How To Protect Against Malicious Google Search Console Verifications
I was hacked (sort of) yesterday. I was hacked because I left an A record for my domain pointing to an IP address that I no longer control. A Bad Actor (BA) spun up a server with my abandoned IP address and was able to claim ownership of that subdomain (host) at Google Search Console. This Google Search Console Forum Thread has more details and this Sucuri blog post goes into even more details about this type of hack.
My question is: How to prevent this from happening again (to me or others). Obviously the best answer is don't leave DNS records pointing to IPs you don't control. But what if you forget to delete the DNS record?
After notifying support yesterday, I learned that there are sites where BAs can go and find abandoned IPs that have DNS records pointing to them - YIKES. I'm not linking to them because I don't want to promote them and I don't think it's safe to visit them.
So what to do? The best answer I can come up with is to find a trusted site that provides the same information as the hacker site. Hopefully such a site exists and can, for a small fee, provide an API I can query to see if any of my domains are listed. Who would build it? How would I trust it? How would they get and maintain accurate information? All open questions. I'd love to see some suggestions and discussion. Maybe you have some other approach.
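As an added example (not from the original thread), here is a small audit script a domain owner can run on their own inventory: it flags hostnames whose A/AAAA records resolve to addresses outside the prefixes you control, which is exactly the stale-record condition described above. The owned prefixes and the sample zone answers are constructed; the resolver is injectable so the check can run against a real zone export or offline.

```python
"""Audit hostnames for dangling A/AAAA records: records that resolve to
addresses outside the ranges you actually control (constructed example)."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Constructed inventory: the address ranges this organisation controls.
OWNED_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8::/32")]


def resolve_addresses(hostname: str) -> List[str]:
    """Default resolver: every IPv4/IPv6 address the system resolver returns."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def find_dangling(hostnames: Iterable[str],
                  owned: Iterable = OWNED_PREFIXES,
                  resolver: Callable[[str], List[str]] = resolve_addresses) -> Dict[str, List[str]]:
    """Return {hostname: [addresses not inside any owned prefix]} for every host
    that resolves to at least one address you do not control. A host with no
    answer is not reported: nothing can be claimed through a record that is gone."""
    owned = list(owned)
    findings: Dict[str, List[str]] = {}
    for host in hostnames:
        foreign = [addr for addr in resolver(host)
                   if not any(ipaddress.ip_address(addr) in net for net in owned)]
        if foreign:
            findings[host] = foreign
    return findings


# Constructed DNS answers standing in for a real zone, so the script runs offline.
SAMPLE_ZONE = {
    "www.example.com": ["203.0.113.10"],
    "old-demo.example.com": ["198.51.100.7"],      # stale: IP released long ago
    "api.example.com": ["203.0.113.20", "2001:db8::1"],
    "retired.example.com": [],                      # record already deleted
}

if __name__ == "__main__":
    report = find_dangling(SAMPLE_ZONE, resolver=lambda h: SAMPLE_ZONE.get(h, []))
    for host, addrs in report.items():
        print(f"DANGLING {host} -> {', '.join(addrs)}")
```

Run it on a scheduled job against your zone export and treat any finding as a record to delete or repoint before anyone else can claim it.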
1 Reply
Can't quite answer your exact question about how to prevent but…
There are other ways to verify a site (as opposed to a domain): an html file and a meta tag.
If you have a site running on this IP (or can spin one up) you could use those.
On the "bad" IP which led to someone else having been able to verify your domain…
The way this works is anyone can start verification on any domain: the idea being that only the real owner would be able to complete the process.
Hopefully your DNS is now all good and proper and you should be able to complete a new verification - and then unverify the bad party (there are controls for this in the webmaster tools console).
Finally, if the IP is supposed to point to a sub-domain, I'd be sure to complete a DNS verification of the parent, as verification will "trickle down" from the parent on down.