Apache Friends Web Page Hijacked by Hackers?

Postby haleba » 12. November 2017 01:09

I received a mysterious, urgently worded text message 11/3/2017:

*********BEGIN MSG

JP.CHASE. Update ID#Cje03fa# Security update requested!
Review your account: www.chaseofficesa.gq [SLASH] cJTO [SLASH] wTSICMu.mob

*********END MSG

I replaced the forward slashes in the message text with [SLASH] to prevent click-throughs, even though this URL scans as clean on VirusTotal.

I entered the base web address www.chaseofficesa.gq which redirected to

http://www.chaseofficesa.gq/dashboard/

a "Welcome to XAMPP" web page nearly identical to an (apparently) legitimate page

http://robot.iecs.fcu.edu.tw/dashboard/

for Feng Chia University in Taiwan

except the links at the top of the chaseofficesa page ("Applications", "FAQs", etc.) are dead links that lead to DNS lookup error pages.

In fact, ALL attempts to look up chaseofficesa.gq led nowhere until I looked up "ccTLD" ("country code top-level domain") on Wikipedia and saw that the Equatorial Guinea top-level domain can be used freely. I looked into free domain services and used Freenom's WHOIS Lookup

http://whois.freenom.com/cgi-bin/whois

to learn that

"CHASEOFFICESA.GQ

"Your selected domain name is a domain name that has been cancelled, suspended, refused or reserved at the Registry. It may be available for re-registration at http://www.freenom.com.

"In the interim, the rights for this domain have been automatically transferred to:

Freedom Registry, Inc.
2225 East Bayshore Road #290
Palo Alto CA 94303
United States
Phone: +1 650-681-4172
Fax: +1 650-681-4173
E-mail: abuse: abuse@freenom.com, copyright infringement: copyright@freenom.com"

Finally, I used tracert in an Administrative Command Prompt, which gave the IP address for chaseofficesa.gq as 198.105.254.104.

The WHOIS lookup for 198.105.254.104 led to Search Guide Inc, *another* shell according to a DSLReports forum post

http://www.dslreports.com/forum/r28918321-What-are-your-DNS-Servers

"For those of you wondering who's actually getting your data:
WOW sends all the hijacking data to "Search Guide Inc." Some of the traffic goes to Highwinds, but Highwinds is just providing a CDN. 'Search Guide Inc' doesn't exist on the internet - they have a domain but no website whatsoever."

So I give up. How and why a questionable text message led to Apache Friends is a question that is consuming too much of my personal time, so all I can do is report this here and cc Freenom.
haleba
 
Posts: 2
Joined: 11. November 2017 23:03
XAMPP version: 5.6.31
Operating System: Windows 8.0

Re: Apache Friends Web Page Hijacked by Hackers?

Postby haleba » 27. November 2017 01:49

A new "XAMPP attack" an hour ago

*********************

FACEBOOK Alert ID#WXbY2wMQ# Your account is currently locked! Log in, to fix this issue: www.facebookmuserslo.tk [/] fjEq [/] czmi0.mob

*********************

The base URL www.facebookmuserslo.tk once again directs to a XAMPP "dashboard" page

http://www.facebookmuserslo.tk/dashboard/

The links at the top of this page are still active, and I saved a copy of the PHPInfo page, which gives a server IP of 195.22.126.159.


Once again, lookups of the domain name lead to Freenom, this time via Dot TK:

Domain name:
FACEBOOKMUSERSLO.TK

Organisation:
BV Dot TK
Dot TK administrator
P.O. Box 11774
1001 GT Amsterdam
Netherlands
Phone: +31 20 5315725
Fax: +31 20 5315721
E-mail: abuse: abuse@freenom.com, copyright infringement: copyright@freenom.com

Forwarding to Freenom as before
haleba
 
Posts: 2
Joined: 11. November 2017 23:03
XAMPP version: 5.6.31
Operating System: Windows 8.0
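A small triage script, added here as an example and not part of haleba's posts, that applies the checks from both messages offline: it undoes the [SLASH] and [/] substitutions, pulls out the hostname, and flags a Freenom free ccTLD (.tk, .ml, .ga, .cf, .gq), a brand name inside a domain the brand does not own, and the urgency wording. The brand-to-domain table and the lure word list are assumptions chosen for these two messages; the two sample texts are the ones quoted in the thread.

```python
import re
from typing import List, Optional

# ccTLDs Freenom registered free of charge; both WHOIS lookups in the thread ended there.
FREENOM_TLDS = {"tk", "ml", "ga", "cf", "gq"}

# Assumed table: brand word seen in the lure -> domain the brand actually uses.
BRAND_DOMAINS = {"chase": "chase.com", "facebook": "facebook.com"}

# Tokens the poster substituted for "/" so the links would not be clickable.
SLASH_TOKENS = (" [SLASH] ", " [/] ")

# Assumed lure vocabulary, taken from the two messages above.
LURE_WORDS = re.compile(r"\b(update|locked|security)\b", re.I)

def extract_domain(message: str) -> Optional[str]:
    """Undo the slash substitutions and return the www. hostname, or None."""
    text = message
    for tok in SLASH_TOKENS:
        text = text.replace(tok, "/")
    # Deliberately requires a "www." host so "JP.CHASE." is not mistaken for one.
    m = re.search(r"(?:https?://)?(www\.[a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?", text, re.I)
    return m.group(1).lower() if m else None

def phishing_indicators(message: str) -> List[str]:
    """Return the indicator names that fire for one SMS text (empty = nothing found)."""
    host = extract_domain(message)
    if host is None:
        return []
    flags = []
    labels = host.split(".")
    if labels[-1] in FREENOM_TLDS:
        flags.append("free-tld:" + labels[-1])
    registered = ".".join(labels[-2:])          # e.g. chaseofficesa.gq
    for brand, real_domain in BRAND_DOMAINS.items():
        if brand in host and registered != real_domain:
            flags.append("brand-lookalike:" + brand)
    if LURE_WORDS.search(message):
        flags.append("urgency-lure")
    return flags

# Constructed inputs: the two texts quoted in the thread plus a benign control line.
SMS_CHASE = ("JP.CHASE. Update ID#Cje03fa# Security update requested! "
             "Review your account: www.chaseofficesa.gq [SLASH] cJTO [SLASH] wTSICMu.mob")
SMS_FACEBOOK = ("FACEBOOK Alert ID#WXbY2wMQ# Your account is currently locked! "
                "Log in, to fix this issue: www.facebookmuserslo.tk [/] fjEq [/] czmi0.mob")
SMS_BENIGN = "Reminder: your statement is available at https://www.chase.com/account"
```

Running `phishing_indicators` over each constant shows the two lures tripping all three checks and the control line tripping none.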
