thing might conceivably be accidental if someone has set up cloudflare as a CDN for the wrong IP address.
-
@japonicus thanks. siteground is my hosting provider, which makes things even stranger.
-
I opened a ticket with my hosting provider--they say it seems to be a misconfiguration on their end. They were actually quite responsive and supportive. 10/10, would recommend.
-
@benjamin-hall Resolved--I have no clue how it happened though. Here's their explanation:
Our admin team had to apply a special vhost for the domain to avoid this, as it appeared to just be loading the first vhost it found on the server, as it was not present here.
I presume that meant that the DNS lookup failed (since there was no actual domain registered there), Cloudflare or the hosting service was just grabbing the first host it found on that same server cluster and redirecting there instead. That seems to me to be a total if true.
-
@benjamin-hall said in I'm getting new version notifications for a domain I don't own, should I be concerned?:
@benjamin-hall Resolved--I have no clue how it happened though. Here's their explanation:
Our admin team had to apply a special vhost for the domain to avoid this, as it appeared to just be loading the first vhost it found on the server, as it was not present here.
I presume that meant that the DNS lookup failed (since there was no actual domain registered there), Cloudflare or the hosting service was just grabbing the first host it found on that same server cluster and redirecting there instead. That seems to me to be a total if true.
-
@benjamin-hall said in I'm getting new version notifications for a domain I don't own, should I be concerned?:
@benjamin-hall Resolved--I have no clue how it happened though. Here's their explanation:
Our admin team had to apply a special vhost for the domain to avoid this, as it appeared to just be loading the first vhost it found on the server, as it was not present here.
I presume that meant that the DNS lookup failed (since there was no actual domain registered there), Cloudflare or the hosting service was just grabbing the first host it found on that same server cluster and redirecting there instead. That seems to me to be a total if true.
It's the default behaviour for apache when serving a series of virtual hosts from the same server - I've been stung by it before. If the requested server name doesn't match any of the defined ones, then the first host in the list is used. I agree that's
I'm not sure if nginx does anything similar, it might.
Contrary to my previous post this probably isn't cloudflare's fault - it requested content for junction.com and was given your site instead.
The behaviour of Joomla is also a bit suspect - from your experience it appears to be happy to fill in the server name in the notification email without any sort of check that that's the address where it was meant to be running. I suspect that if one examined the updatenotifications code it would be a whole can of worms - but tempting as it is I'm not going to go there.
-
@japonicus said in I'm getting new version notifications for a domain I don't own, should I be concerned?:
@benjamin-hall said in I'm getting new version notifications for a domain I don't own, should I be concerned?:
@benjamin-hall Resolved--I have no clue how it happened though. Here's their explanation:
Our admin team had to apply a special vhost for the domain to avoid this, as it appeared to just be loading the first vhost it found on the server, as it was not present here.
I presume that meant that the DNS lookup failed (since there was no actual domain registered there), Cloudflare or the hosting service was just grabbing the first host it found on that same server cluster and redirecting there instead. That seems to me to be a total if true.
It's the default behaviour for apache when serving a series of virtual hosts from the same server - I've been stung by it before. If the requested server name doesn't match any of the defined ones, then the first host in the list is used. I agree that's
I'm not sure if nginx does anything similar, it might.
Contrary to my previous post this probably isn't cloudflare's fault - it requested content for junction.com and was given your site instead.
The behaviour of Joomla is also a bit suspect - from your experience it appears to be happy to fill in the server name in the notification email without any sort of check that that's the address where it was meant to be running. I suspect that if one examined the updatenotifications code it would be a whole can of worms - but tempting as it is I'm not going to go there.
That apache behavior does seem like a . I'm pretty sure it's running apache because the usual .htaccess rules work (I've set some up for a separate project on a subdomain).
As to the Joomla! code: It's PHP, it's sure to be a can of worms.
-
@japonicus said in I'm getting new version notifications for a domain I don't own, should I be concerned?:
It's the default behaviour for apache when serving a series of virtual hosts from the same server - I've been stung by it before. If the requested server name doesn't match any of the defined ones, then the first host in the list is used. I agree that's
I'm not sure if nginx does anything similar, it might.
Adding back in the "It works!" page as the first (and therefore, default) site to my nginx config now, just in case...
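The two posts above describe the root cause (an unmatched Host header falls through to the first-listed virtual host) and the fix (put a deliberately empty catch-all site first). The following is an added example, not code from this thread, from Apache, nginx or Joomla: a small Python model of name-based vhost selection that reproduces the leak with a constructed two-customer server, shows the catch-all absorbing the stray request, and renders the equivalent Apache configuration in the order that matters. The `site_url_for_email` helper is an assumption about how a CMS might build the site name in a notification; it is not Joomla's actual logic.

```python
# Added example (not from the thread, nor Apache/nginx/Joomla code): models
# name-based virtual-host selection to show why an unknown Host header lands
# on the first-listed site, and how a catch-all default vhost prevents it.
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class VHost:
    server_name: str                                # Apache ServerName / nginx server_name
    aliases: list = field(default_factory=list)     # ServerAlias entries (may use * wildcards)
    document_root: str = "/var/www/empty"


def normalise_host(host_header: str) -> str:
    """Host header as a comparable name: lower-case, no port, no trailing dot."""
    host = host_header.strip().lower()
    if host.startswith("["):                        # IPv6 literal such as [::1]:8080
        host = host[: host.index("]") + 1]
    else:
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def select_vhost(vhosts: list, host_header: str) -> VHost:
    """Apache's documented rule for name-based vhosts on one listener: the
    first vhost whose ServerName/ServerAlias matches Host wins; if none
    matches, the FIRST vhost in configuration order serves the request."""
    if not vhosts:
        raise ValueError("no virtual hosts configured")
    host = normalise_host(host_header)
    for vh in vhosts:
        for name in [vh.server_name, *vh.aliases]:
            if fnmatch(host, name.lower()):
                return vh
    return vhosts[0]                                # the silent fallback that leaked the site


def catch_all_vhost() -> VHost:
    """A deliberately empty default site with a name nobody will request.
    Listed first, it absorbs every unmatched Host instead of leaking a
    customer's site."""
    return VHost(server_name="default.invalid", aliases=[], document_root="/var/www/empty")


def apache_config(vhosts: list) -> str:
    """Render the equivalent Apache configuration; order is what matters,
    because the first <VirtualHost> block is the default."""
    blocks = []
    for vh in vhosts:
        lines = ["<VirtualHost *:80>", f"    ServerName {vh.server_name}"]
        if vh.aliases:
            lines.append("    ServerAlias " + " ".join(vh.aliases))
        lines.append(f"    DocumentRoot {vh.document_root}")
        lines.append("</VirtualHost>")
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks)


def site_url_for_email(configured_base: str, host_header: str) -> str:
    """Hypothetical CMS behaviour (an assumption, not Joomla's code): a site
    URL derived from the request's Host header inherits whatever name the
    stray request carried; a configured base URL does not."""
    if configured_base:
        return configured_base
    return "http://" + normalise_host(host_header) + "/"


# Constructed sample: a shared server holding two customers' sites.
SITES = [
    VHost("admiralbenbo.org", ["www.admiralbenbo.org"], "/home/benbo/public_html"),
    VHost("other-customer.example", [], "/home/other/public_html"),
]


def served_site(host_header: str, hardened: bool = False) -> str:
    """Which site's content a request with this Host header receives."""
    vhosts = [catch_all_vhost(), *SITES] if hardened else SITES
    return select_vhost(vhosts, host_header).server_name


if __name__ == "__main__":
    # A request for a name nobody configured (the thread's junction.com case)
    print(served_site("www.junction.com"))                    # admiralbenbo.org (leak)
    print(served_site("www.junction.com", hardened=True))     # default.invalid (absorbed)
    print(served_site("ADMIRALBENBO.ORG:80", hardened=True))  # admiralbenbo.org
    print(site_url_for_email("", "www.junction.com"))         # wrong name ends up in the mail
    print(apache_config([catch_all_vhost(), *SITES]))
```

The nginx equivalent of the catch-all is a first `server { listen 80 default_server; return 444; }` block (or any block carrying `default_server` on the `listen` line), which is what the "It works!" page placed first achieves implicitly. On the application side, the `site_url_for_email` helper illustrates why a CMS should take its public URL from configuration rather than from the Host header of whatever request happened to trigger the check.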
-
@benjamin-hall said in I'm getting new version notifications for a domain I don't own, should I be concerned?:
Am I just paranoid?
I am unsure. However: People think I'm insane because I am frowning all the time.
So...
-
@boomzilla said in I'm getting new version notifications for a domain I don't own, should I be concerned?:
People think I'm insane because I am frowning all the time.
I don't think that's the main reason.
-
@boomzilla said in I'm getting new version notifications for a domain I don't own, should I be concerned?:
@benjamin-hall said in I'm getting new version notifications for a domain I don't own, should I be concerned?:
Am I just paranoid?
I am unsure. However: People think I'm insane because I am frowning all the time.
So...
Well, maybe you should ask someone to help you occupy your brain.
Filed Under: Happiness, I cannot feel.