repl's Being Abused for Phishing
RavinduL (15)

I received the following link over Facebook, which leads to a phishing page that resembles Facebook.

IMHO, badly needs a feature to report these!

Peeking at the code,

  • They've banned a bunch of IPs from that page, redirecting them to a song "Hawái" by "Maluma"...

    var bannedips = ["", "", "", "", "", "", "", "", "", ""]
    var ip = '<!--#echo var="REMOTE_ADDR"-->'
    var handleips = bannedips.join("|")
    handleips = new RegExp(handleips, "i")
    if (ip.search(handleips) != -1) {
      alert("Your IP has been banned from this site. Redirecting...")
    }

    No idea why. They seem to belong to a bunch of US ISPs.

  • The page loads a script from
  • When you click "log in", it POSTs the values of the form along with a bunch of geographical data retrieved via GeoJS, to
  • They also grab an image from which looks like a website traffic analytics tool.

Report them: and [email protected].
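
A static triage check for the traits listed in the post above, as an added example that is not part of the original post or of the reported page's code. The indicator names, weights, threshold, the `facebook.com` allow-list and the sample markup are assumptions constructed for illustration.

```javascript
// Added example: static triage of a saved page for the traits listed in the post.
// Indicator names, weights and the sample markup are constructed for illustration.
const INDICATORS = [
  { id: "ssi-remote-addr", weight: 2,
    // Server-side include that writes the visitor's IP into the script
    test: (html) => /<!--#echo\s+var="REMOTE_ADDR"\s*-->/i.test(html) },
  { id: "client-ip-banlist", weight: 2,
    // An array of IPs joined with "|" to build a RegExp, as in the quoted snippet
    test: (html) => /\bbannedips\b[\s\S]*?\.join\(\s*["']\|["']\s*\)/i.test(html) },
  { id: "password-form", weight: 1,
    test: (html) => /<input\b[^>]*type\s*=\s*["']?password/i.test(html) },
  { id: "geo-lookup", weight: 1,
    // Page references a visitor geolocation service (the post names GeoJS)
    test: (html) => /geojs/i.test(html) },
];

// True when the page title claims a brand but the serving host is not that brand's.
function brandMismatch(html, servedHost, brand, brandDomains) {
  const title = (html.match(/<title[^>]*>([\s\S]*?)<\/title>/i) || [])[1] || "";
  const claimsBrand = title.toLowerCase().includes(brand.toLowerCase());
  const host = servedHost.toLowerCase();
  const onBrandHost = brandDomains.some((d) => host === d || host.endsWith("." + d));
  return claimsBrand && !onBrandHost;
}

function triagePage(html, servedHost) {
  const hits = INDICATORS.filter((i) => i.test(html));
  let score = hits.reduce((sum, i) => sum + i.weight, 0);
  const ids = hits.map((i) => i.id);
  if (brandMismatch(html, servedHost, "Facebook", ["facebook.com"])) {
    ids.push("brand-host-mismatch");
    score += 3;
  }
  return { ids, score, suspicious: score >= 4 }; // threshold is an assumption
}

// Constructed sample input (not the page from the thread)
const samplePage = `<html><head><title>Log in to Facebook</title>
<script>var bannedips = ["192.0.2.1", "198.51.100.7"]
var ip = '<!--#echo var="REMOTE_ADDR"-->'
var handleips = bannedips.join("|")</script>
<script src="https://geo.example/geojs.js"></script></head>
<body><form method="post" action="/collect">
<input type="text" name="email"><input type="password" name="pass">
</form></body></html>`;

console.log(triagePage(samplePage, "hosting.example"));
```
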

Answered by SixBeeps (5221) [earned 5 cycles]
SixBeeps (5221)

Looks like the user has a few different Repls for this:

Honestly I'd contact directly for this rn. I've heard that a Report User functionality is in the works, so problems like these can be more easily resolved.

RavinduL (15)

@SixBeeps nice find! Out of curiosity, how did you map the repl to the user? 😅

SixBeeps (5221)

@RavinduL The format for sites are In the link you gave, colorfullightcyantask is the name of the Repl, dd315b4f10v is the user.

JosephSanthosh (1182)

There should be a way to track down the IP Address of this user. @SixBeeps

PieroMaddaleni (1)

@SixBeeps Generally to ban such users from accessing our platform and to see if they have any other accounts from said address. Also, I've passed this on to the rest of the team, so within an hour or two something should happen.

SixBeeps (5221)

@PieroMaddaleni Yeah, but they could very well be using a VPN, which would eliminate the entire purpose of an IP ban.

Battledash2 (80)

Cool they're banned xD

AmazingMech2418 (1085)

Seems like the person is banned...

iocoder (162)

@RavinduL when I go to now it brings me to is this a remake of it too, or is it the real one, cause some users can find a domain that is exactly the same as another

HahaYes (1861)

oh wow that's bad.

PattanAhmed (1404)

Where do you find his Repl?
I mean this guy:-

JosephSanthosh (1182)

That page is somehow so accurate!