So the big news this month in the world of top-level domains was the release of .zip. There was a lot of talk online about how malicious actors would only use this TLD for phishing campaigns.
I had 15 dollars to burn and an experiment in mind, so I went on Google Domains and purchased a .zip domain with a very common name. I'm not going to disclose the name, since doing so would skew the future results of this experiment, but I wanted to share what I found.
This is more than just a blank domain with nothing on it. I programmed it to return a 200 response to every request, with a payload that varies by endpoint. I did this so that an internet-wide vulnerability scan would register a hit against the site and the attacker's tooling would carry on to its next stage.
I also logged every request in full. That's the whole site, completely useless, but that didn't stop almost 2,000 page views in the two weeks it was up.
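A catch-all responder of the kind described above, written here as an added example rather than the code actually running on the domain: every method and path gets a 200, the body is picked per endpoint, and the full request (client, method, path, headers, body) is written as one JSON line. The endpoint list, the canned bodies, the port and the log file name are all constructed for illustration.

```python
"""Minimal catch-all HTTP honeypot (added example, not the post author's code).
Every request is answered with 200, the body depends on the path, and the
complete request is appended to a JSON-lines log file."""
import json
import logging
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed per-endpoint bodies. A probe for a given file gets a plausible
# looking answer so the scanner believes the site is "vulnerable"; nothing
# here is a real secret or a real server.
CANNED = {
    "/.env": "APP_ENV=production\nAPP_KEY=base64:PLACEHOLDER_NOT_A_REAL_KEY\n",
    "/phpinfo.php": "<html><body><h1>PHP Version 7.4.33</h1></body></html>",
    "/robots.txt": "User-agent: *\nDisallow:\n",
}
DEFAULT_BODY = "<html><body><h1>It works!</h1></body></html>"


def choose_body(path):
    """Return the canned body for an exact path match, else the default."""
    # Drop the query string so '/.env?x=1' still receives the '.env' body.
    bare = path.split("?", 1)[0]
    return CANNED.get(bare, DEFAULT_BODY)


def log_record(method, path, headers, body, client):
    """Build the dict that is written, one per request, to the log."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "client": client,
        "method": method,
        "path": path,
        "headers": dict(headers),          # headers: iterable of (name, value)
        "body": body.decode("utf-8", "replace"),
    }


class HoneypotHandler(BaseHTTPRequestHandler):
    def _serve(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        record = log_record(self.command, self.path, self.headers.items(),
                            body, self.client_address[0])
        logging.info(json.dumps(record))
        payload = choose_body(self.path).encode()
        self.send_response(200)
        ctype = "text/html" if payload.startswith(b"<") else "text/plain"
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    # Every method the scanner might try maps to the same catch-all handler.
    do_GET = do_POST = do_PUT = do_DELETE = do_OPTIONS = _serve

    def log_message(self, *args):
        pass  # the JSON log above replaces the default stderr access log


if __name__ == "__main__":
    # Constructed: log file name and listening port are illustrative.
    logging.basicConfig(filename="honeypot.jsonl", level=logging.INFO,
                        format="%(message)s")
    HTTPServer(("0.0.0.0", 8080), HoneypotHandler).serve_forever()
```

One caveat worth keeping in mind when reading the numbers later in the post: because the server answers 200 to everything, ordinary crawlers and broken links get counted alongside scanners, so the interesting signal is in the paths and user agents, not the raw hit count.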
So let's jump into the data. Visitors came from a total of 38 countries, the top five being the United States, Germany, Canada, Russia, and the United Kingdom, in that order. If you exclude the visits to the root page alone, the top three countries are the United States, Russia, and Germany. None of that is surprising, though the first malicious URL came from the US.
An average of 150 page hits happened daily, with a massive spike on the 22nd. Most of that traffic consisted of requests for environment files and PHP info files, plus a few Nmap scans.
I also tracked unique hits to the site, which stayed consistent from the day the site launched.
The part that really matters is the attacks. As the list below shows, most of the page hits go after low-hanging fruit: environment files, a few path-traversal attempts, and Microsoft Exchange endpoints. I googled a few of the more specific paths, and they correspond to CVEs dating back as far as 2018.
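The kind of breakdown given above (hits per day, unique clients, root-only visits versus probes, and which bucket each probe falls into) can be produced from an access log with a short triage script. This is an added example, not the author's own analysis, and it runs over constructed log lines in Apache combined-log style with documentation-range IPs and made-up dates; the bucket rules are my own and only cover the categories the post names (environment files, PHP info files, path traversal, Exchange paths, Nmap). Country attribution is left out because it needs a GeoIP lookup.

```python
"""Honeypot log triage (added example, not the post author's scripts)."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log: IPs are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [20/May/2023:10:01:02 +0000] "GET / HTTP/1.1" 200 51 "-" "Mozilla/5.0"
203.0.113.5 - - [20/May/2023:10:01:03 +0000] "GET /.env HTTP/1.1" 200 62 "-" "Mozilla/5.0"
198.51.100.7 - - [21/May/2023:03:12:44 +0000] "GET /phpinfo.php HTTP/1.1" 200 51 "-" "python-requests/2.28"
198.51.100.7 - - [21/May/2023:03:12:45 +0000] "GET /../../etc/passwd HTTP/1.1" 200 51 "-" "python-requests/2.28"
192.0.2.9 - - [22/May/2023:08:00:00 +0000] "GET /owa/auth/logon.aspx HTTP/1.1" 200 51 "-" "Mozilla/5.0"
192.0.2.9 - - [22/May/2023:08:00:01 +0000] "GET /%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 200 51 "-" "Mozilla/5.0"
192.0.2.9 - - [22/May/2023:08:00:02 +0000] "GET / HTTP/1.1" 200 51 "-" "Nmap Scripting Engine"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"')

# Bucket rules, checked in order; the first match wins. The path has already
# been percent-decoded, so encoded traversal ("%2e%2e/") is caught as well.
RULES = [
    ("scanner-ua", lambda p, ua: "nmap" in ua.lower()),
    ("root", lambda p, ua: p == "/"),
    ("traversal", lambda p, ua: "../" in p or "..\\" in p),
    ("env-file", lambda p, ua: "/.env" in p),
    ("php-info", lambda p, ua: "phpinfo" in p.lower()),
    ("exchange", lambda p, ua: p.lower().startswith(("/owa/", "/ecp/", "/autodiscover/"))),
]


def parse(line):
    """Return a dict for one combined-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = unquote(rec["path"])
    return rec


def classify(path, ua):
    """Map a decoded request path and user agent to a bucket name."""
    for name, test in RULES:
        if test(path, ua):
            return name
    return "other"


def triage(log_text):
    """Summarise a log the way the post does: totals, per-day, uniques, buckets."""
    recs = [r for r in map(parse, log_text.splitlines()) if r]
    for r in recs:
        r["category"] = classify(r["path"], r["ua"])
    probes = [r for r in recs if r["category"] != "root"]
    return {
        "total": len(recs),
        "non_root": len(probes),
        "per_day": dict(Counter(r["day"] for r in recs)),
        "unique_clients": len({r["ip"] for r in recs}),
        "categories": dict(Counter(r["category"] for r in recs)),
        "first_probe": probes[0] if probes else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The rules are deliberately simple string checks so they are easy to audit; on a real log the "other" bucket is where you go looking for the more specific CVE paths the post mentions, and the per-day counter is what surfaces a spike like the one on the 22nd.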
I'll leave this site running to see what gets picked up. If you are interested in the comprehensive logs, please get in touch with me, and I will share them with you.