Here’s something ugly: the whois response for pirate book site readanybooks.net. Below is an extract of the interesting parts, which both macOS’s and Debian’s whois display.
    $ whois readanybooks.net
    Domain Name: READANYBOOKS.NET
    Registrar: XIN NET TECHNOLOGY CORPORATION
    Whois Server: whois.paycenter.com.cn
    Name Server: RICK.NS.CLOUDFLARE.COM
    Billing Contact:
      Name : li xiaoing
      Email : firstname.lastname@example.org
    <script src= "http://img2.xinnet.com/d/js/acmsd/thea178.js"> </script>
Huh? What’s an HTML tag doing in this whois response? And under what circumstances might that script tag be executed? I can imagine a naïve Web interface just injecting that script wholesale into my browser. Every way I load the referenced script it seems benign (right now), but that’s an attack vector waiting to happen.
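How a Web front end for whois should treat this record, as an added example that is not part of the original post: the naive renderer passes the tag through to the browser, the safe one escapes it, and a small check flags markup in whois data for logging. The function names are hypothetical, and the sample is the extract quoted above with its line breaks assumed.

```python
import html
import re

# Sample built from the whois extract quoted in the post (line breaks assumed).
SAMPLE_WHOIS = """\
Domain Name: READANYBOOKS.NET
Registrar: XIN NET TECHNOLOGY CORPORATION
Whois Server: whois.paycenter.com.cn
Name Server: RICK.NS.CLOUDFLARE.COM
Billing Contact:
   Name  : li xiaoing
   Email : firstname.lastname@example.org
<script src= "http://img2.xinnet.com/d/js/acmsd/thea178.js"> </script>
"""

# An HTML tag or character reference has no business in a whois record.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z!][^>]*>|&#?\w+;")


def render_naive(raw):
    """The careless interface: registrant-controlled text goes into the page verbatim."""
    return "<pre>" + raw + "</pre>"


def render_safe(raw):
    """Escape every character with HTML meaning before embedding the record."""
    return "<pre>" + html.escape(raw, quote=True) + "</pre>"


def suspicious_lines(raw):
    """Return (line_number, line) for each line carrying markup, for logging or alerting."""
    return [
        (n, line.strip())
        for n, line in enumerate(raw.splitlines(), 1)
        if MARKUP_RE.search(line)
    ]


if __name__ == "__main__":
    print(render_safe(SAMPLE_WHOIS))
    for n, line in suspicious_lines(SAMPLE_WHOIS):
        print(f"line {n}: markup in whois data: {line!r}")
```

Escaping at output time is the fix; the markup check is only a signal worth logging, since whois fields are free text that the registrant controls.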