this post was submitted on 14 Jan 2025
        
      
      43 points (89.1% liked)
      Technology
    76362 readers
  
      
      1334 users here now
      This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
        founded 2 years ago
      
      MODERATORS
      
    you are viewing a single comment's thread
view the rest of the comments
    view the rest of the comments
The .mobi was a previous post where they bought the expired domain which was previously used by the .mobi WHOIS server.
A bunch of systems apparently didn't update their WHOIS database and still tried to get WHOIS information from the old domain.
This could lead to RCE in some implementations if they provided a malicious response.
A bunch of CAs also accessed the old domain and use WHOIS to verify domain ownership. By setting their own email address for verification, they could have issued themselves a certificate for any .mobi domain (microsoft.mobi, google.mobi for examle).
Now to this article, here they looked at a bunch of webshells with backdoors added by the developers. Some of the domains had expired, so by getting those domains and setting up a webserver they got connections from different systems infected by the malware. They could have used the same backdoor previously used by the devs to access those same systems remotely and do whatever.
Thanks mate!