HACKER Q&A
📣 etewiah

How do you stop someone from promoting a fake GitHub?


Just came across a copy of GitHub hosted on an entirely different domain:

https://github.innominds.com/etewiah/quasar-property-web-builder

The disturbing thing is that it came up higher in the search results for my Google search. How can this be stopped???


👤 dfcowell Accepted Answer ✓
An abuse complaint to their web host or domain registrar would be the first place to start. infosniper.net is one place to start; any random Whois provider will turn up their registrar.

👤 legostormtroopr
It doesn’t look like a “fake” GitHub as it has every page I looked for on GitHub. I’d wager that they have set up a DNS so that their team can push to a GitHub subdomain for some reason. Unless they are mirroring absolutely every public GitHub page.

The odd thing is, if that’s the case why is GitHub returning pages on a non-GitHub domain at all?


👤 LinuxBender
Anti-malware doesn't like that IP. There is probably something more going on than just posing as GitHub. VirusTotal [1] also has a couple of findings. You could try calling their ISP's customer service on the off chance they may do something with it. That network also shows up in the firehol [2] blocklists so they may cycle their IP within that network to evade some anti-malware. I would wager they have many domains and IP addresses to choose from.

  grep -c "^115\.111\.91\." *set 2>/dev/null | grep -E -v ":0$"

  cruzit_web_attacks.ipset:1
  firehol_level4.netset:1
  iblocklist_cruzit_web_attacks.netset:1
  nullsecure.ipset:1

whois:

  organisation:   ORG-TCL6-AP
  org-name:       Tata Communications Limited
  country:        IN
  address:        Customer Service & Operations
  address:        Plot Nos. C-21 & C-36
  address:        'G' Block, Bandra Kurla Complex,
  phone:          +91-22-66502826
  fax-no:         +91-22-66502039
  e-mail:         ip-addr@tatacommunications.com
  mnt-ref:        APNIC-HM
  last-modified:  2017-08-14T01:05:24Z
  source:         APNIC

[1] - https://www.virustotal.com/gui/url/bba0280c47f58e96f1ff15af7...

[2] - https://github.com/firehol/blocklist-ipsets.git
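
A CIDR-aware version of the blocklist lookup in the comment above, as an added example that is not part of the thread: the grep matches on a text prefix, while this parses each set and tests whether one address falls inside any listed network. The set names and addresses are constructed samples from documentation ranges, assuming the plain-text format of one address or CIDR per line with `#` comments.

```python
import ipaddress

# Constructed sample data in the .ipset/.netset text format:
# '#' comment lines, then one IPv4 address or CIDR network per line.
# Names and addresses are made up (documentation ranges), not from the thread.
SAMPLE_SETS = {
    "example_level4.netset": "# constructed sample\n198.51.100.0/24\n203.0.113.0/25\n",
    "example_attacks.ipset": "# constructed sample\n203.0.113.7\n192.0.2.55\n",
    "example_other.ipset": "# constructed sample\n192.0.2.1\n",
}


def parse_set(text):
    """Return the networks listed in one .ipset/.netset file body."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        try:
            # A bare address becomes a /32 network.
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # skip malformed entries rather than abort the scan
    return nets


def matching_sets(ip, sets):
    """Map each set name to the entries that contain `ip`."""
    addr = ipaddress.ip_address(ip)
    hits = {}
    for name, text in sets.items():
        found = [str(net) for net in parse_set(text) if addr in net]
        if found:
            hits[name] = found
    return hits


if __name__ == "__main__":
    for name, entries in sorted(matching_sets("203.0.113.7", SAMPLE_SETS).items()):
        print(f"{name}: {', '.join(entries)}")
```

To run it against a local checkout of the blocklist repository, build the dictionary from the `*.ipset` and `*.netset` files instead of `SAMPLE_SETS`.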


👤 nyanpasu64
Reminds me of http://github.55860.com/ from a few weeks or months ago. I still don't know if that was set up to steal passwords from a fake login form, or for a Chinese company to access GitHub from behind the Great Firewall.

👤 flala
Perhaps the domain was created by Copilot! All is well, we are just moving to the next level of software development!