I generated a 16-character (upper/lower) subdomain and set up a virtual host for it in Apache, and within an hour was seeing vulnerability scans.
How are folks digging this up? What’s the strategy to avoid this?
I am serving it all with a single wildcard SSL cert, if that’s relevant.
Thanks
Edit:
- I am using a single wildcard cert, with no subdomains attached/embedded/however those work
- I don’t have any subdomains registered with DNS.
- I attempted dig axfr example.com @ns1.example.com, which returned zone transfer DENIED
Edit 2: I’m left wondering, is there an apache endpoint that returns all configured virtual hosts?
Edit 3: I’m going to go through this hardening guide and try again with a new random subdomain https://www.tecmint.com/apache-security-tips/
If you use Let’s Encrypt (ACME protocol), AFAIK you can find all domains registered in a directory that even has a search, no matter if it’s wildcard or not.
It was something like this https://crt.sh/ but I can’t find the site exactly anymore
LE: you can also find some here https://search.censys.io/
Holy shit, this has every cert I’ve ever generated or renewed since 2015.
Certificate Transparency makes public all issued certificates in the form of a distributed ledger, giving website owners and auditors the ability to detect and expose inappropriately issued certificates.
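The crt.sh check the thread keeps coming back to, as an added example that is not from any poster: given entries in the JSON shape crt.sh returns for a domain query (the field names common_name and name_value are an assumption about that output, and the entries below are constructed, not a real lookup), it reports whether a specific hostname is literally disclosed in a logged certificate, or only covered by a wildcard entry, which reveals nothing about the random label. It goes slightly beyond the thread by treating wildcards correctly: a *.example.com entry matches exactly one label, so deeper names are not covered either.

```python
import json

# Constructed sample shaped like https://crt.sh/?q=%25.example.com&output=json
# (field names are an assumption; no network request is made here).
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "common_name": "example.com",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2015-03-01T00:00:00", "not_after": "2015-06-01T00:00:00"},
    {"id": 2, "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com",
     "not_before": "2025-11-01T00:00:00", "not_after": "2026-01-30T00:00:00"},
    {"id": 3, "common_name": "old-app.example.com",
     "name_value": "old-app.example.com",
     "not_before": "2024-02-01T00:00:00", "not_after": "2024-05-01T00:00:00"},
])


def parse_ct_names(raw_json):
    """Return every DNS name disclosed across all certificate entries.

    crt.sh packs the SAN list into name_value as newline-separated names,
    so both the CN and each SAN line are collected.
    """
    names = set()
    for entry in json.loads(raw_json):
        for field in ("common_name", "name_value"):
            for name in entry.get(field, "").split("\n"):
                name = name.strip().lower()
                if name:
                    names.add(name)
    return names


def wildcard_matches(pattern, hostname):
    """True if pattern covers hostname. A wildcard covers exactly one label:
    '*.example.com' matches 'a.example.com' but not 'a.b.example.com'."""
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def ct_exposure(raw_json, hostname):
    """Classify a hostname against the CT entries:
    'disclosed' - the literal name appears in a logged certificate
    'covered'   - only a wildcard matches it, so the label itself is not public
    'absent'    - nothing in the log relates to it
    """
    hostname = hostname.lower()
    names = parse_ct_names(raw_json)
    if hostname in names:
        return "disclosed"
    if any(wildcard_matches(n, hostname) for n in names if n.startswith("*.")):
        return "covered"
    return "absent"


if __name__ == "__main__":
    for host in ("old-app.example.com", "aB3kz9QwErTyUiOp.example.com", "x.y.example.com"):
        print(host, "->", ct_exposure(SAMPLE_CRTSH_JSON, host))
```

Run against a real crt.sh download of your own domain to get the same three-way answer; the "covered" result is the situation the original poster describes (wildcard cert, random label never issued a certificate of its own).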
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters: More Letters
CA: (SSL) Certificate Authority
DNS: Domain Name Service/System
IP: Internet Protocol
SSL: Secure Sockets Layer, for transparent encryption
VPS: Virtual Private Server (opposed to shared hosting)
5 acronyms in this thread; the most compressed thread commented on today has 14 acronyms.
[Thread #990 for this comm, first seen 11th Jan 2026, 01:25]
Good bot
Do post again if you figure it out!
Will do!
For anyone who needs to read it: At the end of the day this is obscurity, not security; however obscurity is a good secondary defense because it buys time.
I too would be interested to learn how this leaked
It’s not even obscurity; it’s logged publicly.
A long time ago, I turned a PC in my basement into a web server. No DNS. Just a static IP address. Within 15 minutes, the logs showed it was getting scanned.
SSL encrypts traffic in-transit. You need to set up auth/access control. Even better, stick it behind a Web Application Firewall.
Or set up a tunnel. Cloudflare offers a free one: https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/
We’re always watching.
Are you sure they’re hitting the hostname and not just the IP directly?
Shows up by name in the apache other_hosts…log, so yes
You say you have a wildcard cert but just to make sure: I don’t suppose you’ve used ACME for Letsencrypt or some other publicly trusted CA to issue a cert including the affected name? If so it will be public in Certificate Transparency Logs.
If not I’d do it again and closely log and monitor every packet leaving the box.
The random name is not in the public log. Someone else suggested that earlier. I checked CRT.sh and while my primary domain is there, the random one isn’t.
My next suspicion from what you’ve shared so far apart from what others suggested would be something out of the http server loop.
Have you used some free public DNS server and inadvertently queried it with the name from a container or something? Developer tooling building some app with analytics not disabled? Any locally connected AI agents having access to it?
I believe that some DNS servers are configured to allow zone transfers without any kind of authentication. While properly configured servers will whitelist the IPs of secondaries they trust, for those that don’t, hackers can simply request a zone transfer and get all subdomains at once.
I don’t have any subdomains registered with DNS.
I attempted dig axfr example.com @ns1.example.com, which returned zone transfer DENIED
Yeah, this is interesting, I’ll dig more into this direction.
But the randomly generated subdomain has never seen a DNS registrar.
I do have *.mydomain.com registered though…hmmm
Did you yourself make a request to it or just set it up and not check it? My horrifying guess is that if you use SNI in a request every server in the middle could read the subdomain and some system in the internet routing is untrustworthy.
Previous experiments, yes, I sent a request. The random one, no.
Scans from where? Is it exposed to the internet? What does the scan traffic look like?
Mostly from AWS or the like, with occasional Chinese and Russian origins.
The scans look like requests to various WordPress endpoints, JavaScript files associated with known vulnerabilities etc
@[email protected] are you generating certificates for each of the random subdomains?
Fitting that someone from an instance on a random subdomain commented on this lol
@[email protected] have you checked on https://crt.sh/ ?
As expected, it doesn’t show up. I had a couple of other subdomains configured before I switched to wildcard, but nothing matches the random one
I don’t think so? I have a letsencrypt wildcard cert, and reference that in the relevant .conf
deleted by creator
Even with a wildcard cert?
Yeah I’m not sure about that so I deleted the comment. But just try it out: install it and see what it shows you, and then work from that.
@[email protected] mmm wait your logs show the new domains being targeted specifically?
Yep. They show up in the other_hosts…log
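The question of whether scanners are hitting the hostname or just the IP is answerable from the per-vhost log itself; the following is an added example, not code from anyone in the thread. It assumes Debian/Ubuntu's vhost_combined format ("%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\""), where %v is the ServerName of the vhost that served the request: a request carrying the random name in its Host header lands in that vhost and is logged under it, while a request to the bare IP lands in the default vhost (logged under that vhost's ServerName, or the IP literal when none is set). The log lines are constructed, and the path list is a small set of well-known scanner probes, not a complete signature set.

```python
import ipaddress
import re

# Constructed sample lines in the vhost_combined format (assumption: Debian's
# default other_vhosts_access.log layout). Addresses are documentation ranges.
SAMPLE_LOG = """\
aB3kz9QwErTyUiOp.example.com:443 203.0.113.5 - - [11/Jan/2026:01:25:00 +0000] "GET /wp-login.php HTTP/1.1" 404 492 "-" "Mozilla/5.0"
aB3kz9QwErTyUiOp.example.com:443 203.0.113.5 - - [11/Jan/2026:01:25:01 +0000] "GET /xmlrpc.php HTTP/1.1" 404 492 "-" "Mozilla/5.0"
198.51.100.10:80 198.51.100.77 - - [11/Jan/2026:01:26:10 +0000] "GET /.env HTTP/1.1" 404 489 "-" "python-requests/2.31"
example.com:443 192.0.2.8 - - [11/Jan/2026:01:27:00 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

# %v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):(?P<port>\d+) (?P<client>\S+) \S+ \S+ '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths that mass scanners probe regardless of what the site actually runs
# (the thread mentions WordPress endpoints); extend with your own observations.
SUSPICIOUS_PATH_RE = re.compile(
    r'(wp-login\.php|xmlrpc\.php|/wp-admin|/\.env|/\.git/|phpmyadmin)', re.I
)


def parse_vhost_log(text):
    """Parse vhost_combined lines into dicts; lines in another format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        parts = rec["request"].split(" ")
        rec["method"] = parts[0] if parts else ""
        rec["path"] = parts[1] if len(parts) > 1 else ""
        records.append(rec)
    return records


def is_ip_literal(vhost):
    """True when the logged vhost field is a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(vhost)
        return True
    except ValueError:
        return False


def summarize(log_text, hostname):
    """Count how requests reached the server and which clients sent scanner probes.

    by_name     - Host header named our random vhost (the name was known to the client)
    by_ip       - request landed on an IP-literal vhost (no name needed)
    other_vhost - any other configured name
    """
    counts = {"by_name": 0, "by_ip": 0, "other_vhost": 0, "suspicious": 0}
    scanners = set()
    for rec in parse_vhost_log(log_text):
        if rec["vhost"].lower() == hostname.lower():
            counts["by_name"] += 1
        elif is_ip_literal(rec["vhost"]):
            counts["by_ip"] += 1
        else:
            counts["other_vhost"] += 1
        if SUSPICIOUS_PATH_RE.search(rec["path"]):
            counts["suspicious"] += 1
            scanners.add(rec["client"])
    counts["scanner_clients"] = sorted(scanners)
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "aB3kz9QwErTyUiOp.example.com"))
```

A non-zero by_name count for a name that was never published anywhere is the evidence the thread is arguing about; by_ip hits, by contrast, need no leak at all, since internet-wide scanners simply walk address space.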
Reverse DNS? Or vuln scans just hitting IPs. Don’t need DNS for that.
All the obvious things have been mentioned.
The only way to identify the problem is to share the exact steps you’ve followed and then others can reproduce.
Based on what you’ve told us, no one knows how the subdomain is leaked. Without meaning to be derisive, that suggests that something you’ve told us isn’t quite correct.
Well, the good news is that I at least think I’m doing all the right things.
I’ll spin up a new VM tomorrow and start from scratch.