HELP! Unidentified person added as owner

JJL
Excursionist
33 0 25

I received this email from Google this morning:

New owner for https://ftp.(my domain name)
To owner of (my domain name),
Google has identified that (an email address) has been added as an owner of https://ftp.(my domain name)
Property owners can change critical settings that affect how Google Search interacts with your site. Ensure that only appropriate people have owner status, and that this role is revoked when it is no longer needed.
 
The domain name is the same as mine but with ftp. in front of it. I've checked in Google Search Console and this person has not been added as an owner on my domain name. When I go to the https://ftp.(my domain name) it takes me to a shop with one item on it (possibly a Shopify store).
 
I know this is not strictly a Shopify topic but I'm hoping someone might be able to help. Is this something I need to worry about? Is there anything I should do? Does ftp. in front of a domain name mean anything?
 
Thanks,
Jason.
JJL
Excursionist
33 0 25

Thank you Ryan, I've done that.

Does anyone know what the ftp. prefix is? Do I own that? Should I be worried that I am being hacked?

JJL
Excursionist
33 0 25

Yes, I still have access. How do I remove them?

JJL
Excursionist
33 0 25

Thank you for all your help so far, Ryan.

I have just found the rogue owner of the ftp. address in Google console. I have removed them but it says that they can just add themselves back again unless I remove an HTML tag from my homepage. Do you have any idea of how I would find this? How did they gain access in the first place?

JJL
Excursionist
33 0 25

I am the owner of the store and there are no staff members. I've checked in Shopify admin and no one else has been added. I've had no emails from Shopify to say that I've had a log in from an unknown device.

I do not have a Partner Dashboard account.

The only thing I've had is the email from Google Search Console saying that an email address (which is unknown to me) has added themselves as an owner of the domain name ftp.(my domain name).

I don't appear to have been hacked but a Shopify store does exist at ftp.(my domain name), which I have reported to Shopify.

Thanks.

JJL
Excursionist
33 0 25

Yes, I did get an email from Google with the No.2 I do not recognize. I went to Search Console and there is no record of any other user/owner being added.

The problem is that it is not my domain name, it is my domain name with ftp. in front of it. Google seems to think that it is a problem. I'm still not completely sure what the ftp. means!! Do I own the ftp. prefix domain name?

realityfade
Visitor
2 0 1

Any luck with this? I just woke up to the same problem. No owners except me in the list yet I got 2 of these emails. 

 

''New owner for https / mail dot mydomainname dot com / password

To owner of mydomainname,

Google has identified that xxx has been added as an owner of https / mail dot mydomainname dot com / password

Property owners can change critical settings that affect how Google Search interacts with your site. Ensure that only appropriate people have owner status, and that this role is revoked when it is no longer needed.''

JJL
Excursionist
33 0 25

Sorry this is happening to you too.

 

When you go into Google Search Console, is that subdomain listed or is it only your root domain that you can see? If it's not listed then click on 'ADD PROPERTY' and add the exact subdomain. Once you have done this you will be able to choose that subdomain, click on SETTINGS and then click USERS & PERMISSIONS, you will then see the offending 'owner' and be able to remove them (as the owner of the root domain you have control).

 

This will leave a 'LEFTOVER OWNERSHIP TOKEN' which you can only delete if you have access to the code on their store, which of course, you do not. So they could potentially add themselves back as an owner.

 

If you are not using the subdomain then go into the DNS settings where your domain is registered (mine is GoDaddy), find the CNAME file associated with the subdomain and delete it. This will take their store down. If you're not sure what effect this will have on your own sites then make a note of the details so that you can add it back in again if you need to. I'm guessing you're not using it and that's why it's been hijacked.

 

I've spoken to a few different people on other forums who have experienced the same thing. Is yours going to an Indonesian gambling site too?

 

I'm wondering if Shopify is allowing people free trials using any subdomain without checking authorisation. Make sure you contact Shopify about this so that they are fully aware of the problems they are causing.

 

All the best.

 

 

realityfade
Visitor
2 0 1

Thank you, just did all that, hope it helps. Cheers!

Jsonting
Tourist
3 0 0

This just happened to me too! And yes it's going into a gambling site called Serba88. 

How did they add themselves into my domain without my consent? Apparently they did it via HTML Tag, and now I can't remove their ownership!
This is really frustrating and Shopify said it's not their problem but GoDaddy's.

JJL
Excursionist
33 0 25

I've been talking to people on the Shopify forum and on the Google Search Central Community and there are lots of us having the same problem. It seems to be with people using GoDaddy and Shopify and it's when you have an unused DNS file in GoDaddy (such as ftp.), malicious users can then create a subdomain of your domain name with this file.

 

I don't think it's a GoDaddy problem, I do not think my GoDaddy account was compromised in any way. The problem seems to be that Shopify are allowing malicious users to set up stores using subdomains without any authorisation from the root domain holder.

 

Have you deleted the DNS file from GoDaddy? This will remove the page that the subdomain is pointing to.

 

 

sthr
Shopify Partner
1 0 0

Hi, I'm following your trail from GSC Community.

It happened to me as well, based on your info and my own rough research it seems they're exploiting unused subdomain & Shopify store? I still don't know how they gained access and Shopify support isn't helpful at all.

 

Thanks for bringing this up!

Erick_C
Tourist
10 0 3

I got this today too. I initially did not see new users or owners, but then tried adding that EXACT ftp url in the Google Search Console (e.g. https:// ftp. my-web-site. com).

 

It then revealed the owners and files that had permission. I revoked the access. I have no idea how this happened.

 

The first email was a gmail account and the next said iam.gserviceaccount

JJL
Excursionist
33 0 25

Sorry to hear this happened to you too. Out of interest, where did they point your hijacked subdomains to, was it an Indonesian gambling site too? I have a theory that they are hijacking subdomains so that their IP address is showing as not in Indonesia, as gambling is illegal there.

Erick_C
Tourist
10 0 3

Seems to be slots

favicon = [image: faviconV2.jpg]

[images: amp.JPG, index.JPG]

Antoes
Visitor
1 0 0

This same issue happened to us over the weekend. There were no CNAME or A records so we ended up logging into our domain registrar and forwarding ftp.oursite.com to our main site. Any official update from the Shopify team?

 

JJL
Excursionist
33 0 25

I haven't had any more updates from Shopify. I had a ticket open and was in conversation with one of their team about it; their last reply to me said that they were forwarding the matter to the relevant teams and that they were unable to interfere with Shopify accounts. When I tried to reply I found that they had closed the ticket! Have you contacted Shopify? It's good if more people contact them about it so they know how prolific this is. 

TR_Page
Shopify Expert
11 1 3

Had this happen with a merchant recently as well. Not surprising, but was GoDaddy - which seems to be a common link here.

 

Would recommend you update all passwords for access to GoDaddy and make sure you've got multi-factor authentication set up as well. Don't use SMS/text as an option whenever possible and use an authentication app instead (1Password is a great paid tool, Bitwarden a good free open source alternative for password managers).

 

For other folks facing this problem, you'll have records within GoDaddy, and you need to remove the DNS record that allows for a subdomain on "ftp" or any other subdomain you don't necessarily own. Before that, in order to gain access to your search console and remove other members you can add a TXT record to verify your ownership and then remove the bad actors. They won't be able to do HTML verification after you verify with DNS, remove, and then delete the subdomain record.

 

I'm working with a merchant who had this happen where Shopify does not have access/ability to create records and we've done all authentication manually (recommended because it works better anyways). This seems to be an issue with GoDaddy, not Shopify.

 

On the positive, Google views subdomains as separate entities so it's not likely that your primary URL property has been damaged but this is something you want to manage as quickly as possible.

 

If you don't have your primary property set up as a Domain property, would recommend that as well because you'll receive emails then whenever a new URL-prefix property is created.
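
The DNS clean-up advised in this thread (JJL's step of deleting the record behind an unused subdomain, and TR_Page's step of removing it after re-verifying by TXT record), as an added example that is not part of any post: a small audit that lists names you do not use whose records still end at your hosting platform. The zone text, the `IN_USE` set and the IP `203.0.113.10` are constructed; `shops.myshopify.com` is assumed here as the platform's CNAME target and should be checked against your own platform's documentation.

```python
# Added example: audit a DNS zone export for unused names that land on a hosting platform.
# ZONE is constructed sample data; 203.0.113.10 is a stand-in for the platform's IP.
ZONE = """\
@      A      203.0.113.10
www    CNAME  shops.myshopify.com.
ftp    CNAME  @
mail   CNAME  mail.example-mailhost.test.
blog   A      198.51.100.7
_dmarc TXT    "v=DMARC1; p=none"
"""

PLATFORM_TARGETS = {"203.0.113.10", "shops.myshopify.com"}  # assumption: set per platform
IN_USE = {"@", "www", "mail"}  # assumption: names the owner actually serves


def parse_zone(text):
    """Return {name: (rtype, target)} for A/CNAME lines of a 'name type value' export."""
    records = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[1].upper() in ("A", "CNAME"):
            records[parts[0].lower()] = (parts[1].upper(), parts[2].strip().rstrip(".").lower())
    return records


def final_target(name, records, max_hops=8):
    """Follow in-zone CNAMEs (including a CNAME to '@') to the last target."""
    for _ in range(max_hops):
        rtype, target = records[name]
        if rtype != "CNAME" or target not in records:
            return target
        name = target
    return None  # CNAME loop or overly long chain


def dangling_candidates(records, in_use, platform_targets):
    """Names not in use whose records still end at the hosting platform."""
    findings = []
    for name in sorted(set(records) - set(in_use)):
        target = final_target(name, records)
        if target in platform_targets:
            findings.append((name, records[name][0], target))
    return findings


if __name__ == "__main__":
    for name, rtype, target in dangling_candidates(parse_zone(ZONE), IN_USE, PLATFORM_TARGETS):
        print(f"review/delete: {name} {rtype} -> {target}")
```

A wildcard (`*`) record is reported the same way, since it makes every otherwise undefined name resolve to its target.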