Petty revenge

Revenge is a dish best served spitefully

Gather round for a silly and petty story of one man's fight against spam

So I was checking the logs of one of my web servers and I saw masses of spam from a series of similar domains. My backend web server, the screen session it was running in and my DB were down but my Nginx reverse proxy was alive. This made me panic and start going through incident response assuming I’d been hacked and that my server was being used as some kind of C2 given all the weird traffic I was seeing in my logs.

I proceeded to quickly scp all logs and history files to my local PC where I combed through them. I checked running processes, recently altered files, double-checked all service confs. But all to no avail…

I logged in to my email that I use for this web server’s hosting and saw a message from Linode that the physical box had gone down and had had to undergo an emergency repair.

This explained why only the Nginx proxy was up. Out of all my services it was the only one running under a systemd service. So it naturally came back up after the outage and the others obviously didn’t. (As this is my personal site I don’t think I’m going to configure any other auto scripts for the DB or backend web server but I might if this keeps happening.) This also explained why I couldn’t find any signs of intrusion other than the weird web error logs.

I contacted Linode just in case there was something going on here that I wasn’t aware of but no. The outage had nothing to do with this as I suspected.

After reaching out to the site owners who were pointing their domains at my site and receiving no response, my Nginx config now has the following lines added:

# Spam spam spam!

server {
    listen 80;
    listen [::]:80;

    # Spam domain names.
    server_name thoughtfulpet.com thoughtfulpet.co.uk thoughtfulpetfoodstore.com thoughtfulpets.com;

    # Redirect the spam to somewhere appropriate...
    return 301 https://www.youtube.com/watch?v=dQw4w9WgXcQ;
}

server {
    # Note: without the "ssl" parameter and an ssl_certificate/ssl_certificate_key
    # pair this block answers plain HTTP on port 443, so HTTPS clients will fail
    # the TLS handshake before ever seeing the redirect.
    listen 443;
    listen [::]:443;

    # Spam domain names.
    server_name thoughtfulpet.com thoughtfulpet.co.uk thoughtfulpetfoodstore.com thoughtfulpets.com;

    # Redirect the spam to somewhere appropriate...
    return 301 https://www.youtube.com/watch?v=dQw4w9WgXcQ;
}

7 Likes

Can you please share some examples?

Interesting approach to this…

They knew the rules, but unfortunately for them, so did you :smiling_imp:

3 Likes

I already did :wink: They’re all in the config I posted. I got the list by cat-ing my logs and grep-ing for thoughtful.

It was when I saw " /database-backup.tar " that I really started panicking :joy:

1 Like
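An added example (not the OP's code or anyone else's in this thread) that does the log check from the first post and the "grep for thoughtful" above a bit more systematically: count requests whose Host is not one of your own names, and flag stray-host requests for probe-like paths such as the /database-backup.tar one. It assumes an Nginx log_format that writes $host as the first field (the default "combined" format does not record it), an allowlist of your own hostnames, and constructed log lines using documentation IP ranges.

```python
import re
from collections import Counter

# Assumed nginx log_format (not the default "combined", which omits $host):
#   log_format vhost '$host $remote_addr [$time_local] "$request" $status';
# Constructed sample lines; addresses are from documentation ranges.
SAMPLE_LOG = """\
example.org 203.0.113.5 [10/Oct/2023:10:00:01 +0000] "GET / HTTP/1.1" 200
thoughtfulpet.com 198.51.100.7 [10/Oct/2023:10:00:02 +0000] "GET /database-backup.tar HTTP/1.1" 404
thoughtfulpets.com 198.51.100.7 [10/Oct/2023:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404
example.org 203.0.113.9 [10/Oct/2023:10:00:04 +0000] "GET /about HTTP/1.1" 200
thoughtfulpet.co.uk 198.51.100.8 [10/Oct/2023:10:00:05 +0000] "GET / HTTP/1.1" 404
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<addr>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3})$'
)

# Path fragments that usually mean a scanner, not a real visitor.
PROBE_MARKERS = ("backup", "wp-login", ".tar", ".sql")


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def stray_hosts(log_text, allowed):
    """Count requests per Host header that is not one of our own names.
    The Host value is client-supplied, so treat it as untrusted data."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["host"].lower() not in allowed:
            counts[rec["host"].lower()] += 1
    return counts


def suspicious_paths(log_text, allowed):
    """List (host, path) for stray-host requests that look like probes."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["host"].lower() in allowed:
            continue
        parts = rec["req"].split(" ")
        path = parts[1] if len(parts) > 1 else ""
        if any(marker in path for marker in PROBE_MARKERS):
            hits.append((rec["host"], path))
    return hits
```

Run it against your real access log once $host is in the format; anything in the stray-host counts is a candidate for a catch-all server block rather than a per-domain entry.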

Domains are all registered around the same time in 2014, so maybe someone just forgot to change/turn off their DNS.
All of those domains used to 301 to what appears to be a still-functional, malware-free Wix website at thoughtfulpets.co.uk

Maybe you could be nice and redirect there or try and contact them there on the “official” website :wink:

1 Like

Yeah, what OP did seemed unnecessarily spiteful. Not everyone is a tech nerd and replies within 5 minutes.

And what had he done? Principle… my sandbox and my toys. :wink:

Yeah, not much but s/he sure spent a lot of time on this. Anyway, I shouldn’t judge.

1 Like

This seems to have been some SEO attempt from a previous incarnation of the website, pre-Wix, that’s since been abandoned.


What would be a good http cat to use here: 410?

so maybe someone just forgot to change/turn off their DNS.

Nope. This has been my static IP for over a year and I’ve only seen this traffic in the last couple of weeks.

Maybe you could be nice and redirect there or try and contact them there on the “official” website

I did as per the original post.

Also, in response to the 5 mins comment from @human_urostor, I waited a while before giving up and even now I still have no response.

I strongly suspect this is a domain squatter but I reached out to the original website anyway. And quite frankly, Rick Astley is the least offensive thing I could have redirected them to given the plethora of related unsuitable options. Although this post is primarily a joke at my expense, I did think that it would be a useful experience to share not only from a basic incident response side but also what to do if a domain squatter/very lazy admin is filling up your logs.

But anyway… this was supposed to be a light-hearted joke aimed almost entirely at myself. So please don’t take any of this too seriously :wink:

2 Likes

The title is desperately missing a food pun involving spam

3 Likes