Hacker News
Ask HN: How do you stop someone from promoting a fake GitHub?
22 points by etewiah on Nov 1, 2021 | 9 comments
Just came across a copy of GitHub hosted on an entirely different domain:

https://github.innominds.com/etewiah/quasar-property-web-builder

The disturbing thing is that it came up higher in the search results for my Google search. How can this be stopped???



An abuse complaint to their web host or domain registrar would be the first place to start. infosniper.net is one place to start, any random Whois provider will turn up their registrar.


Thanks, will give that a go. There must be some way to alert Google too, right? It is pretty bad that they serve it up as a legitimate search result. You would expect the real GitHub to be recognized and any other duplicate flagged automatically as fake.


> You would expect

Google is not the arbiter of truth.

They've just convinced a bunch of people they were briefly.


If you manage to get something done, please be so kind and let us know here. Good luck!


It doesn’t look like a “fake” GitHub as it has every page I looked for on GitHub. I’d wager that they have set up a DNS so that their team can push to a GitHub subdomain for some reason. Unless they are mirroring absolutely every public GitHub page.

The odd thing is, if that’s the case, why is GitHub returning pages on a non-GitHub domain at all?


They're at least proxying, as the IP is not GitHub's.

So there's a hosting aspect here, which is a major security and authenticity concern and I would associate with the word "fake".


Anti-malware doesn't like that IP. There is probably something more going on than just posing as GitHub. VirusTotal [1] also has a couple of findings. You could try calling their ISP's customer service on the off chance they may do something with it. That network also shows up in the firehol [2] blocklists, so they may cycle their IP within that network to evade some anti-malware. I would wager they have many domains and IP addresses to choose from.

  grep -c "^115.111.91" 2>/dev/null *set | grep -E -v ":0$"

  cruzit_web_attacks.ipset:1
  firehol_level4.netset:1
  iblocklist_cruzit_web_attacks.netset:1
  nullsecure.ipset:1

whois:

  organisation:   ORG-TCL6-AP
  org-name:       Tata Communications Limited
  country:        IN
  address:        Customer Service & Operations
  address:        Plot Nos. C-21 & C-36
  address:        'G' Block, Bandra Kurla Complex,
  phone:          +91-22-66502826
  fax-no:         +91-22-66502039
  e-mail:         ip-addr@tatacommunications.com
  mnt-ref:        APNIC-HM
  last-modified:  2017-08-14T01:05:24Z
  source:         APNIC

[1] - https://www.virustotal.com/gui/url/bba0280c47f58e96f1ff15af7...

[2] - https://github.com/firehol/blocklist-ipsets.git
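
The blocklist lookup in the comment above, as an added example that is not part of the original thread: a prefix grep only matches text, so this version parses each list and tests CIDR overlap, which also catches a covering network entry whose text does not start with the queried octets. The list names and entries are constructed from documentation address ranges; only the one-entry-per-line layout with `#` comments follows the blocklist-ipsets files.

```python
import ipaddress

# Constructed sample lists (names and entries are made up for this example).
# Layout: '#' comment lines, then one IPv4 address or CIDR network per line.
SAMPLE_LISTS = {
    "example_level4.netset": "# constructed\n198.51.100.0/24\n203.0.113.64/26\n",
    "example_web_attacks.ipset": "# constructed\n203.0.113.77\n192.0.2.10\nnot-an-ip\n",
    "example_clean.ipset": "# constructed\n192.0.2.200\n",
}


def parse_entries(text):
    """Yield ip_network objects from blocklist text, skipping comments and junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False tolerates entries that have host bits set
            yield ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # malformed line: skip it rather than abort the scan


def lists_matching(target, lists):
    """Return {list name: [overlapping entries]} for a target IP or CIDR."""
    net = ipaddress.ip_network(target, strict=False)
    hits = {}
    for name, text in lists.items():
        matched = [str(entry) for entry in parse_entries(text)
                   if entry.version == net.version and entry.overlaps(net)]
        if matched:
            hits[name] = matched
    return hits


if __name__ == "__main__":
    # Query a whole /24, as the grep on a three-octet prefix does.
    for name, entries in lists_matching("203.0.113.0/24", SAMPLE_LISTS).items():
        print(f"{name}: {entries}")
```

To run it against a real checkout, build the dictionary from the contents of the `*.ipset` and `*.netset` files instead of `SAMPLE_LISTS`.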


Reminds me of http://github.55860.com/ from a few weeks or months ago. I still don't know if that was set up to steal passwords from a fake login form, or for a Chinese company to access GitHub from behind the Great Firewall.


Perhaps the domain was created by Copilot! All is well, we are just moving to the next level of software development!



