James-2077 asked brtrach-MSFT commented

Azure App: stopped & deleted app hacked months later

Hello,

The blog component of our site (blog.abc.com) was run as a WordPress app in Azure, but eventually discontinued and the app deleted in the Azure portal. Now, maybe 6 months later, we received a Google Search Console message that the site has been hacked.

Visiting blog.abc.com goes to a default Azure page "your app service is up and running. Time to take the next step and deploy your code." But somehow the hacker has inserted pages like blog.abc.com/1.html

Since I deleted the app I can't access it in the Azure portal. The old FTP credentials I had don't work so I can't even look at what's been uploaded.

Any ideas on what to do appreciated.

Thanks,
James

Tags: azure-webapps, azure-security-center, azure-webapps-security

We have reached out to the original poster via private message. If the community has further input, please share it.


1 Answer

James-2077 answered brtrach-MSFT commented

Thanks to MSFT support for quickly investigating this for me.

A follow-up for anyone following. This was not a hack, rather a "Subdomain takeover". If you delete an app associated with a subdomain on your site, but you don't delete the DNS CNAME record that points to the URL of the deleted app, it's possible for a "threat actor" to detect the dangling CNAME, and re-provision the app at the same Azure URL that you were previously using, thereby hijacking your subdomain.

This article explains the issue and what can be done to prevent it from happening:

https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover


We are happy to hear you were able to receive an answer to this matter. We appreciate you taking the time to share the resolution with the community.

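A defender-side check for the dangling-CNAME condition described in the answer above, as an added example that is not part of the original thread or of the linked article: it compares a DNS zone export against the hostnames of apps that still exist and flags CNAMEs whose Azure target is gone. The zone data, the app names and the `.azurewebsites.net` suffix are constructed or assumed for illustration.

```python
"""Offline audit: flag CNAME records whose Azure target is not in our app inventory."""

# Default App Service hostname suffix (assumption: the thread only says "azure url").
AZURE_SUFFIXES = (".azurewebsites.net",)

# Constructed sample data: a zone export and the hostnames of apps that still exist.
SAMPLE_ZONE = """\
; name            ttl   class type  value
www.abc.com.      3600  IN    CNAME abc-main.azurewebsites.net.
blog.abc.com.     3600  IN    CNAME abc-blog.AzureWebsites.net.
shop.abc.com.     3600  IN    CNAME shops.example-cdn.test.
abc.com.          3600  IN    A     203.0.113.10
"""
SAMPLE_LIVE_APPS = {"abc-main.azurewebsites.net"}


def normalize(host):
    """Lower-case and drop the trailing root dot so comparisons are exact."""
    return host.strip().rstrip(".").lower()


def parse_cnames(zone_text):
    """Yield (name, target) for each CNAME line in a simple zone export."""
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        fields = line.split()
        if len(fields) >= 5 and fields[3].upper() == "CNAME":
            yield normalize(fields[0]), normalize(fields[4])


def find_dangling_cnames(zone_text, live_hosts, suffixes=AZURE_SUFFIXES):
    """Return CNAMEs that point at an Azure hostname we no longer own."""
    live = {normalize(h) for h in live_hosts}
    return [
        (name, target)
        for name, target in parse_cnames(zone_text)
        if target.endswith(suffixes) and target not in live
    ]


if __name__ == "__main__":
    for name, target in find_dangling_cnames(SAMPLE_ZONE, SAMPLE_LIVE_APPS):
        print(f"DANGLING: {name} -> {target} (delete this DNS record)")
```

Run it whenever an app is decommissioned, with the live-app set taken from your current resource inventory, so the DNS record is removed at the same time as the app.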