Topic: Untrusted site?

DR M
Untrusted site?
« on: May 19, 2017, 11:50:53 AM »
Hello!!

I'm trying to get into my team's website (https://anorthosis24.net/) and I'm getting this warning for untrusted site (see attachment).

It's the first time this is happening and I find it strange.

Would it be a problem to continue or the page has been hacked or something similar?

''There is no happiness where there is no wisdom...'' (Sophocles, Antigone)

satrow
Re: Untrusted site?
« Reply #1 on: May 19, 2017, 11:56:28 AM »
The address redirects to https://codingninjas.io, which is the name on the certificate.

It could well be a hijack.

DR M
Re: Untrusted site?
« Reply #2 on: May 19, 2017, 12:00:46 PM »
Quote
The address redirects to https://codingninjas.io, which is the name on the certificate.

It could well be a hijack.

I ... got a little scared when I clicked on the address above, seeing the clock counting down!

What do you mean that it redirects to that page? Can you please give me some more info? I don't see any redirection.

''There is no happiness where there is no wisdom...'' (Sophocles, Antigone)

MikeW
Re: Untrusted site?
« Reply #3 on: May 19, 2017, 12:49:58 PM »
I tried the link and got this message

There is a problem with this website’s security certificate.

Could be the certificate is out of date
Win 7 Home Premium  IE11 MSE Mbam Pro

satrow
Re: Untrusted site?
« Reply #4 on: May 19, 2017, 01:18:06 PM »
As soon as you temporarily accept the 'bad' certificate at https://anorthosis24.net/, you are redirected to https://codingninjas.io/

It's not a bad date on the cert., it's that the ownership doesn't match the name on the 'new' cert.

Has the domain expired and been bought by someone else?
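A defender-side check for the situation satrow describes above, added here as an example (not code from the thread or from any tool named in it): it takes the certificate dict that Python's `ssl` module returns for a server, and reports whether the browser warning would come from a name mismatch (the cert is issued to a different host) or from the validity dates. The `fetch_peer_cert` helper, the sample certificate values and the dates are assumptions constructed for the example.

```python
import socket
import ssl
import time

def cert_names(cert):
    """DNS names the certificate claims: SAN entries, else subject commonName.
    `cert` has the dict shape returned by ssl.SSLSocket.getpeercert()."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(v for k, v in rdn if k == "commonName")
    return names

def name_matches(hostname, pattern):
    """Exact match, or a single leading '*.' label (RFC 6125 style)."""
    hostname, pattern = hostname.lower(), pattern.lower()
    if pattern.startswith("*."):
        return (hostname.count(".") == pattern.count(".")
                and hostname.endswith(pattern[1:]))
    return hostname == pattern

def diagnose(hostname, cert, now=None):
    """Return ("OK", "") or ("WARN", reasons) for the name the user typed."""
    now = time.time() if now is None else now
    problems = []
    names = cert_names(cert)
    if not any(name_matches(hostname, n) for n in names):
        problems.append("name mismatch: certificate is for "
                        + (", ".join(names) or "(no DNS names)"))
    if "notAfter" in cert and ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("expired on " + cert["notAfter"])
    if "notBefore" in cert and ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append("not valid before " + cert["notBefore"])
    return ("WARN", "; ".join(problems)) if problems else ("OK", "")

def fetch_peer_cert(hostname, port=443, timeout=5):
    """Live helper (assumed, not from the thread): disable hostname checking but
    keep chain verification, so a name mismatch still yields a parsed cert;
    an untrusted or self-signed chain raises ssl.SSLError instead."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

# Constructed sample mirroring the thread: the user asked for anorthosis24.net
# but the served certificate names codingninjas.io (dates are invented here).
SAMPLE_CERT = {
    "subject": ((("commonName", "codingninjas.io"),),),
    "subjectAltName": (("DNS", "codingninjas.io"), ("DNS", "www.codingninjas.io")),
    "notBefore": "May 01 00:00:00 2017 GMT",
    "notAfter": "Aug 01 00:00:00 2017 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("May 19 12:00:00 2017 GMT")   # thread date
SAMPLE_LATER = ssl.cert_time_to_seconds("Sep 01 00:00:00 2017 GMT")  # after expiry

if __name__ == "__main__":
    print(diagnose("anorthosis24.net", SAMPLE_CERT, SAMPLE_NOW))
```

Against the sample, the typed name gets a "name mismatch" verdict while the name on the certificate passes, which is the distinction between a hijacked or misconfigured host and a merely expired certificate.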


satrow
Re: Untrusted site?
« Reply #5 on: May 19, 2017, 01:31:18 PM »
This is outside of my comfort zone, so I used Nirsoft's DomainHostingView to gather some info (I really don't understand much of the output below but my gut feeling is a hack):

Quote
Domain report for anorthosis24.net
Created by using DomainHostingView

Summary Information
Domain is registered with godaddy.com
Domain is registered to Domains By Proxy, LLC
This domain is protected by privacy service, so you don't see the real registrant name.
Web site is hosted by Server Block, Germany
Mail Server is hosted by Google Inc., USA - California
Domain Name Server (DNS) is hosted by Cloudflare, Inc., USA - California
Domain was created on 12/09/2012
Domain expires on 12/09/2017
This domain uses the Gmail service of Google to send and receive emails.
Web server string: nginx
Mail server string: 220 mx.google.com ESMTP n123si10026013wmn.77 - gsmtp
DNS Records
Type  Host Name                                     IP Address      Section  More Data
NS    cortney.ns.cloudflare.com                     173.245.58.87   Answer
NS    zod.ns.cloudflare.com                         173.245.59.250  Answer
MX    alt3.aspmx.l.google.com                       74.125.203.26   Answer   Preference: 10
MX    alt4.aspmx.l.google.com                       74.125.28.26    Answer   Preference: 10
MX    alt1.aspmx.l.google.com                       64.233.164.26   Answer   Preference: 5
MX    aspmx.l.google.com                            74.125.133.26   Answer   Preference: 1
MX    alt2.aspmx.l.google.com                       74.125.130.26   Answer   Preference: 5
A     anorthosis24.net                              148.251.128.211 Answer
SOA   cortney.ns.cloudflare.com                     173.245.58.87   Answer   Admin: dns.cloudflare.com, Default TTL: 3600, Expire: 604800, Refresh: 10000, Retry: 2400, Serial: 2024685615
TEXT  -                                             -               Answer   google-site-verification=1fMv3Pklkq1PnSDGXh9j22lK9k_5jprgvRqLy2m-0rg
TEXT  -                                             -               Answer   v=spf1 include:mailgun.org ~all
PTR   cortney.ns.cloudflare.com                     173.245.58.87   Answer
PTR   zod.ns.cloudflare.com                         173.245.59.250  Answer
PTR   th-in-f26.1e100.net                           66.102.12.26    Answer
PTR   pc-in-f26.1e100.net                           66.102.12.26    Answer
PTR   lf-in-f26.1e100.net                           66.102.12.26    Answer
PTR   wo-in-f26.1e100.net                           66.102.12.26    Answer
PTR   sb-in-f26.1e100.net                           66.102.12.26    Answer
PTR   static.211.128.251.148.clients.your-server.de 148.251.128.211 Answer

IP Addresses Information
Web Server: 148.251.128.211, Germany. Network HETZNER-RZ-BLK-ERX2, owner Server Block, range 148.251.0.0 - 148.251.255.255 (148.251.0.0/16). Contact: Hetzner Online GmbH - Contact Role, Hetzner Online GmbH, Industriestrasse 25, D-91710 Gunzenhausen, Germany; email ripe@hetzner.de, abuse abuse@hetzner.de, phone +49 9831 505-0, fax +49 9831 505-3. Whois source: RIPE NCC.
Mail Server: 74.125.133.26, USA - California. Network GOOGLE, owner Google Inc., range 74.125.0.0 - 74.125.255.255 (74.125.0.0/16). Contact: Google Inc., 1600 Amphitheatre Parkway, Mountain View; email arin-contact@google.com, abuse network-abuse@google.com, phone +1-650-253-0000. Whois source: ARIN.
Domain Name Server: 173.245.58.87, USA - California. Network CLOUDFLARENET, owner Cloudflare, Inc., range 173.245.48.0 - 173.245.63.255 (173.245.48.0/20). Contact: Cloudflare, Inc., 101 Townsend Street, San Francisco; email admin@cloudflare.com, abuse abuse@cloudflare.com, phone +1-650-319-8930. Whois source: ARIN.


Digerati
Re: Untrusted site?
« Reply #6 on: May 19, 2017, 03:15:43 PM »
FTR, I get similar errors with FF, IE and Chrome as well as PM. That domain report says it expires 12/09/2017 so it is not it.

I would ask the person on your team who registered the domain with GoDaddy to contact GoDaddy to see if they can help.
Bill (AFE7Ret)
Freedom is NOT Free!
2007 - 2018

DR M
Re: Untrusted site?
« Reply #7 on: May 19, 2017, 06:02:44 PM »
Thanks for all this information!

Yes, it's probably a hack. A member of the team's council said on the radio that they are trying to fix the problem. What a mess... My question is, how can a site get into such a trouble? Whose fault is it?
''There is no happiness where there is no wisdom...'' (Sophocles, Antigone)

satrow
Re: Untrusted site?
« Reply #8 on: May 19, 2017, 06:20:17 PM »
If it was hacked then it most probably happened via an unpatched vulnerability in a software/plugin used to create/host the site.

MikeW
Re: Untrusted site?
« Reply #9 on: May 20, 2017, 08:02:35 AM »
Link is working fine now
Win 7 Home Premium  IE11 MSE Mbam Pro

DR M
Re: Untrusted site?
« Reply #10 on: May 20, 2017, 10:05:33 AM »
Quote
Link is working fine now

Yes. It's OK now.  :)
''There is no happiness where there is no wisdom...'' (Sophocles, Antigone)

Digerati
Re: Untrusted site?
« Reply #11 on: May 20, 2017, 12:49:54 PM »
Quote
My question is, how can a site get into such a trouble? Whose fault is it?
I am glad it is sorted out now.

As for "how" and "who", without knowing "what" was wrong and "what" they did to fix it, we cannot tell how it happened or who was at fault. I agree with satrow it sure could have been an unpatched vulnerability at the core, but then what? Did a bad guy exploit it? Or did some security feature suddenly discover it? I mean it seems likely an unpatched vulnerability was probably there for a while, so why the error now?

Or maybe the site software was just upgraded/revised and a new exposed vulnerability was introduced, or the certificate information was changed for some reason and not properly updated where needed.

Again, without knowing what was wrong, we cannot tell.

Perhaps the site admin was not careful with the password or used a weak password and it was hacked that way to be malicious, or just mischievous.

My guess is, you will never know what happened, how it happened or who did it.
Bill (AFE7Ret)
Freedom is NOT Free!
2007 - 2018