Strange URL pointing to my web server (Security issue?)

sebinho

Hello, I run a small Joomla-based website on a DigitalOcean droplet running Arch Linux. Checking the web statistics I see there have been a number of accesses that use a strange URL (one I didn't register) that points to my server's IP. Is this something to be concerned about? If so, can people suggest what I might be able to do about it?
Thanks,
 


It would help if you shared the strange URLs, it's kind of hard to make guesses out of thin air.
 
And which web statistics are you talking about, web statistics you are running or elsewhere? Only thing I could think of is that maybe the previous owner of the IP you are using forgot to clean up the DNS entry, since when going to both domains you end up on the same website.
 
The nameservers for the domain are digitalocean.com nameservers; if you find it suspicious, contact the domain registrar of the domain or contact digitalocean.com, maybe they have an explanation.
Domain Name: varapp.co
Registry Domain ID: D2552E10E2A754592967911B4EA79C0B5-NSR
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: whois.godaddy.com
Updated Date: 2021-07-25T01:40:40Z
Creation Date: 2020-08-16T14:14:16Z
Registry Expiry Date: 2022-08-16T14:14:16Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: [email protected]
Name Server: ns1.digitalocean.com
Name Server: ns2.digitalocean.com
Name Server: ns3.digitalocean.com
 
The nameservers for the domain are digitalocean.com nameservers; if you find it suspicious, contact the domain registrar of the domain or contact digitalocean.com, maybe they have an explanation.
Thanks a lot, yes, I'll do that.
 
It looks more like scraping, as it's changing some of the text. It may even have been set up to use as a referrer so that they could try to attack your site - I get a ton of fake referrers in my logs. Why they'd set it up long-term I do not know. It's a good excuse to examine your site's security.

Anyhow, I agree with @f33dm3bits' conclusion. But, I'll add to it - make sure you frame it as a copyright issue, as the letters DMCA mean a whole lot to a hosting company. When I've seen a DMCA takedown notice (which has only happened a couple of times, thankfully), it has motivated me to respond in accordance with the laws as I understand them.

I did some digging and found this for you:


I'm sure there are others, should that one not be satisfactory.

Also, are you 100% positive that this isn't an earlier domain used by yourself or someone else involved in the project?
 
Also, are you 100% positive that this isn't an earlier domain used by yourself or someone else involved in the project?
Thanks very much for the information. Yes 100% sure. I have never used this domain name nor has anyone else in the projects.
 
It looks more like scraping, as it's changing some of the text. It may even have been set up to use as a referrer so that they could try to attack your site - I get a ton of fake referrers in my logs. Why they'd set it up long-term I do not know. It's a good excuse to examine your site's security.
Sorry but I'm not understanding. Where did you see changes in the text? Did you use some tool to find differences? Is varapp.co somehow a copy of my website or somehow filtering it? I'd thought the domain was simply pointing to my server. All the same, if this is so, I'm also not understanding how it can access my site's data, as escuta.org is set up as a virtual host on the server. I've checked the config files and I can't find anything strange there.
 
Where did you see changes in the text?

Wait, no... I was fooled by the counter being different. That doesn't change the steps you probably want to take. It's definitely copyright infringement.

To be clear, you don't have to file for copyright (unless you want to be able to sue for monetary damages) in most countries - as they follow the US system. Some countries are different. Instead, copyright is assumed at the moment of creation - the moment it's put to text/art/music. So, they're republishing your copyrighted material and that's what the DMCA takedown is good for - if you're in the US. If you're not in the US, you can still file it like a DMCA request as at least one party (Digital Ocean) is headquartered in the US.
 
So, they're republishing your copyrighted material and that's what the DMCA takedown is good for - if you're in the US. If you're not in the US, you can still file it like a DMCA request as at least one party (Digital Ocean) is headquartered in the US.
Thanks, but if I ping varapp.co and ping escuta.org I get the same ip address returned. So it's reading the same data from my server but publishing it under a different domain, correct?

EDIT:

varapp.co uses the same name servers as escuta.org, ie. the digitalocean name servers. Could it be that there is a server or droplet hosted by digital ocean set up with DNS that points to my server's IP? Since I've set up escuta.org as virtual host, I still don't understand how it could access my site's data, as it would need to have a custom virtual host configuration with the domain varapp.co on my server. Would it not? However I'm very much an amateur web hoster, so I'm probably very confused!
 
Thanks, but if I ping varapp.co and ping escuta.org I get the same ip address returned. So it's reading the same data from my server but publishing it under a different domain, correct?
It's loading the same webpage because you probably only have one virtualhost configured with the name escuta.org, and when a name is used to access the server that is not in a virtualhost, the default one is loaded. So in this case, because varapp.co is pointing towards the same IP as your domain name and you only have one virtualhost, that one is loaded as the default virtualhost.
 
When you register a domain name, you don't have to add name servers - you can point it to an existing domain. That could be what's going on. Pointing it at an existing domain is an option at every registrar I've ever used. It could be entirely accidental.
 
Yes, hopefully it's something accidental/innocent.
When you register a domain name, you don't have to add name servers - you can point it to an existing domain. That could be what's going on. Pointing it at an existing domain is an option at every registrar I've ever used. It could be entirely accidental.
So, are you suggesting that I remove the external name servers from my Domain registration (on hover.com) and have its own DNS settings point to my server's address?
 
It's loading the same webpage because you probably only have one virtualhost configured with the name escuta.org, and when a name is used to access the server that is not in a virtualhost, the default one is loaded. So in this case, because varapp.co is pointing towards the same IP as your domain name and you only have one virtualhost, that one is loaded as the default virtualhost.
I have 2 virtual hosts configured, escuta.org and rabeca.org
 
I have 2 virtual hosts configured, escuta.org and rabeca.org
It will load them in alphabetical order, so since varapp.co is not mentioned in either of your virtualhosts it will load the first one loaded, which is the default. In this case that would be escuta.org.
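The behaviour described above (first vhost loaded becomes the default for any unknown Host header) can be turned into a mitigation by adding a catch-all vhost that sorts first and serves nothing. This is an added example, not configuration from the thread; it assumes Apache httpd on Arch Linux with per-site files included from /etc/httpd/conf/extra/vhosts/ (path and file names are assumptions), and uses the thread's escuta.org and rabeca.org names only as the existing sites:

```apache
# /etc/httpd/conf/extra/vhosts/000-default.conf   (assumed path)
# The leading zeros make this file sort before escuta.org.conf and
# rabeca.org.conf, so it is loaded first and becomes Apache's default
# vhost for *:80. Any request whose Host header matches no other
# ServerName/ServerAlias (e.g. a foreign domain pointed at this IP)
# lands here instead of on the escuta.org site.
<VirtualHost *:80>
    # A name that can never match a real request; only the load order matters.
    ServerName default.invalid

    # Empty document root, separate logs so stray hostnames are easy to spot.
    DocumentRoot "/srv/http/empty"
    ErrorLog  "/var/log/httpd/default-vhost-error.log"
    CustomLog "/var/log/httpd/default-vhost-access.log" combined

    # mod_alias: answer every path with 404 rather than serving site content.
    Redirect 404 /
</VirtualHost>

# Existing sites keep their own files; shown here only to make the
# load order explicit (escuta.org.conf, rabeca.org.conf sort after 000-).
# /etc/httpd/conf/extra/vhosts/escuta.org.conf   (assumed path)
<VirtualHost *:80>
    ServerName  escuta.org
    ServerAlias www.escuta.org
    DocumentRoot "/srv/http/escuta.org"
</VirtualHost>

# The same applies on *:443: without a catch-all there, the first TLS vhost
# loaded answers unknown names with its own certificate (the "certificate
# isn't valid" effect seen from the other domain). A *:443 catch-all needs
# some certificate configured, so add one there as well if the site uses HTTPS.
```

After `apachectl configtest`, `apachectl -S` prints the vhosts per port in load order and names the default one; a request with a foreign Host header should then return 404 from the catch-all rather than the escuta.org pages.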
 
Yes, hopefully it's something accidental/innocent.

So, are you suggesting that I remove the external name servers from my Domain registration (on hover.com) and have its own DNS settings point to my server's address?

I don't think that'd change anything. They would still be pointed at the domain name.

Hmm... I notice that the certificate isn't valid at the spoofing/redirected domain.

This is what I'm thinking it might be:

(attached screenshot: 2022-04-20_14-12.png)
 
I don't think that'd change anything. They would still be pointed at the domain name.
yes
Hmm... I notice that the certificate isn't valid at the spoofing/redirected domain.

Yes, I had noticed that it was an insecure connection. So should I report to Godaddy that the URL is forwarding to a site that does not pertain to the registrant?
 