A company I used to work for has just contacted me to say that when they navigate to their web application's URL, they see the following:
Test Diese Maschine ist ein Microsoft-IIS/10.0 System £22.00 01/12/2017 04:52:04
A quick search on your favourite search engine for "Diese Maschine ist ein microsoft-iis" yields pages and pages of this exact template. There is nothing in the HTML returned that gives anything away, nor in the returned HTTP headers. This is on an HTTP connection, not HTTPS. There are no results that talk about what this is, why it happens, or what to do about it.
There are no clues here to what is going on. I'm slowly stepping through root causing it, but at the very least I thought it would be useful to see if anyone here knows where this text comes from, and to have an answer on security.stackexchange.com that might start to show up in the search engine results for people equally perplexed by this in the future.
Does anyone know what this SHTEMPLATE2016 page is about? Is this a common piece of malware? What attack(s) is this related/correlated to, if any? Does anyone know anything at all about this?
This is not malware (apologies for initially thinking it was and posting here). 1&1 had an issue last night and have lost DNS settings on thousands of domains. The engineer we spoke to wasn't even able to confirm they would be able to restore these settings.
- 2 This looks like a generic test page that can be used for checking connectivity and such. It’s German for „this machine is a Microsoft IIS“, btw.
- @bejeb Useless questions are the ones that you refuse to accept the answer to despite the evidence. If you do find the answer to this, I'd encourage you to answer your own question and mark it as answered so others in the same situation can learn from your experience.
- @baldPrussian not if it is not security-related
- 1 @schroeder had it right: lots of 1&1 domains, even those registered there but hosted elsewhere, got redirected to a default template page somewhere in 1&1 due to a DNS issue. Thank you to whoever migrated this to webmasters as well, this is a far better place for the question.
When using my favourite search engine, I looked up a sample of those 3,190 pages with this template, and discovered they were all hosted by the same company: 1&1 Internet SE
https://www.tcpiputils.com/browse/domain/huffhouse.com
https://www.tcpiputils.com/browse/domain/hinton.org
https://www.tcpiputils.com/browse/domain/biplastic.com
https://www.tcpiputils.com/browse/domain/widowshome.com
https://www.tcpiputils.com/browse/domain/roadwarrior365.com
https://www.tcpiputils.com/browse/domain/9-muses.com
It looks like a template page for this hoster.
- That's interesting - their domain registration and dns is hosted by 1and1, but the servers are hosted elsewhere. Also interesting is that the IP address for the site in question seems to have been altered recently in DNS - it is not what I think it should be. This could be as simple as a 1and1 thing, and nothing to do with security.
- 1&1 had an issue last night and have lost DNS settings on thousands of domains and lots of customers. So not malware after all. Sorry to waste your time ... thanks for your help.
- nice of them to have contacted their customers ...