Home Website Security The Legend of an Outdated WHOIS Server

The Legend of an Outdated WHOIS Server

SEO spam attacks on compromised websites may be common, as we cover them quite frequently. Yet, shedding light on a blackhat tactic used to infiltrate a WHOIS results for a domain name is complex and unique, as it is not a common occurrence.

“WHOIS” is a protocol which is used to verify who owns a unique domain name. Simply put, these records are available to everyone with the goal of creating trust online through visibility of the website owner’s name, address, and phone number.  Yet if a website owner is interested in safeguarding their personal information, they are required to purchase the WHOIS server protection service.

WHOIS Server Hack – A Quick Outline

Recently, a WHOIS service user got really upset about the changes in his records, as well as email notifications he received that were carrying spam content. Research revealed that hackers had taken advantage of customers’ domain expiration by purchasing a previously legitimate WHOIS server. They then included arbitrary and unauthorized ads in this newly purchased old South African WHOIS server records.

The country code .co.za is used for a top-level domain official in South Africa. A search to locate the official WHOIS server for client (CNAME whois.coza.net.za.) came back with nothing wrong. But, the changes made in the WHOIS server contained details of what was changed and this was where things got really interesting.

WHOIS Server Showed Records of Spam Content

The WHOIS changelog demonstrated a new set of spam links which were included on all out-going email notifications. Even though all the spam emails looked similar, there was a strong clue at the end of each email redirecting users to another site – “Why would queries go to whois.co.za instead of whois.coza.net.za?”

Investigating the WHOIS Server

Researchers immediately ran a query to dig deeper on “whois victim-site.co.za whois: za.whois-servers.net:”.

You guessed it: the results indicated that the domain name had something to do with the issue. So, performing a root cause analysis by installing Brew with an updated version of WHOIS 5.2.12 caused a different result where the client information had been redacted.

The fetched results paved the way to further narrow down on the real problem!

Scanning The Registry Website

On visiting the WHOIS server site – hxxp://whois[.]co.za, it promptly redirected to the legitimate website, https://www.registry.net.za/whois/ –.

However, upon visiting hxxp://www.whois[.]co.za, it redirected to a completely different site and numerous ads started to crowd the screen immediately. Bingo!

This proved that whois.co.za domain – was hacked.

The DNS records were culled out and it showed that the bare domain and subdomain were configured to different servers.

The hxxp://whois[.]co. za showed a clean version while hxxp://www.whois[.]co.za was spam-filled. Another WHOIS query was run and this time it clearly pointed out which server to use.

In the end, it was revealed that some hacker gained access into the domain whois.co.za and replaced it on April 22nd. Since then, clients started receiving unsolicited ads in their notification emails.

Outdated WHOIS Server

The problem occurs with versions of WHOIS older than 5.0.19. In 2009, the whois[.]co.za domain was removed in version 4.7.33. A hacker capitalized by purchasing it after the domain expired to send advertisements.

On the other hand, WHOIS versions older than 5.0.19 will go on to see such messages when querying co.za domains. The issue has been reported to the South African registrar.


It’s important for all users to keep a track on their WHOIS records to stay rest assured that the hackers are not making any illegal changes or compromise to their WHOIS server. We will keep you posted here if there are any further developments with the issue.

Momed Jussubhttps://www.mozdomains.com
Network Engineer (Cisco, Mikrotik, Juniper, Huawei, Ubiquiti, Fortigate, pfSense, Palo Alto), CCTV Engineer, IPTV Engineer, Virtualization Specialist OpenVZ, XEN, KVM and HyperV, Optical Fiber Network Specialist, System Administrator Windows /Linux, PenTester, Full Stack Developer (HTML, CSS3, PHP, C # Desktop App, C # ASP.NET, MySQL, MSSQL) and Writer.
Notify of
Inline Feedbacks
View all comments

Must Read

Intermediary Root CA Certificate Expiration cPanel/WHM – Sectigo

On May 30, 2020 an intermediary CA certificate used by Sectigo expired causing some older versions of OpenSSL unable to validate the...

Five Reasons Why Small Businesses are Prone to Malware Attacks

Often times, most people think that small startups experience less security threats than their big counterparts. Although there’s some truth to it, it’s not...

DDoS Attack On WordPress Search

WordPress is one of the most popular platforms that allows users to create and manage their own websites. Through WordPress aspiring writers, bloggers, and...

How to Detect and Remove Malware from Website?

Hackers inject malware into websites to take advantage of the site’s traffic as a way to distribute potentially unwanted applications into many visitor’s computers...

Online Website Scanner

Online vulnerability scanners perform a vulnerability analysis or vulnerability assessment by describing, detecting, and classifying the security holes existing in websites. This type of...
Would love your thoughts, please comment.x