Apache Friends Web Page Hijacked by Hackers?

Problems with the Windows version of XAMPP, questions, comments, and anything related.

Apache Friends Web Page Hijacked by Hackers?

Postby haleba » 12. November 2017 01:09

I received a mysterious, urgently worded text message 11/3/2017:

*********BEGIN MSG

JP.CHASE. Update ID#Cje03fa# Security update requested!
Review your account: www.chaseofficesa.gq [SLASH] cJTO [SLASH] wTSICMu.mob

*********END MSG

I replaced the forward slashes in the message text with [SLASH] to prevent click-throughs, even though this URL scans as clean on VirusTotal.

I entered the base web address www.chaseofficesa.gq which redirected to

http://www.chaseofficesa.gq/dashboard/

a "Welcome to XAMPP" web page nearly identical to a (apparently) legitimate page

http://robot.iecs.fcu.edu.tw/dashboard/

for Feng Chia University in Taiwan

except the links at the top of the chaseofficesa page ("Applications", "FAQs", etc.) are dead links that lead to DNS lookup error pages.

In fact, ALL attempts to look up chaseofficesa.gq led nowhere until I looked up "ccTLD" {"country code top-level domain") on Wikipedia and saw that the Equatorial Guinea top-level domain can be used freely. I looked into free domain services and used Freenom's WHOIS Lookup

http://whois.freenom.com/cgi-bin/whois

to learn that

"CHASEOFFICESA.GQ

"Your selected domain name is a domain name that has been cancelled, suspended, refused or reserved at the Registry. It may be available for re-registration at http://www.freenom.com.

"In the interim, the rights for this domain have been automatically transferred to:

Freedom Registry, Inc.
2225 East Bayshore Road #290
Palo Alto CA 94303
United States
Phone: +1 650-681-4172
Fax: +1 650-681-4173
E-mail: abuse: abuse@freenom.com, copyright infringement: copyright@freenom.com"

Finally I used tracert in Administrative Command Prompt that gave the IP address for chaseofficesa.gq as 198.105.254.104.

The WHOIS lookup for 198.105.254.104 led to Search Guide Inc, *another* shell according to a DSLReports forum post

http://www.dslreports.com/forum/r28918321-What-are-your-DNS-Servers

"For those of you wondering who's actually getting your data:
WOW sends all the hijacking data to "Search Guide Inc." Some of the traffic goes to Highwinds, but Highwinds is just providing a CDN. 'Search Guide Inc' doesn't exist on the internet - they have a domain but no website whatsoever."

So I give up. How and why a questionable text message led to Apache Friends is a question that is consuming too much of my personal time, so all I can do is report this here and cc Freenom.
haleba
 
Posts: 1
Joined: 11. November 2017 23:03
XAMPP version: 5.6.31
Operating System: Windows 8.0

Return to XAMPP for Windows

Who is online

Users browsing this forum: gsmith and 28 guests