Why do I have 25 subdomains for my site in The Hub?

When going into The Hub I was surprised to find 25 subdomains to my site which I certainly never set up or added.

For example:
bitcoin.bjorn3d.com
started.bjorn3d.com
stadium.bjorn3d.com
and so on

They all go to my site of course but they are treated as separate sites in The Hub and I certainly never set up these. What is going on here?

  • Adam Czajczyk

    Hello SwedBear,

    I hope you're well today and thank you for your question!

    I can see a lot of these domains registered with your account indeed. Your main site seems to be a single WordPress install (if these were sub-domains of Multisite they wouldn't be registered separately) and actually it seems that these sub-domains are active and some of them have WordPresses set there.

    In my opinion your server might have been "hacked" or somehow the site has been compromised. I didn't risk. Can you check your server using cPanel and/or FTP and confirm that there are indeed these sites installed?

    Have you already contacted your host asking them to check server logs and help you secure the server? That would be well worth giving a try as it looks quite serious (if these are not your domains).

    Additionally, I would suggest removing all those sites that are not yours from The Hub and then also - just in case - changing your WPMU DEV account password.

    The most essential part though is to check the server for these sites and see what host staff would tell you (they are able to check different logs that you may not be able to) about what could happen there.

    Let me know please what they said!

    Best regards,
    Adam

  • SwedBear

    Actually those are not "real" sites. I have full control over my server (I host it on DigitalOcean via ServerPilot) and those subdomains simply do not exist as real separate sites. However, the server will show the main site, http://www.bjorn3d.com, when accessing it via a subdomain that doesn't work. The only real subdomain I have set up is images.bjorn3d.com.

    The reason The Hub thinks there is WordPress on it is because it gets the response from the main site instead.

    I'm using a LastPass random generated password for WPMUDev and have changed it. It is a password not used anywhere else so no one should be able to "hack" it via an old leaked password. I also updated my API key just to be sure.

    The only thing I could think of is that they log into WordPress via a non-existing subdomain and then "activate" WPMUDev again so it "thinks" it is a new domain?

    I checked my logs and cannot see any unauthorized logins but I made sure to change all passwords anywhere.

    I will remove them now and keep an eye out but it feels a bit weird that they just popped up.

  • Dimitris

    Hey there SwedBear,

    hope you're doing good and don't mind chiming in here! :slight_smile:

    It seems that other subdomains are installed in another server as they resolve to another IP address!! Could you please confirm this?

    PING bjorn3d.com (104.24.18.10)
    PING images.bjorn3d.com (104.24.18.10)
    
    PING usa.bjorn3d.com (159.203.221.196)
    PING pixels.bjorn3d.com (159.203.221.196)

    I'd strongly advise to change your passwords in every single service that you use. :wink:

    You could also double check wp-config.php file that does not include any lines like the following

    define('WP_SITEURL', 'http://' . $_SERVER['HTTP_HOST']);
    define('WP_HOME', 'http://' . $_SERVER['HTTP_HOST']);

    which would result in a dynamically changed site_url() to be whatever is requested, even though I don't think that's the issue here.

    Warm regards,
    Dimitris

  • SwedBear

    Hi,
    thanks for your suggestions. The reason there are two different IPs is purely due to Cloudflare, which I use. The 104.24.18.10 IP is a Cloudflare IP and the traffic goes through there first before heading to my site. The 159.- IP is the actual IP of my server and it just shows that the traffic for those "fake" domains is going directly to the site. I'm going to check out in Cloudflare DNS how to make sure these also will be handled by Cloudflare instead of just letting the traffic pass through.
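The split Dimitris saw in the ping output and SwedBear explains above (one IP belonging to Cloudflare, the other being the origin server reached directly) is a check worth automating. The script below is an added example and is not code from the thread or from WPMU DEV: it resolves each hostname, classifies the answer as Cloudflare-proxied, origin-exposed or other, and lists the hosts whose DNS bypasses the proxy. The Cloudflare range list is a snapshot that should be refreshed from https://www.cloudflare.com/ips-v4; the resolver is injectable so the example runs offline against a constructed table built from the IPs quoted in the thread.

```python
"""Audit which hostnames of a zone are fronted by Cloudflare and which point
straight at the origin server. Added example; not code from the thread."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Optional, Tuple

# Snapshot (assumption) of Cloudflare's published IPv4 ranges. Refresh from
# https://www.cloudflare.com/ips-v4 before relying on it in an audit.
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in CLOUDFLARE_IPV4]


def is_cloudflare(ip: str) -> bool:
    """True when the address falls inside one of Cloudflare's edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_NETS)


def classify(ip: str, origin_ip: str) -> str:
    """Label an answer: proxied (Cloudflare), origin-exposed, or other."""
    if is_cloudflare(ip):
        return "proxied"
    if ip == origin_ip:
        return "origin-exposed"
    return "other"


def audit(hosts: Iterable[str], origin_ip: str,
          resolve: Callable[[str], str] = socket.gethostbyname
          ) -> Dict[str, Tuple[str, Optional[str]]]:
    """Resolve every host and record (status, ip); unresolvable names are
    kept in the report so a stale DNS entry is not silently skipped."""
    report: Dict[str, Tuple[str, Optional[str]]] = {}
    for host in hosts:
        try:
            ip = resolve(host)
        except OSError:  # socket.gaierror is a subclass of OSError
            report[host] = ("unresolved", None)
            continue
        report[host] = (classify(ip, origin_ip), ip)
    return report


def exposed_hosts(report: Dict[str, Tuple[str, Optional[str]]]) -> list:
    """Hostnames whose DNS sends traffic past the proxy straight to origin."""
    return sorted(h for h, (status, _) in report.items()
                  if status == "origin-exposed")


# Constructed sample DNS table using the addresses quoted in the thread;
# the last entry is invented to exercise the unresolved path.
SAMPLE_DNS = {
    "bjorn3d.com": "104.24.18.10",
    "images.bjorn3d.com": "104.24.18.10",
    "usa.bjorn3d.com": "159.203.221.196",
    "pixels.bjorn3d.com": "159.203.221.196",
    "gymit.bjorn3d.com": "159.203.221.196",
}
ORIGIN_IP = "159.203.221.196"


def sample_resolver(host: str) -> str:
    """Offline stand-in for socket.gethostbyname."""
    try:
        return SAMPLE_DNS[host]
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known")


def run_sample() -> Dict[str, Tuple[str, Optional[str]]]:
    hosts = list(SAMPLE_DNS) + ["nonexistent.bjorn3d.com"]
    return audit(hosts, ORIGIN_IP, resolve=sample_resolver)


if __name__ == "__main__":
    result = run_sample()
    for host, (status, ip) in result.items():
        print(f"{host:28} {status:15} {ip}")
    print("bypassing the proxy:", exposed_hosts(result))
```

Run against live DNS by calling `audit(hosts, origin_ip)` without the `resolve` argument. Any name reported as origin-exposed is reachable without Cloudflare in front of it, which is exactly the state SwedBear describes for the "fake" subdomains; the fix on the DNS side is to proxy those records (or remove the wildcard that answers for them) rather than to let them pass straight through.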

  • Dimitris

    Hey there SwedBear,

    I trust you're doing good today! :slight_smile:

    I really appreciate the feedback here.
    Please let us know for any feedback/insights you may have from your Cloudflare's side.

    On the other hand, I can still see a lot of domains connected with your account here in WPMUDEV.
    Wouldn't you delete those from your Hub Websites page? This may be another way to check if those are still getting re-generated somehow. :thinking:

    Take care,
    Dimitris

  • SwedBear

    Hi,

    I'm actually curious how domains are added to The Hub. I've made sure all passwords are new LastPass generated ones and I also monitor logins both to WordPress and my servers + use your Defender to lock out/IP-ban failed logins so I am not worried the site was hacked using passwords.

    ServerPilot, which I use to run the site on a DigitalOcean droplet, automatically sends a non-existing sub-domain to the "first" site on the server, which was bjorn3d.com. So that was why the "fake" sub-domains still kind of work (you get a security error as the SSL cert did not cover those subdomains).

    I noticed that these rogue domains kept appearing. For example, from yesterday evening to today a new one appeared: gymit.bjorn3d.com. And yes, I've been removing them.

    My question simply is - is it enough that you can access a site with a sub-domain to get the plugin to add that sub-domain to The Hub? So because ServerPilot gave the main site when accessing the fake domains they were added when a user visited using it?

    I've updated ServerPilot so it gives an empty "default" site now when a non-existing subdomain is accessed to see if that fixes the issue. Later I will set up a redirect there to the main site.

  • Adam Czajczyk

    Hello SwedBear!

    This is how new sites are added to The Hub:

    - a WPMU DEV Dashboard plugin is installed on the site
    - the plugin has to be logged in to a WPMU DEV member account using the member's login and password
    - the plugin connects to The Hub

    then some additional things happen

    - the domain added is the one that is defined in WP settings as the main site domain; in case of regular, single WP it's the domain used for installation and in case of multisite it's also a domain used for installation which is also the domain for the main site of the multisite network

    - the domain that's added is being checked and if it has been registered before with another account, it's not being added

    - while WPMU DEV Dashboard can be installed on multiple (separate!) sites on the same server (so multiple WordPress installs, regardless whether they are under top level domains, sub-domains or in sub-folders) it cannot be separately installed on multiple sub-sites of Multisite (there's always only one WPMU DEV Dashboard per multisite)

    - no site is added to The Hub if there's no active and logged in WPMU DEV Dashboard plugin on it

    Any "wild card" configuration and/or server-level redirects from a non-existent (sub)domain shouldn't cause that domain to be added.

    Having that said, I admit I'm a bit stuck with the case. Three options that come to my mind are:

    - your server/site has been somehow hacked (though you essentially ruled that out, so it's most likely not that)

    - we are all missing something important here

    - or there's some undiscovered (yet) glitch in our system

    I'm sure though that there is a logical explanation for this and a solution so I have asked guys behind The Hub development for some help on this. They're a bit busy with updates so please be aware that it may take some time for them to respond but I believe they'll be able to give us a helping hand on this.

    Please keep an eye on this thread and I'll update it as soon as I get to know something more about that.

    Kind regards,
    Adam

  • Adam Czajczyk

    Hello again SwedBear!

    Luckily I got some information nearly instantly so I'm passing it to you. It seems that what you did to your install recently may help so let's see how that performs and if it fixes the issue.

    It looks like the way it was set up before - the fact that no matter what you put in front of the top domain ("made up sub-domains") it is loading your site like it was the proper domain for the site (so it's not a simple redirect but WordPress actually "thinks" it's the right domain) - may indeed cause issues.

    It's now not loading the site that way so it should let you remove those "made up" domains and let's see how it works.

    Best regards,
    Adam
