Preface: mistakes were made and lessons were learned. I am willing to hear all criticisms.

I’m looking to find out what someone with more experience would do in an effort to figure out what happened here.

I got a notification from uptimerobot that my domain was down some time in the middle of the night, but it seemed to be back up less than hours later. I don’t know if this is related or not.

I use SWAG (with crowdsec) in a Docker host to self-host some things (my domain points to my home WAN), and one of those things is a 301 redirect to a script on GitHub I use often elsewhere. I do this so I can just easily wget and run my script without having to type in a long URL.

When I get to it after waking up, I notice that my subdomain URL is now pointing to a generic login page that looks like this: https://i.postimg.cc/Y9VnLwmF/image.png

The second thing I notice is that this is a connection to port 80, which doesn’t make sense to me since SWAG is set up to forward everything on 80 to 443 over TLS…

I look at the source of this page, and there is no identifying information regarding vendor or company names, and the text that says “No plug-in detected” looks like a link, but doesn’t seem to contain any kind of URL.

I did a bunch of reverse image searching, but that didn’t come up with much. Later I find out this login page is almost EXACTLY the same as a Hikvision camera’s, with the source clearly being the same syntax etc. I do not have any Hikvision cameras; all of my cameras are Reolink and on a separate network with no internet.

I also searched for “login.asp” on the SWAG host, inside docker containers, and am unable to find a file named login.asp anywhere.

As far as I can see there are no indications of any compromise that I can find. I can’t figure out where this data (the login page) was coming from, and it is not reproducible after restarting the box it’s hosted on in an isolated network and attempting to recreate it.

The nginx logs show the usual bombardment from bots, and I will say it looks like there are some brute force attempts that crowdsec was missing. I also don’t understand why nginx is returning a 200 for files/URIs that aren’t there, for example when an external IP queries `GET /favicon.ico` and nginx returns a 200 even though I don’t have one on disk…

I am currently in the process of restoring backups and bringing as many things up from scratch as I can, of course after closing off all domains etc and my WAN IP is no longer the same.

thanks for reading…

  • Kalkran@alien.top · 2 upvotes · 1 year ago

    If your site went down and you mention your IP has changed… Is that not all that happened? Your domain pointed to your previous IP and someone who has Hikvision cameras exposed over port 80 got your old IP. If you know your previous IP you should be able to verify this relatively quickly.

    • mmm_dat_data@alien.top (OP) · 3 upvotes · 1 year ago

      This is hilarious, I didn’t even think of this as a possibility. I have a dynamic IP setup with the Namecheap local app, and my IP hasn’t changed in years, so I didn’t even think of this.

      I feel so dumb right now, but man I’m reeeeeally happy about it haha.

      thanks!

      EDIT: yes, I remember my old IP, and navigating to it shows the page I saw…

  • wwbubba0069@alien.top · 2 upvotes · 1 year ago

    “WAN IP is no longer the same”

    Then you do not have a static IP and this will happen again.

    You need to get something set up that will update your DNS records with your registrar when your IP changes. I use Cloudflare for mine like this vid https://www.youtube.com/watch?v=Nf7m3h11y-s

    or, pony up with your ISP for a static IP.

  • jaredearle@alien.top · 2 upvotes · 1 year ago

    Here’s what I think happened: Everything you see is something you did.

    The subdomain you host points to your IP … or at least it did. Your ADSL IP address has changed and your domain is now pointing at someone else’s IP as their ADSL has claimed it.

    Ping the subdomain and see the IP address. Now go to https://whatismyipaddress.com/ and see what your IP address is. They’re different now, right?
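Added example (written for this page, not code from any poster in the thread): a small Python check that does what Kalkran and jaredearle describe, and that could run on a timer to catch the situation wwbubba0069 warns about. It resolves the subdomain, asks an outside service for the address the world currently sees for you, and flags the record as stale when they differ; only when the record is still yours does it probe port 80 and confirm it answers with a redirect to https, which is the behaviour the poster expected from SWAG. The `https://api.ipify.org` lookup is an assumption (any plain-text "what is my IP" endpoint works); `files.example.net` and the 203.0.113.x addresses in the demo are constructed, and the `diagnose`/`Verdict` names are this example's own.

```python
"""Stale-DNS and port-80 sanity check for a self-hosted domain (added example)."""
import http.client
import ipaddress
import socket
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass
class Verdict:
    hostname: str
    dns_ip: str
    wan_ip: str
    stale: bool                        # the record still carries an address you no longer hold
    port80_redirects: Optional[bool]   # None when the probe was skipped or failed


def resolve_a(hostname: str, resolver: Callable[[str], str] = socket.gethostbyname) -> str:
    """Return the A record the resolver hands out; reject anything that is not an IP."""
    ip = resolver(hostname)
    ipaddress.ip_address(ip)  # raises ValueError on garbage
    return ip


def current_wan_ip(fetch: Optional[Callable[[], str]] = None) -> str:
    """Ask an external service which address your traffic arrives from.
    Assumption: api.ipify.org returns the caller's address as plain text."""
    if fetch is None:
        def fetch() -> str:
            with urllib.request.urlopen("https://api.ipify.org", timeout=5) as r:
                return r.read().decode().strip()
    ip = fetch()
    ipaddress.ip_address(ip)
    return ip


def dns_is_stale(dns_ip: str, wan_ip: str) -> bool:
    """True when the published record and the live WAN address disagree."""
    return ipaddress.ip_address(dns_ip) != ipaddress.ip_address(wan_ip)


def probe_port80(hostname: str) -> Tuple[int, Optional[str]]:
    """One plain-HTTP GET without following redirects; returns (status, Location)."""
    conn = http.client.HTTPConnection(hostname, 80, timeout=5)
    try:
        conn.request("GET", "/", headers={"Host": hostname})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def redirects_to_https(status: int, location: Optional[str], hostname: str) -> bool:
    """A front end that forwards 80 to 443 answers with a 301/308 to https://<same host>."""
    if status not in (301, 308) or not location:
        return False
    return location.lower().startswith(f"https://{hostname.lower()}")


def diagnose(hostname: str,
             resolver: Callable[[str], str] = socket.gethostbyname,
             wan_lookup: Callable[[], str] = current_wan_ip,
             probe: Callable[[str], Tuple[int, Optional[str]]] = probe_port80) -> Verdict:
    """Compare DNS with the live WAN address; judge port 80 only if the host is yours."""
    dns_ip = resolve_a(hostname, resolver)
    wan_ip = wan_lookup()
    stale = dns_is_stale(dns_ip, wan_ip)
    redirects: Optional[bool] = None
    if not stale:
        try:
            status, location = probe(hostname)
            redirects = redirects_to_https(status, location, hostname)
        except OSError:
            redirects = None
    return Verdict(hostname, dns_ip, wan_ip, stale, redirects)


if __name__ == "__main__":
    # Constructed demo: the record still says 203.0.113.10, but the ISP now hands us .11.
    v = diagnose("files.example.net",
                 resolver=lambda h: "203.0.113.10",
                 wan_lookup=lambda: "203.0.113.11",
                 probe=lambda h: (200, None))
    if v.stale:
        print(f"{v.hostname} resolves to {v.dns_ip} but your WAN address is {v.wan_ip}: "
              "update the record (or your DDNS client) before trusting anything it serves")
    else:
        print(f"{v.hostname} is yours; port 80 redirects to https: {v.port80_redirects}")
```

Run it without the fake callables and it performs real lookups; a stale verdict means whatever answers at the subdomain now is someone else's host, so nothing it serves (a login page, a certificate, a script you wget) should be treated as your own.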

  • disguy2k@alien.top · 2 upvotes · 1 year ago

    Hikvision makes the cameras for many other brands. They default to serving their web UI on port 80. It’s probably getting roped into your reverse DNS somehow.

    Try the default Hikvision login admin, 12345/admin to see if you can change the UI port