Possible DNS Injection and/or SSL hijack?
- by Anthony
So if I go to my site without indicating the protocol, I'm taken to:
http://example.org/test.php
But if I go directly to:
https://example.org/test.php
I get a 404 back.
If I go to just:
https://example.org
I get a totally different site (a page about martial arts).
I went to the site via https not very long ago (maybe a week?) and it was fine.
This is a shared server, as I understand it, and I do not have shell access, so I'm limited to the site's CPanel to do any further investigations. But when I go to:
example.org:2083
I'm taken to https://example.org:2083, which, if someone has taken over the SSL port, could mean they have taken over the 2083 part as well (at least in my paranoid mind). I'm made more nervous by the fact that the cpanel login page at the above address looks very new (better, really) compared to the last time I went to it over the weekend.
It's possible that wires got crossed somewhere after a system update, but I don't want to put in my name username and password in case it's a phishing attempt.
Is there any way to know for sure without shell access to know for sure if someone has taken over?
If I look up the IP address for the host name, the IP address matches what I have on a phpinfo page I can get to over http. If I go to the IP address directly on port 2083, I get the same login mentioned above (new and and suspiciously nice). But the SSL cert shows as good when I go this route. So if that's the case (I know the IP is right, the cert checks out, and there isn't any DNS involved), is that enough to feel safe at that point of entry?
Finally, if I can safely log in via the IP, does anyone have any advice on where to check first on CPanel for why the SSL port is forwarding to a site on karate?
Thanks.
