Expired WHOIS Server

We often cover SEO spam attacks on compromised sites. A far less common blackhat technique is to inject spam into the WHOIS result for a domain, which makes it both unusual and difficult to detect.

“WHOIS” is a protocol used to look up the registered owner of a domain name. The records are publicly accessible and help build trust online; they include the owner’s name and postal address as well as their phone number. A website owner who wants to keep that personal information private has to buy a WHOIS protection service.

WHOIS Server Hack: A Quick Overview

A WHOIS user was alarmed by recent changes to his records and by the spam-laden notification emails he was receiving. Researchers discovered that attackers had purchased the domain of a once-legitimate South African WHOIS server after it expired, and were placing unauthorized, arbitrary ads into the records returned by that old server.

The suffix .co.za identifies South African domains under the .za country-code top-level domain. A search found the client’s official WHOIS server (a CNAME to whois.coza.net.za), and nothing was wrong with it. The WHOIS server’s changelog, however, contained specific details about what had been changed, and that was where the fun began.

WHOIS Server Displayed Spam Content

The WHOIS changelog revealed a new set of spam links that were being included in all outgoing email notifications. Although every spam email was identical, the end of each one held a clear clue pointing to another website, which raised the question: “Why would queries go directly to whois.co.za rather than whois.coza.net.za?”

Examining the WHOIS Server

Researchers immediately dug deeper by running the query “whois victim-site.co.za” against the server “za.whois-servers.net”.

The results showed that the domain name itself was involved in the problem. For the root cause analysis, an updated whois client (version 5.2.12) was installed via Homebrew, and its result showed that the spam content was no longer present.

These results helped us to narrow down the problem even further!

Scanning the Registry Website

Visiting the WHOIS site hxxp://whois[.]co[.]za promptly redirected to the legitimate registry page, https://www.registry.net.za/whois/.

But visiting hxxp://www.whois[.]co[.]za redirected to an ad-laden page under www.whois[.]co[.]za, and many ads began to appear on the screen. Bingo!

This showed that the domain whois.co.za was hacked.

It turned out that the DNS records for the bare domain and for the www subdomain were set up to point at different servers.

hxxp://whois[.]co[.]za displayed a clean version, while hxxp://www.whois[.]co[.]za was spam-filled. Another WHOIS query was then executed, and it pointed out which server was being used.

It was eventually revealed that a hacker had gained control of the domain whois.co.za and replaced its content on April 22nd. Since then, clients had been receiving unsolicited advertisements in their notification emails.

Outdated WHOIS Server

This problem is present in versions of the whois client older than 5.0.19. Version 4.7.33 of the client still queried whois[.]co[.]za for co.za domains; after that domain expired, a hacker bought it and used it to send advertising messages.

Whois clients older than 5.0.19 may therefore continue to receive such messages when they query co.za domains. South African registrars have been informed about the issue.
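A check for the failure mode described above (a client whose built-in WHOIS server for a zone has lapsed and been re-registered), written here as an added example rather than code from the original post: it compares the client’s hardcoded server with the `refer:` entry that whois.iana.org returns for the TLD, and flags responses that carry links or HTML instead of registration fields. The `*.example` hostnames and canned responses are constructed so the check runs offline; only whois.iana.org and its `refer:` field are real.

```python
import re
import socket
IANA_WHOIS = "whois.iana.org"

def whois_query(server, query, transport=None):
    """One RFC 3912 exchange: send the query plus CRLF on TCP/43 and read to EOF.
    `transport(server, query)` lets the check run offline against canned text."""
    if transport is not None:
        return transport(server, query)
    with socket.create_connection((server, 43), timeout=10) as sock:
        sock.sendall(query.encode() + b"\r\n")
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode(errors="replace")

def iana_referral(tld, transport=None):
    """IANA's record for a TLD carries a `refer:` line naming its current WHOIS server."""
    text = whois_query(IANA_WHOIS, tld, transport)
    match = re.search(r"^refer:\s*(\S+)", text, re.MULTILINE)
    return match.group(1).lower() if match else None

def looks_like_spam(text):
    """Registration data carries field names; a repurposed domain tends to serve links or HTML."""
    has_fields = re.search(r"^\s*(Domain Name|Registrar|Registrant)\b", text, re.M | re.I)
    has_links = re.search(r"https?://|<a\s|<html", text, re.I)
    return bool(has_links) and not bool(has_fields)

def audit_zone(tld, configured_server, domain, transport=None):
    """Findings for a client that still hardcodes `configured_server` for `tld`."""
    findings = []
    referral = iana_referral(tld, transport)
    if referral and referral != configured_server.lower():
        findings.append(f"stale server: client uses {configured_server}, IANA refers to {referral}")
    if looks_like_spam(whois_query(configured_server, domain, transport)):
        findings.append(f"{configured_server} returned links/HTML instead of registration data")
    return findings

# Constructed stand-ins for live servers (placeholder hostnames, not real WHOIS output).
CANNED = {
    ("whois.iana.org", "za"): "domain: ZA\nrefer: whois.authoritative.example\n",
    ("whois.lapsed.example", "victim-site.co.za"): "Great deals! http://ads.example <a href='#'>buy</a>\n",
    ("whois.authoritative.example", "victim-site.co.za"): "Domain Name: victim-site.co.za\nRegistrar: Example\n",
}
def fake_transport(server, query):
    return CANNED[(server, query)]

if __name__ == "__main__":
    print(*audit_zone("za", "whois.lapsed.example", "victim-site.co.za", fake_transport), sep="\n")
```

IANA’s referral names the TLD operator’s server, and a second-level zone such as co.za may delegate to its own, so treat a mismatch as a prompt to verify the client’s server list rather than as proof of compromise.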

Conclusion

To make sure that attackers cannot make unauthorized changes to, or compromise, the WHOIS server they rely on, users should keep an eye on their WHOIS records. If there are any developments, we will keep you informed.