Some unknown A record has pointed to my server and is accessible, what trick is this?

SYSTEM INFORMATION
OS type and version: UBUNTU 18.04
Virtualmin version: 6.17-3

Today I got two Joomla update reminder emails from two unknown sites: https://qr.bonide.com and https://confrencemeet.com. When I open these two sites I find they look identical to my sites. At first I thought someone deep copied my site trying to phish my admin password, but when I checked the A records for the two URLs I surprisingly found out they are actually both pointing to the IP of my virtualmin server.

So why would someone do this? Does this mean my server is probably hacked or being targeted by hackers? http://bonide.com seems to be a genuine business site, should I contact the owner about this issue? Maybe they got hacked?

Apache serves the best match it can come up with for the URL given. If nothing matches it serves the first VirtualHost it finds in the configuration (on Ubuntu, this generally means the ASCII-betical first, since vhosts go in a bunch of files which are loaded in ASCII-betical order) but you can force it to pick one by sticking 00 in front of the name of the file, or whatever. Virtualmin can do this if you choose a domain to be your default domain.

You obviously have no control over what A records other people create. You could make some error site be the “default” site, instead of one of your actual sites, I guess, if it bugs you.

Why would you assume they got hacked? What would a hacker gain by pointing an A record at your site, instead of one of their own? Much more likely just that they used to have your IP and then didn’t remove the record when they moved to another or took the server down.

Why would you think that? I don’t see any reason to think a bogus A record is anything other than an oversight in this circumstance. You don’t hack someone’s DNS only to point the records at some random person’s web server. What good would that do an attacker?

Edit: All that said, if you see unusual URLs containing media or files or whatever in your access logs…that would be indicative of a hack. And, I guess you could maybe find some way to make random domains pointing to it be useful, maybe?
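The “make an error site the default” suggestion above, as an added example that is not from the original thread or from Virtualmin itself. It assumes Ubuntu’s stock layout (sites-available/sites-enabled, `${APACHE_LOG_DIR}`) and an assumed file name chosen so it sorts before every real vhost:

```apache
# /etc/apache2/sites-available/000-catchall.conf  (assumed file name)
#
# Apache uses the first VirtualHost loaded for a given address:port as
# the default. Because Ubuntu loads sites-enabled/ in ASCII order, the
# "000-" prefix makes this the vhost that answers any request whose
# Host header matches none of the real domains, e.g. a stray A record
# that still points at this server.
<VirtualHost *:80>
    # .invalid is reserved and can never be a real hostname.
    ServerName catchall.invalid

    # Log these hits on their own so unknown hostnames are easy to spot;
    # %{Host}i records the exact Host header the client sent.
    LogFormat "%h %t \"%r\" %>s \"%{Host}i\"" catchall
    CustomLog ${APACHE_LOG_DIR}/catchall_access.log catchall

    # Answer every path with 404 instead of serving one of the real
    # sites' content under the wrong name.
    RedirectMatch 404 ^/.*$
</VirtualHost>
```

Enable with `a2ensite 000-catchall`, check the result with `apache2ctl -S` (it labels the chosen default server), then reload Apache; an HTTPS request for an unknown name is still answered by the first *:443 vhost, so a matching catch-all on port 443 with its own certificate is needed if that matters to you.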


That’s free traffic, man. Enjoy!

