The Story of an Expired WHOIS Server

We write quite often about SEO spam injections on compromised websites, but this is the first time we have seen this blackhat tactic spreading into the WHOIS results for a domain name.

If you are not familiar with "WHOIS", it is a protocol used to check who owns a specific domain name. These simple text records are publicly available and usually contain contact details for the website owner, i.e. their name, address, and phone number (unless the website owner purchased a WHOIS protection service).

Anatomy of a WHOIS Hack

A customer of ours was concerned about recent changes to their WHOIS records and email notifications containing spam content. We investigated further and discovered that attackers had taken advantage of domain expiration by purchasing a previously legitimate WHOIS server. They managed to insert arbitrary ads into the old South African WHOIS server records.

South Africa uses the country code for its official top-level domain. When we looked up where the official WHOIS server was for the client, we got a response like this:

dig +noall +answer
; <<>> DiG 9.8.3-P1 <<>> +noall +answer
;; global options: +cmd
          537    IN   CNAME
          7138   IN   A

Everything looks fine so far – coza[.] is the official registrar for all domains. Nothing appears to be wrong here.

However, the WHOIS record change notifications also contained information about what was changed.

Spam Content in WHOIS Records

Each notification email showed a new set of spam links in the WHOIS changelog. These alerts gave us the information we needed to dig deeper.

The emails our customer received looked something like this:

< [3]Your Lucky Day: Become A Millionaire!
<        Spin The Lucky Slots 80 Free Spins! Jackpot is over USD
<        $9,909,349.05
<        [4]hxxp://www.facebook .com/myVegas

> [3]You are a Winner!
>        One of Your Prizes: iPad mini SmartTV 65″. Participation Required
>        [4]hxxp://helpfulhint .net/Free_iPad
<        [6]hxxp://www.survey-prizes .com/

[6]hxxp:// .com/survey-prizes
<        [8]hxxp:// .com/survey-prizes
<      *
<    1.

OcLIYZRmzP475….. (truncated)

This was clearly spam, but there was a small clue at the end of the message. Why would queries go to instead of

Querying the WHOIS Server

I opened Terminal and ran this query to find out:

whois: nodename nor servname provided, or not known

Seeing this tipped me off that something was definitely going on with this domain name.

To find the root cause of these issues, I installed Brew (Homebrew) and used it to install an updated version of WHOIS, version 5.2.12. I then ran the same command again, and this time I had a different outcome (client information has been redacted).

    Domain Name:
       Email: [redacted]
       Tel: [redacted]
       Fax: None
    Registrant's Address:
       Internet Solutions
    Relevant Dates:
       Registration Date: 1997-07-04
       Renewal Date:      2016-07-04
    Domain Status:
       Registered until renewal date
    Pending Timer Events:
    Name Servers: [ redacted IP ] [ redacted IP ] [ redacted IP ]
    WHOIS lookup made at 2016-05-08 04:55 UTC
The use of this Whois facility is subject to the following terms and
Copyright (c) ZACR 1995-2016

Bingo, a correct result!

Still, this didn’t tell me what the issue was exactly.

Browsing The Registry Website

I opened my browser and visited the site for the WHOIS server:


… I was immediately redirected to – which is fine. It’s a legitimate website.

However when I went to:


… this time, I was redirected elsewhere, and a bunch of ads started popping up on my browser. GOTCHA!

This tells me something is wrong with the domain – and naturally, I needed to find out! I kept on checking using dig and found the following DNS records:

            560   IN    A
            573   IN    A

The bare domain and the www subdomain point to different servers. You get a clean version when you use hxxp://whois[.] and a spam-filled one when you use hxxp://www.whois[.]

I then ran another WHOIS query, this time explicitly telling the whois command which server to use:

$ whois -h
    Domain Name:
       HR Staffing
       Tel: +1.7274786000
       Fax: +1.7274786001
    Registrant's Address:
       7335 US Highway N
       New Port Richey
       HR Staffing
    Relevant Dates:
       Registration Date: 2016-04-22
       Renewal Date:      2017-04-22
    Domain Status:
       serverDeleteProhibited, serverTransferProhibited, serverUpdateProhibited
    Pending Timer Events:
    Name Servers:
    WHOIS lookup made at 2016-05-06 15:34 UTC

There you go! Someone got hold of the domain and renewed it on April 22nd. Our client has been seeing ads in their notification emails ever since.

I tried to replicate the issue using a virtual machine and ran the WHOIS command there:

[me@vm-centos6 ~]$ whois

Instead of a WHOIS record, the server returned script code that renders an HTML page with – yes, you guessed it – lots of ads.

Outdated WHOIS Version

Here is the tricky part. The issue does not happen to everyone.

It only happens with versions of WHOIS older than 5.0.19.

My colleague, Joao, found the GitHub changelog for Debian's WHOIS package, which explains why these versions of WHOIS behave differently.

Expired WHOIS Servers

Essentially, the whois[.] domain was removed in version 4.7.33 back in 2009 because the domain was being taken down, which necessitated changes to the ccTLD domains that affected WHOIS lookups.

Reading more about this on the IANA website revealed changes submitted in 2005 that affected the domains and the WHOIS servers. As a consequence of these changes, whois[.] was removed from the official list of WHOIS servers for domains – and was its replacement.

An attacker capitalized on this after the domain expired by purchasing it and using it to serve advertisements instead of valid WHOIS information.

This means that all UNIX systems using a WHOIS version older than 5.0.19 will still see the deprecated (and now malicious) WHOIS server when querying domains.
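As an added defensive check (example code written for this post, not part of the original article or of any whois package): the script below asks IANA's WHOIS server (whois.iana.org, which answers a bare TLD query with a "whois:" referral line) which server is currently authoritative for a TLD, compares it with the server an outdated client would use, and flags a reply that is HTML/script rather than a text record, the symptom shown above. The sample responses and server names embedded at the bottom are constructed placeholders.

```python
import re
import socket
from typing import Optional

IANA_WHOIS = "whois.iana.org"  # IANA's WHOIS server; its TLD records carry a "whois:" referral field

def whois_query(server: str, query: str, timeout: float = 10.0) -> str:
    """Minimal RFC 3912 client: TCP/43, send the query plus CRLF, read until the server closes."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def parse_iana_referral(iana_text: str) -> Optional[str]:
    """Extract the 'whois:' field from an IANA TLD record (None if the TLD has no referral)."""
    m = re.search(r"^whois:\s*(\S+)\s*$", iana_text, re.MULTILINE | re.IGNORECASE)
    return m.group(1).lower() if m else None

def looks_like_whois_record(reply: str) -> bool:
    """True for a plain-text WHOIS record; False if the reply is HTML/script (ads, redirects)."""
    head = reply.lstrip()[:2048].lower()
    return re.search(r"<\s*(!doctype|html|script|iframe|meta)\b", head) is None

def check_tld_server(tld: str, client_server: str) -> dict:
    """Network check: compare the server a (possibly outdated) whois client uses for a TLD
    with IANA's current referral, and flag a stale mapping."""
    iana_server = parse_iana_referral(whois_query(IANA_WHOIS, tld))
    return {
        "authoritative": iana_server,
        "client_uses": client_server.lower(),
        "stale": iana_server is not None and iana_server != client_server.lower(),
    }

# Constructed sample data (placeholder names, not from the original post) so the
# parsing and detection helpers can be exercised offline.
SAMPLE_IANA = "% IANA WHOIS server\ndomain:       EXAMPLE\nwhois:        whois.nic.example\nstatus:       ACTIVE\n"
SAMPLE_GOOD = "    Domain Name:\n       example.example\n    Domain Status:\n       Registered until renewal date\n"
SAMPLE_BAD = "<!DOCTYPE html><html><head><script src='ads.js'></script></head><body>You are a Winner!</body></html>"

if __name__ == "__main__":
    print("IANA referral:", parse_iana_referral(SAMPLE_IANA))
    print("good reply is a record:", looks_like_whois_record(SAMPLE_GOOD))
    print("ad reply is a record:", looks_like_whois_record(SAMPLE_BAD))
```

For a live check, call check_tld_server("<tld>", "<server your client uses>"); a "stale" verdict means the client's built-in mapping no longer matches IANA's referral.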

I reported this to the South African registrar, but unfortunately, I haven’t received a reply from them.

It’s important to keep an eye on your WHOIS records to ensure hackers don’t make unauthorized changes or compromise your WHOIS server. Our WHOIS monitoring service will notify you so you can verify the changes are legitimate or address any unauthorized changes.
