Abusing the Past

by Buanzo

Disclaimer:  If you do evil shit with this information, I hope something really bad happens to you.  Information is free, but people are human.

In this day and age, there are mass scanning tools and several easy-to-query databases that make it a simple thing to find sites with vulnerabilities.

Hackers and other agents with all hat-colors use them every day to do their jobs.

I will present to you today a very simple technique that will, when certain special circumstances are met, allow you to scan the past for vulnerabilities.

When we want to have a website, we obtain a [sub]domain name, point it to some web hosting server's IP, and configure it to serve that website.  We also get DNS service somehow.  I am sure you've done this before, so I'll skip those details.  So now, "www.example.com" is running on Server A.

Yay, we've got a website!  By the way, it is Joomla or some other CMS like WordPress, etc.

The days/months/years pass, and we find ourselves needing to move the website to another server, for whatever reason (luckily, because we have so many visits, the old server can't handle them).  The new website is configured on the new server, the DNS is updated, and voilà, visits now arrive at the new server.



If we go to Netcraft and check some domain name using their tools, we might find the hosting history of a website.  Yes, www.example.com used to run on Server A, then Server B, now Server C!

And, wow, that's weird, the old servers are still up and running.

So, www.example.com might still be configured on one of those servers.  You know how hosting companies [don't] do their homework sometimes!

So an attacker could fire up a scanner, and by any means available, target www.example.com through the older IP addresses, and scan our old website(s), which, of course, we no longer keep updated (maybe not even the server, for that matter...).

And you know what outdated usually means: holes.  Lots of them.

And holes lead to lots of things: remote code execution, data exfiltration, resource control.

An Nmap NSE script could be written to scan some domain name's hosting history, and, essentially, abuse the past.


Check your hosting history.
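One way to run that check against your own domain, as an added example that is not part of the original article: it asks each former IP for the site twice, once with your domain in the Host header and once with a nonsense name, and flags servers that still answer your name differently.  The function names, verdict labels, plain-HTTP scope and sample addresses are assumptions; the list of former IPs comes from your own records or hosting history.

```python
import hashlib
import http.client
import uuid


def fetch(ip, host, port=80, timeout=5.0):
    """GET / from ip:port with an explicit Host header.
    Returns (status, sha256 of body) or None if the server did not answer."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.putrequest("GET", "/", skip_host=True)  # we set Host ourselves
        conn.putheader("Host", host)
        conn.putheader("Connection", "close")
        conn.endheaders()
        resp = conn.getresponse()
        return resp.status, hashlib.sha256(resp.read(65536)).hexdigest()
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def classify(named, control):
    """Compare the answer for our domain with the answer for a nonsense Host."""
    if named is None:
        return "unreachable"
    if named == control:
        return "default-site"   # server does not treat our name specially
    if named[0] < 400:
        return "stale-vhost"    # our domain is still configured on this server
    return "refused"            # name-specific error, no content served


def audit(domain, former_ips, port=80, fetch_fn=fetch):
    """Map each former IP of `domain` to a classify() verdict."""
    control = uuid.uuid4().hex + ".invalid"  # reserved TLD, cannot be a real vhost
    return {ip: classify(fetch_fn(ip, domain, port), fetch_fn(ip, control, port))
            for ip in former_ips}


if __name__ == "__main__":
    # Constructed sample input: documentation-range addresses standing in for
    # the old servers listed in your own hosting history.
    for ip, verdict in audit("www.example.com", ["192.0.2.10", "198.51.100.20"]).items():
        print(ip, verdict)
```

A default page that changes on every request hashes differently each time and will show up as "stale-vhost", so confirm any hit by looking at what the old server actually returns before asking the host to remove it.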

Don't say I did not warn you...