GoFuckYourself.com - Adult Webmaster Forum - View Single Post

k0nr4d · 09-12-2017, 08:50 AM

The topic of website cloning has been coming up lately. I've figured out how people are doing it. This is in regards to the complete clone domains, not sites that have your site mirrored in a directory somewhere. There might be more ways to do this, this is what i've encountered though.

There are two variants, first via cloudflare:
1) Your website is added by someone to cloudflare, presumably as a cname - or possibly cnaming a domain that's not on cloudflare that has your domain as a cname.
2) They add the "Add Content" or Add HTML" App within cloudflare, which allows them to append content to your html on all pages.
3) There is another app somewhere in cloudflare that lets you replace words. So in this case, they were replacing clientsdomain.com with clonedomain.com. This really did my head in - $_SERVER['HTTP_HOST'] was returning clonedomain.com. In reality, the script was returning clientsdomain.com and replacing the word "clientsdomain.com" with "clonedomain.com". Literally, you could "clientsdomain.com into a text file, request it via the other domain and it outputted as "clonedomain.com"
4) The replacing of the domain I cannot figure out yet. I don't know how this is done, I can't find any cloudflare app that lets me do this but I suspect it's maybe done using JS somehow in that Add HTML App.

the second method is via nginx/varnish and THEN cloudflare in which case they do the find/replace and content adding via their server and then pass it along to cloudflare. In this case it may be possible to honeypot the proxy server by placing a new file, hitting it via the proxy domain and seeing what ip comes up in your server logs.

The only way I can think of bypassing this, is by doing javascript like this:

Code:

<script>
if(window.location.href.indexOf("yourd"+"omain.com") < 0) {
       window.location("http://yourd"+"omain.com"); 
}
</script>

or by completely shit-listing the cloudflare IPs on your server (in which case you won't be able to use cloudflare yourself):
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
104.16.0.0/12
108.162.192.0/18
131.0.72.0/22
141.101.64.0/18
162.158.0.0/15
172.64.0.0/13
173.245.48.0/20
188.114.96.0/20
190.93.240.0/20
197.234.240.0/22
198.41.128.0/17

Hope this helps someone

09-12-2017, 08:50 AM
k0nr4d Confirmed User Industry Role: Join Date: Aug 2006 Location: Poland Posts: 9,179	Website cloning via proxy The topic of website cloning has been coming up lately. I've figured out how people are doing it. This is in regards to the complete clone domains, not sites that have your site mirrored in a directory somewhere. There might be more ways to do this, this is what i've encountered though. There are two variants, first via cloudflare: 1) Your website is added by someone to cloudflare, presumably as a cname - or possibly cnaming a domain that's not on cloudflare that has your domain as a cname. 2) They add the "Add Content" or Add HTML" App within cloudflare, which allows them to append content to your html on all pages. 3) There is another app somewhere in cloudflare that lets you replace words. So in this case, they were replacing clientsdomain.com with clonedomain.com. This really did my head in - $_SERVER['HTTP_HOST'] was returning clonedomain.com. In reality, the script was returning clientsdomain.com and replacing the word "clientsdomain.com" with "clonedomain.com". Literally, you could "clientsdomain.com into a text file, request it via the other domain and it outputted as "clonedomain.com" 4) The replacing of the domain I cannot figure out yet. I don't know how this is done, I can't find any cloudflare app that lets me do this but I suspect it's maybe done using JS somehow in that Add HTML App. the second method is via nginx/varnish and THEN cloudflare in which case they do the find/replace and content adding via their server and then pass it along to cloudflare. In this case it may be possible to honeypot the proxy server by placing a new file, hitting it via the proxy domain and seeing what ip comes up in your server logs. The only way I can think of bypassing this, is by doing javascript like this: Code: <script> if(window.location.href.indexOf("yourd"+"omain.com") < 0) { window.location("http://yourd"+"omain.com"); } </script> or by completely shit-listing the cloudflare IPs on your server (in which case you won't be able to use cloudflare yourself): 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 104.16.0.0/12 108.162.192.0/18 131.0.72.0/22 141.101.64.0/18 162.158.0.0/15 172.64.0.0/13 173.245.48.0/20 188.114.96.0/20 190.93.240.0/20 197.234.240.0/22 198.41.128.0/17 Hope this helps someone __________________ Mechanical Bunny Media Mechbunny Tube Script \| Mechbunny Webcam Aggregator Script \| Custom Web Development