Accidental Ownage -- Exploiting forgotten services

Phil Behnke

Phil Behnke

5 min read

A funny thing happened to me the other day. I was setting up a new web server on a VPS. Actually it was this web server. I opted to go with Digital Ocean. As soon as I fired it up I noticed I was receiving some hits. While I thought it was odd, I just assumed some scanner got lucky and hit my IP. Not thinking much of it, I finished the setup and went to bed.

The next morning, I checked the logs and there was much more traffic than I expected since I just launched the site and had very little content. Some looked like typical spidering, but some of the traffic looked like legitimate users looking for content. Here's a snippet:


66.249.79.123 - - [02/Jul/2015:03:45:50 +0000] "GET /tag/highend HTTP/1.1" 301 - "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.79.110 - - [02/Jul/2015:03:45:51 +0000] "GET /tag/highend/ HTTP/1.1" 404 - "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.79.136 - - [02/Jul/2015:03:45:52 +0000] "GET /post/105780677027/barrydraws-let-it-snow-let-it-snow-let-it HTTP/1.1" 301 - "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.79.123 - - [02/Jul/2015:03:45:52 +0000] "GET /post/105780677027/barrydraws-let-it-snow-let-it-snow-let-it/ HTTP/1.1" 404 - "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
180.76.15.24 - - [02/Jul/2015:04:34:26 +0000] "GET / HTTP/1.1" 200 5506 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
180.76.15.150 - - [02/Jul/2015:04:35:06 +0000] "GET / HTTP/1.1" 200 5506 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
107.178.194.97 - - [02/Jul/2015:04:38:31 +0000] "GET / HTTP/1.1" 200 - "-" "Bridgy (http://brid.gy/about) AppEngine-Google; (+http://code.google.com/appengine; appid: s~brid-gy)"
66.249.79.136 - - [02/Jul/2015:05:38:15 +0000] "GET /robots.txt HTTP/1.1" 200 - "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.79.123 - - [02/Jul/2015:05:38:16 +0000] "GET /2015/google-maps-still-amazes-me-every-time-i-use-it HTTP/1.1" 301 - "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.79.136 - - [02/Jul/2015:05:38:16 +0000] "GET /2015/google-maps-still-amazes-me-every-time-i-use-it/ HTTP/1.1" 404 - "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
180.76.15.154 - - [02/Jul/2015:05:46:18 +0000] "GET / HTTP/1.1" 200 5506 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
180.76.15.141 - - [02/Jul/2015:05:46:56 +0000] "GET / HTTP/1.1" 200 5506 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
180.76.15.137 - - [02/Jul/2015:06:46:45 +0000] "GET /external/mediaelement/build/'+this.escapeHTML(a)+' HTTP/1.1" 301 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
180.76.15.147 - - [02/Jul/2015:06:46:46 +0000] "GET /external/mediaelement/build/'+this.escapeHTML(a)+'/ HTTP/1.1" 301 86 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
180.76.15.160 - - [02/Jul/2015:06:46:47 +0000] "GET /external/mediaelement/build/'+this.escapehtml(a)+'/ HTTP/1.1" 404 - "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
180.76.15.10 - - [02/Jul/2015:06:47:58 +0000] "GET / HTTP/1.1" 200 5506 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
180.76.15.151 - - [02/Jul/2015:06:48:45 +0000] "GET / HTTP/1.1" 200 5506 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
207.90.2.5 - - [02/Jul/2015:07:01:36 +0000] "GET / HTTP/1.0" 200 5506 "-" "=Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16"
198.58.102.117 - - [02/Jul/2015:07:03:33 +0000] "GET /?_t=rss HTTP/1.1" 200 - "-" "Superfeedr bot/2.0 http://superfeedr.com - Make your feeds realtime: get in touch - feed-id:425560942"
23.95.234.94 - - [02/Jul/2015:07:04:02 +0000] "GET /page/2 HTTP/1.0" 301 - "http://diiulio.org/" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"
23.95.234.94 - - [02/Jul/2015:07:04:03 +0000] "GET /page/2/ HTTP/1.0" 302 58 "http://diiulio.org/" "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0"

A lot of the requests look like requests to legitimate blog posts with URLs like "/2015/google-maps-still-amazes-me-every-time-i-use-it". However, that isn't a blog post I've made. This was all getting very strange. The last two entries caught my eye, with referrers from http://diiulio.org/. Not knowing what that was, I gingerly decided to check it out. What I saw next really got my attention...it was my site. What the actual fuck. Was someone copying my content? Not likely since I didn't have much. I decided to check out the whois on the domain:


Domain Name:DIIULIO.ORG
Domain ID: D171286606-LROR
Creation Date: 2014-03-04T01:26:37Z
Updated Date: 2015-07-03T06:38:13Z
Registry Expiry Date: 2016-03-04T01:26:37Z
Sponsoring Registrar:GoDaddy.com, LLC (R91-LROR)
Sponsoring Registrar IANA ID: 146
WHOIS Server:
Referral URL:
Domain Status: ok -- http://www.icann.org/epp#ok
Registrant ID:CR162359618
Registrant Name:Jeri DiIulio
Registrant Organization:
Registrant Street: REDACTED
Registrant City:Rock Island
Registrant State/Province:Illinois
Registrant Postal Code:61201
Registrant Country:US
Registrant Phone: REDACTED
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:[email protected]

Well this is surprising, legitimate whois info instead of a proxy registration. If this was something malicious I'd a think proxy registration would be used. And it appears diiulio is someone's last name. And two first names pop up: Jeri in the name field and Matt in the email. OK, so why is my site appearing in someone's old blog? Time to check the DNS:


phil@barbacoa:~$ dig diiulio.org

; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> diiulio.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- 1 56 58 299 512 2015 50831 opcode: query, status: noerror, id: ;; flags: qr rd ra; query: 1, answer: authority: 0, additional: opt pseudosection: ; edns: version: flags:; udp: question section: ;diiulio.org. in a answer diiulio.org. 104.236.218.139 query time: msec server: 8.8.8.8#53(8.8.8.8) when: thu jul 02 14:17:16 edt msg size rcvd: < code>

Bingo! That's the IP I got from Digital Ocean. So it looks like this guy used to have this IP at Digital Ocean, killed his server and forgot to update his DNS record. Luckily, using the whois information, I was able to track the owner down on Twitter and give him a heads up.

However, this begs another point. I could have easily taken control of his old site. And given the logs, it was receiving a decent amount of traffic. I wonder if this sort of thing has happened to others. With the decreasing amount of IPv4 address, this kind of situation may become more common. Particularly in shared environments like Digital Ocean.

Read more