Posted by zdw 2 days ago

When internal hostnames are leaked to the clown(rachelbythebay.com)
442 points | 250 comments | page 3
notpushkin 1 day ago|
https://archive.ph/siEdE
linhns 1 day ago||
Well somehow Rachel's website is not sending back any response now.
NitpickLawyer 2 days ago||
Not sure why they made the connection to sentry.io and not with CT logs. My first thought was that "*.some-subdomain." got added to the CT logs and someone is scanning *. with well-known hosts, of which "nas" would be one. Curious if they have more insights into sentry.io leaking and where it leaks to...
jraph 2 days ago||
That hypothesis seems less likely and more complicated than the sentry one.

Scanning wildcards for well-known subdomains seems both quite specific and rather costly for unclear benefits.

flexagoon 1 day ago||
Bots regularly try to bruteforce domain paths to find things like /wp-admin; bruteforcing subdomains isn't any more complicated.
jraph 1 day ago||
> Bots regularly try to bruteforce domain paths to find things like /wp-admin

Sure, when WordPress powers 45% of all websites, your odds to reach something by hitting /wp-admin are high.

The space of all the possible unknown subdomains is way bigger than a few well known paths you can attack.

imtringued 2 days ago|||
Because sentry.io is a commercial application monitoring tool which has zero incentive to do any kind of application monitoring on non-paying customers. That's just costs without benefits.

You now have to argue that a random third party is using and therefore paying sentry.io to do monitoring of random subdomains for the dubious benefit of knowing that the domain exists even though they are paying for something that is way more expensive.

It's far more likely that the NAS vendor integrated sentry.io into the web interface and sentry.io is simply trying to communicate with monitoring endpoints that are part of said integration.

From the perspective of the NAS vendor, the benefits of analytics are obvious. Since there is no central NAS server where all the logs are gathered, they would have to ask users to send the error logs manually which is unreliable. Instead of waiting for users to report errors, the NAS vendor decided to be proactive and send error logs to a central service.

rawling 2 days ago|||
I feel like the author would have noticed and said so if she was getting logs for more than just the one host.
A1kmm 2 days ago||
But she mentioned: 1) it isn't in DNS, only /etc/hosts, and 2) they are making a connection to it. So they'd need to get the IP address to connect to from somewhere as well.
jeroenhd 2 days ago|||
From the article:

> You're able to see this because you set up a wildcard DNS entry for the whole ".nothing-special.whatever.example.com" space pointing at a machine you control just in case something leaks. And, well, something *did* leak.

They don't need the IP address itself, it sounds like they're not even connecting to the same host.

bardsore 2 days ago|||
Unless she hosts her own cert authority or is using a self-signed cert, the wildcard cert she mentions is visible to the public on sites such as https://crt.sh/.
heipei 1 day ago||
Yes, the wildcard cert, but not the actual hostname under that wildcard.
ranger_danger 2 days ago||
Pennywise found my hostname? We're cooked.
defrost 2 days ago||
You're IT, I'm IT, We're all IT.
bonesss 2 days ago||
We all use floats down here.
ahoka 1 day ago||
For representing monetary values.
TeapotNotKettle 2 days ago||
Misconfigured clown - bad news indeed.
HocusLocus 1 day ago||
The Clown is my master

I've been chosen!

Eeeeeeeeeah!

cwillu 1 day ago||
Just getting 404 not found
rcakebread 1 day ago||
TIL Rachel uses a Mac.
audience_mem 1 day ago|
How do you know?
JSR_FDED 1 day ago||
Little Snitch?
dcrazy 2 days ago||
Slightly surprised that this blog seems to have succumbed to inbound traffic.
unsnap_biceps 2 days ago||
If you're on an apple device, disable private relay. It appears the blog has tar pitted private relay traffic.
bhaney 2 days ago||
It's tar pitting my normal unproxied residential traffic too
computerfriend 2 days ago||
Same, plus my VPN connection.
alyandon 1 day ago||
Same here too. Ironically, the blog is accessible over Tor for me.
that_lurker 2 days ago|||
Opens fine for me
urbandw311er 2 days ago||
“Works on my machine”
daveoc64 1 day ago||
Rachel has blogged quite a bit about blocking badly behaved RSS clients in recent years.

I'd link you to one of the articles if I wasn't blocked too, and my VPN wasn't also blocked!

lapcat 1 day ago||
> Rachel has blogged quite a bit about blocking badly behaved RSS Clients in recent years.

Unfortunately that blocking is buggy and overzealous.

I just gave up eventually and unsubscribed from the RSS feed.

ck2 1 day ago||
that's actually a great spy trap idea, no?

create an impossible internal hostname and watch for it to come back to you

you don't even need a real TLD if I am not mistaken, use .ZZZ etc

happyopossum 1 day ago|
> you don't even need a real TLD if I am not mistaken, use .ZZZ etc

if it's not a real TLD, you won't ever see the dns requests coming to you...

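The canary described in the quoted article and in ck2's comment above, as an added example (not code from the linked post or from any of the commenters): a wildcard A record under a zone you control answers for every label, so a leaked internal name hits your authoritative server regardless of what /etc/hosts says about it, which is jeroenhd's point about not needing the IP. This script scans the authoritative server's query log for names under the canary zone and reports which hostnames were looked up and by whom. All names, addresses and log lines are constructed for the example; the zone name is the placeholder quoted from the article, the log format is assumed to be BIND9's querylog, and the allow-lists are hypothetical. As happyopossum notes, the zone has to be a real, delegated domain; queries for a made-up TLD never reach you.

```python
"""
Wildcard-DNS canary: find internal hostnames that leaked to a third party.

Constructed example. Assumptions (hypothetical, not from the linked post):
  * the canary zone is nothing-special.whatever.example.com, served by a
    nameserver you run with a wildcard A record for *.<zone>;
  * that nameserver writes BIND9-style "querylog" lines;
  * names you resolve yourself and your own resolvers' addresses are
    listed below so they are not reported as leaks.
"""
import re
from collections import defaultdict

CANARY_ZONE = "nothing-special.whatever.example.com"

# Hostnames under the zone that you legitimately publish or resolve yourself.
ALLOWED = {"git.nothing-special.whatever.example.com"}

# Resolvers you operate; queries from them are expected traffic.
OWN_RESOLVERS = {"192.0.2.53"}

# Matches the "client <addr>#<port> (<name>): query: <name> IN <type>" part of a
# BIND9 querylog line, tolerating the optional "@0x..." client pointer.
QUERYLOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[^#\s]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def in_zone(name, zone=CANARY_ZONE):
    """True if name is the canary zone or any label beneath it."""
    name = name.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def parse_querylog(lines):
    """Yield (source_ip, qname, qtype) for each parseable query log line."""
    for line in lines:
        m = QUERYLOG_RE.search(line)
        if m:
            yield m.group("src"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def find_leaks(lines):
    """Return {leaked_hostname: sorted list of source IPs that queried it}."""
    leaks = defaultdict(set)
    for src, qname, _qtype in parse_querylog(lines):
        if not in_zone(qname):
            continue                      # not under the canary zone
        if qname in ALLOWED or src in OWN_RESOLVERS:
            continue                      # expected traffic
        leaks[qname].add(src)
    return {name: sorted(srcs) for name, srcs in leaks.items()}


# Constructed sample log: one query from our own resolver, two from an unknown
# host for "nas", one out-of-zone query, and one for an allowed name.
SAMPLE_LOG = [
    "12-Mar-2024 10:15:02.123 client @0x7f1a2c003e60 192.0.2.53#41552 "
    "(git.nothing-special.whatever.example.com): query: "
    "git.nothing-special.whatever.example.com IN A +E(0)K (203.0.113.10)",
    "12-Mar-2024 10:15:09.501 client @0x7f1a2c004120 198.51.100.7#4242 "
    "(nas.nothing-special.whatever.example.com): query: "
    "nas.nothing-special.whatever.example.com IN A +E(0)K (203.0.113.10)",
    "12-Mar-2024 10:15:09.777 client @0x7f1a2c004120 198.51.100.7#4242 "
    "(nas.nothing-special.whatever.example.com): query: "
    "nas.nothing-special.whatever.example.com IN AAAA +E(0)K (203.0.113.10)",
    "12-Mar-2024 10:16:30.004 client @0x7f1a2c0053a0 198.51.100.7#4243 "
    "(whatever.example.com): query: whatever.example.com IN A +E(0)K (203.0.113.10)",
    "12-Mar-2024 10:17:00.002 client @0x7f1a2c0061f0 203.0.113.99#3300 "
    "(git.nothing-special.whatever.example.com): query: "
    "git.nothing-special.whatever.example.com IN A +E(0)K (203.0.113.10)",
]

if __name__ == "__main__":
    for hostname, sources in find_leaks(SAMPLE_LOG).items():
        print(f"LEAK: {hostname} queried by {', '.join(sources)}")
```

On the sample log this reports only `nas.nothing-special.whatever.example.com`, queried from 198.51.100.7. The report tells you the name and who asked for it, not how it got out; pairing the source address with the connection logs on the wildcard target host is what distinguishes a crawler guessing "nas" from something phoning home with the full hostname.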
draw_down 1 day ago|
[dead]