
Subdomain hack associated with a removed S3 bucket - holdenc
tldr;
If you delete an S3 bucket with a subdomain name, you need to delete the DNS record that points to it, or the missing bucket may be recreated by someone else, and used to host bad content at your subdomain.

Timeline:

- Received a message from Google Search Console that a new user has been verified for to-be-hacked.my-company.com.

- Looked in Google Search Console, but no new users exist. However, a new site map was submitted for:
to-be-hacked.my-company.com/sitemap.xml
This is filled with spam pages. The hacker apparently recreated the missing S3 bucket in their own account, and used this to verify the domain ownership with Google Search Console and then host the sitemap.xml filled with spam content. The spam content is also hosted in the bucket at to-be-hacked.my-company.com.
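The audit that would have caught this before the attacker did, as an added example (it is not the poster's code and not an AWS tool): walk the CNAME records in a zone, keep the ones that hand the hostname to an S3 REST or static-website endpoint, and check whether the bucket S3 will look for still exists. S3 selects the bucket from the request Host header, so the bucket that matters is the subdomain name itself, whatever label sits in front of the endpoint in the CNAME target; a record whose bucket no longer exists is claimable by any AWS account. The zone below and the set of "existing" buckets are constructed so the script runs offline; `bucket_exists_http` is the live variant and assumes, as documented S3 behaviour, that a HEAD on the path-style global endpoint answers 404 for a bucket nobody owns and 200/301/403 for one that exists somewhere.

```python
"""Audit CNAME records for dangling pointers to S3 (added example, not the poster's code)."""
import re
from typing import Callable, Dict, List, NamedTuple, Optional
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# CNAME targets that hand the hostname to S3: the bare endpoint or
# "<label>.<endpoint>". Covers s3.amazonaws.com, s3.<region>.amazonaws.com,
# s3-website-<region>.amazonaws.com and s3-website.<region>.amazonaws.com.
S3_ENDPOINT = re.compile(
    r"^(?:(?P<prefix>[a-z0-9][a-z0-9.-]*)\.)?"
    r"(?P<endpoint>s3(?:-website)?(?:[.-][a-z0-9-]+)?\.amazonaws\.com)\.?$"
)


class Finding(NamedTuple):
    name: str    # DNS name == bucket S3 resolves from the Host header
    target: str  # CNAME target as found in the zone
    status: str  # "ok" | "dangling" | "unknown"


def audit_cnames(zone: Dict[str, str],
                 bucket_exists: Callable[[str], Optional[bool]]) -> List[Finding]:
    """One Finding per CNAME that points at S3; "dangling" means anyone can
    create the bucket and serve content at that subdomain."""
    findings = []
    for name, target in zone.items():
        if not S3_ENDPOINT.match(target.lower()):
            continue  # not S3-backed; other hosting providers need their own check
        bucket = name.lower().rstrip(".")
        exists = bucket_exists(bucket)
        status = "unknown" if exists is None else ("ok" if exists else "dangling")
        findings.append(Finding(bucket, target, status))
    return findings


def dangling(zone: Dict[str, str],
             bucket_exists: Callable[[str], Optional[bool]]) -> List[str]:
    """Names whose CNAME should be deleted (or whose bucket recreated) now."""
    return [f.name for f in audit_cnames(zone, bucket_exists) if f.status == "dangling"]


def bucket_exists_http(bucket: str, timeout: float = 5.0) -> Optional[bool]:
    """Live check. Path-style is used because a dotted bucket name such as
    to-be-hacked.my-company.com does not match the wildcard certificate on the
    virtual-hosted hostname. Returns None when the network gives no answer."""
    req = Request(f"https://s3.amazonaws.com/{bucket}/", method="HEAD")
    try:
        with urlopen(req, timeout=timeout):
            return True
    except HTTPError as err:
        if err.code == 404:
            return False           # NoSuchBucket: claimable by anyone
        if err.code in (301, 307, 403):
            return True            # exists: other region, or private
        return None
    except OSError:
        return None


# Constructed sample zone: the first record reproduces the thread's scenario.
CONSTRUCTED_ZONE = {
    "to-be-hacked.my-company.com":
        "to-be-hacked.my-company.com.s3-website-us-east-1.amazonaws.com.",
    "assets.my-company.com": "assets.my-company.com.s3.amazonaws.com.",
    "docs.my-company.com": "s3-website.eu-west-1.amazonaws.com",
    "www.my-company.com": "my-company.github.io",
}
# Constructed stand-in for the live check: buckets that still exist.
CONSTRUCTED_EXISTING_BUCKETS = {"assets.my-company.com", "docs.my-company.com"}


def offline_exists(bucket: str) -> Optional[bool]:
    return bucket in CONSTRUCTED_EXISTING_BUCKETS


def run_offline() -> List[Finding]:
    return audit_cnames(CONSTRUCTED_ZONE, offline_exists)


if __name__ == "__main__":
    for finding in run_offline():
        print(f"{finding.status:8} {finding.name} -> {finding.target}")
```

Swap `offline_exists` for `bucket_exists_http` and feed it a zone export to run it for real. A 403 is a pass for this purpose: the bucket exists, so nobody else can create it, even if it is not yours. A record that resolves to the GitHub Pages target in the sample is skipped on purpose; every provider has its own takeover signature and this script only knows S3's.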
======
gtsteve
Interesting, thanks. I guess I didn't consider it because I've never deleted an
S3 bucket. We've got a few S3 buckets used in that way, I'll make sure our
guys know never to delete them.

~~~
holdenc
Yeah, apparently it's a known vector:
[https://hackerone.com/reports/121461](https://hackerone.com/reports/121461)

------
k4ch0w
Very common attack. It's called a subdomain takeover.

