My github pages seem to have been hacked, but I can't figure out how.

[rahulgopinath]

Select Topic Area

Question

Body

I have a site at rahul.gopinath.org hosted at github pages under https://github.com/rahulgopinath/rahulgopinath.github.io
I own the DNS for gopinath.org, and I had CNAME proxied rahul.gopinath.org to rahulgopinath.github.io and www to rahul.gopinath.org.

Just yesterday I got several notifications stating that an additional owner was added to google search console. However, on clicking Manage Users, there was no new users added. Today I found that www.gopinath.org was being served a different page when connected.

| nc  172.67.160.78 80
GET / HTTP/1.1
Host: rahul.gopinath.org

HTTP/1.1 200 OK
Date: Wed, 31 Jan 2024 07:36:51 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Thu, 25 Jan 2024 03:23:40 GMT
Access-Control-Allow-Origin: *
expires: Wed, 31 Jan 2024 07:46:51 GMT
Cache-Control: max-age=600
x-proxy-cache: MISS
X-GitHub-Request-Id: EE22:398844:5B52DA:66971D:65B9F892
Via: 1.1 varnish
Age: 0
X-Served-By: cache-qpg1251-QPG
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1706686611.902990,VS0,VE253
Vary: Accept-Encoding
X-Fastly-Request-ID: 1b6d5af79dbee39051fa220241d5d45d3b914823
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=cG5tG84pvWuBYTxRMjqX79IVHGxjEVpsMmS420FojZo2lv8qKY6ZsVr3aJp9%2B8spTEQ%2FEYs98NnJhdAhTWl%2B3r%2FVMgZTUFhCQkrHvtFaHcGx9bxnUjW6lNqUWkkAsv%2BOWlqMfS0%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 84e0490bcd5a3e1a-SIN
alt-svc: h3=":443"; ma=86400

51a2
<!DOCTYPE html>
<html lang="en">

  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <meta name="description" content="Research in Software Engineering from Rahul Gopinath">
    <meta name="google-site-verification" content="u_ego06a51VeuglIlME3TaHaEu6aFQ31S_E3xgVeOtQ" />
    <link type="application/atom+xml" rel="alternate" href="https://rahul.gopinath.org/feed.xml" title="Rahul Gopinath" />
    
    <title>Rahul Gopinath</title>

| nc 172.67.160.78 80    
GET / HTTP/1.1
Host: www.gopinath.org

HTTP/1.1 200 OK
Date: Wed, 31 Jan 2024 07:34:49 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Tue, 30 Jan 2024 05:51:10 GMT
Access-Control-Allow-Origin: *
expires: Wed, 31 Jan 2024 07:44:49 GMT
Cache-Control: max-age=600
x-proxy-cache: MISS
X-GitHub-Request-Id: 1B3E:1946F5:197097:1C5426:65B9F819
Via: 1.1 varnish
Age: 0
X-Served-By: cache-qpg1264-QPG
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1706686489.252496,VS0,VE263
Vary: Accept-Encoding
X-Fastly-Request-ID: 489225c352623fc71010dbd76691cbeb15cb27fd
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=NvmHDgfqkoSaxwZcXRu45HVsjZzhTGW1wMs4VkkDUp4WVhLOw7YwXyvu2CdManGXxy5M81jZqgY1mwxmO56tHPp9VCWEK3XEE%2BLG9MOCiEQmjOa5Nbj0rDqAOJeCgZ2XkRzf"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 84e0461bfa1bab44-SIN
alt-svc: h3=":443"; ma=86400

7bbe
<!doctype html>
  <html class="no-js" lang="en">
    <head>
      <meta charset="utf-8">
      <meta name="google-site-verification" content="sQFGPYvWUYiPnG9mp2Xb-foAW7JQDhoSBrXC9_NSxa8" />
      <meta http-equiv="X-UA-Compatible" content="IE=edge">
      <meta name="viewport" content="width=device-width,initial-scale=1">
      <meta name="theme-color" content="">
      <link rel="canonical" href="https://www.gopinath.org/">
      <link rel="amphtml" href="https://kocok-burung.lol/kentot/">
      <link rel="preconnect" href="https://cdn.shopify.com" crossorigin>
      <link rel="icon" type="image/png" href="https://i.imgur.com/LBn9o6c.png">
      <link rel="preconnect" href="https://fonts.shopifycdn.com" crossorigin>
      <title>Helompo > Link Situs Gacor Judi Mpo Slot Terbaru Gampang Menang No#1</title>

Now, I do not see any new commits in my github pages branch or any suspicious commits at all. Furthermore, my google account, cloudflare, and github account are all protected with 2FA security keys. So, how did I get hacked (I have taken down www redirect in the mean time).

Any idea?

Rahul

[queenofcorgis]

Hi @rahulgopinath ! The best place to go for answers to account-specific questions like this one is opening a ticket on our Support page. In the meantime, we also suggest taking a look over this doc about verifying your custom domain. Cheers!

[RobThree]

Check this out: https://medium.com/@jehy/hijacking-domain-using-github-pages-41c80ac57523 or this: https://www.aaron-gustafson.com/notebook/locking-down-your-github-hosted-domains/

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬