Apache Friends Web Page Hijacked by Hackers?


Postby haleba » 12. November 2017 01:09

I received a mysterious, urgently worded text message on 11/3/2017:

*********BEGIN MSG

JP.CHASE. Update ID#Cje03fa# Security update requested!
Review your account: www.chaseofficesa.gq [SLASH] cJTO [SLASH] wTSICMu.mob

*********END MSG

I replaced the forward slashes in the message text with [SLASH] to prevent click-throughs, even though this URL scans as clean on VirusTotal.

I entered the base web address www.chaseofficesa.gq, which redirected to a "Welcome to XAMPP" web page nearly identical to an (apparently) legitimate page for Feng Chia University in Taiwan, except that the links at the top of the chaseofficesa page ("Applications", "FAQs", etc.) are dead links that lead to DNS lookup error pages.

In fact, ALL attempts to look up chaseofficesa.gq led nowhere until I looked up "ccTLD" ("country code top-level domain") on Wikipedia and saw that the Equatorial Guinea top-level domain can be used freely. I looked into free domain services and used Freenom's WHOIS Lookup to learn that:

"Your selected domain name is a domain name that has been cancelled, suspended, refused or reserved at the Registry. It may be available for re-registration at http://www.freenom.com.

"In the interim, the rights for this domain have been automatically transferred to:

Freedom Registry, Inc.
2225 East Bayshore Road #290
Palo Alto CA 94303
United States
Phone: +1 650-681-4172
Fax: +1 650-681-4173
E-mail: abuse: abuse@freenom.com, copyright infringement: copyright@freenom.com"

Finally I used tracert in an Administrator Command Prompt, which gave the IP address for chaseofficesa.gq as

The WHOIS lookup for led to Search Guide Inc., *another* shell according to a DSLReports forum post:

"For those of you wondering who's actually getting your data:
WOW sends all the hijacking data to "Search Guide Inc." Some of the traffic goes to Highwinds, but Highwinds is just providing a CDN. 'Search Guide Inc' doesn't exist on the internet - they have a domain but no website whatsoever."

So I give up. How and why a questionable text message led to Apache Friends is a question that is consuming too much of my personal time, so all I can do is report this here and cc Freenom.
Posts: 2
Joined: 11. November 2017 23:03
XAMPP version: 5.6.31
Operating System: Windows 8.0

Re: Apache Friends Web Page Hijacked by Hackers?

Postby haleba » 27. November 2017 01:49

A new "XAMPP attack" an hour ago:

FACEBOOK Alert ID#WXbY2wMQ# Your account is currently locked! Log in, to fix this issue: www.facebookmuserslo.tk [/] fjEq [/] czmi0.mob


The base URL www.facebookmuserslo.tk once again directs to a XAMPP "dashboard" page.

The links at the top of this page are still active, and I saved a copy of the phpinfo page, which gives a server IP of

Once again lookups of the domain name lead to Freenom, this time via Dot TK:

Domain name:

Dot TK administrator
P.O. Box 11774
1001 GT Amsterdam
Phone: +31 20 5315725
Fax: +31 20 5315721
E-mail: abuse: abuse@freenom.com, copyright infringement: copyright@freenom.com

Forwarding to Freenom as before.
Posts: 2
Joined: 11. November 2017 23:03
XAMPP version: 5.6.31
Operating System: Windows 8.0
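The triage both posts above walk through by hand (defanging the link so nobody clicks it, pulling the base hostname out of the SMS text, noticing that the TLD is one Freenom hands out for free and that the hostname merely contains a brand name rather than belonging to the brand) can be scripted. The following is an added example, not code from this thread or from Apache Friends: the two sample messages are the ones quoted in the posts (as defanged there), the brand-to-legitimate-domain table is constructed for the example, and the URL regex is a deliberately simple approximation rather than a full RFC 3986 parser.

```python
import re
from urllib.parse import urlsplit

# The five TLDs Freenom registered for free; .gq and .tk are the two seen
# in the thread, the other three (.ml, .ga, .cf) were offered the same way.
FREENOM_FREE_TLDS = {"tk", "ml", "ga", "cf", "gq"}

# Constructed for the example: brand keyword -> apex domains that really
# belong to the brand. A hostname that contains the keyword but whose apex
# is not in this set is a lookalike.
BRAND_DOMAINS = {
    "chase": {"chase.com", "jpmorganchase.com"},
    "facebook": {"facebook.com", "fb.com"},
}

# Sample input: the two SMS texts quoted in the posts, defanged as posted.
SAMPLE_MESSAGES = [
    "JP.CHASE. Update ID#Cje03fa# Security update requested! "
    "Review your account: www.chaseofficesa.gq [SLASH] cJTO [SLASH] wTSICMu.mob",
    "FACEBOOK Alert ID#WXbY2wMQ# Your account is currently locked! "
    "Log in, to fix this issue: www.facebookmuserslo.tk [/] fjEq [/] czmi0.mob",
]

# Undo common defanging conventions ([SLASH], [/], [.], [DOT], hxxp) so the
# text can be parsed; whitespace around the marker is removed as well.
_REFANG = [
    (re.compile(r"\s*\[\s*(?:SLASH|/)\s*\]\s*", re.I), "/"),
    (re.compile(r"\s*\[\s*(?:DOT|\.)\s*\]\s*", re.I), "."),
    (re.compile(r"hxxp(s?)://", re.I), r"http\1://"),
]

# Optional scheme, one or more dotted labels, an alphabetic TLD of 2+ chars,
# optional path; must be followed by whitespace/punctuation or end of text so
# "JP.CHASE." (a dot with nothing usable after it) is not taken as a host.
_URL_RE = re.compile(
    r"\b(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?(?=[\s,;)]|$)", re.I
)


def refang(text: str) -> str:
    for pattern, replacement in _REFANG:
        text = pattern.sub(replacement, text)
    return text


def defang(url: str) -> str:
    """Render a URL so that mail and chat clients will not linkify it."""
    return url.replace("http", "hxxp", 1).replace("/", "[/]").replace(".", "[.]")


def extract_urls(text: str) -> list[str]:
    return [m.group(0) for m in _URL_RE.finditer(refang(text))]


def host_of(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname.lower()


def apex_of(host: str) -> str:
    # Last two labels. Adequate for the single-level TLDs in this example;
    # a real tool would consult the Public Suffix List for e.g. co.uk.
    return ".".join(host.split(".")[-2:])


def triage(sms: str) -> list[dict]:
    """Return one finding per URL in the message, with indicator flags."""
    findings = []
    for url in extract_urls(sms):
        host = host_of(url)
        tld = host.rsplit(".", 1)[-1]
        apex = apex_of(host)
        flags = []
        if tld in FREENOM_FREE_TLDS:
            flags.append("free-cctld")
        for brand, legit_apexes in BRAND_DOMAINS.items():
            if brand in host and apex not in legit_apexes:
                flags.append(f"lookalike:{brand}")
        findings.append({"url": defang(url), "host": host, "tld": tld, "flags": flags})
    return findings


if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        for finding in triage(message):
            print(finding)
```

Running it prints one finding per message, each flagged both `free-cctld` and `lookalike:<brand>`; the defanged URL in the finding is the form to paste into an abuse report. The next manual steps from the posts (WHOIS on the apex, a traceroute to the resolved IP) need network access and are intentionally left out.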
