Website cloning via proxy

  • k0nr4d
    Confirmed User
    • Aug 2006
    • 9231

    #1

    Tech Website cloning via proxy

    The topic of website cloning has been coming up lately. I've figured out how people are doing it. This is in regards to the complete clone domains, not sites that have your site mirrored in a directory somewhere. There might be more ways to do this, this is what I've encountered though.

    There are two variants, first via cloudflare:
    1) Your website is added by someone to cloudflare, presumably as a cname - or possibly cnaming a domain that's not on cloudflare that has your domain as a cname.
    2) They add the "Add Content" or "Add HTML" App within cloudflare, which allows them to append content to your html on all pages.
    3) There is another app somewhere in cloudflare that lets you replace words. So in this case, they were replacing clientsdomain.com with clonedomain.com. This really did my head in - $_SERVER['HTTP_HOST'] was returning clonedomain.com. In reality, the script was returning clientsdomain.com and replacing the word "clientsdomain.com" with "clonedomain.com". Literally, you could put "clientsdomain.com" into a text file, request it via the other domain and it outputted as "clonedomain.com".
    4) The replacing of the domain I cannot figure out yet. I don't know how this is done, I can't find any cloudflare app that lets me do this but I suspect it's maybe done using JS somehow in that Add HTML App.

    The second method is via nginx/varnish and THEN cloudflare, in which case they do the find/replace and content adding via their server and then pass it along to cloudflare. In this case it may be possible to honeypot the proxy server by placing a new file, hitting it via the proxy domain and seeing what ip comes up in your server logs.

    The only way I can think of bypassing this, is by doing javascript like this:

    Code:
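    <script>
    // Redirect to the real site when the page is served from any other domain.
    // The domain is split in two so a proxy's find/replace does not rewrite it.
    if (window.location.href.indexOf("yourd" + "omain.com") < 0) {
        // window.location is an object, not a function: assign the URL to href
        window.location.href = "http://yourd" + "omain.com";
    }
    </script>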
    or by completely shit-listing the cloudflare IPs on your server (in which case you won't be able to use cloudflare yourself).

    Hope this helps someone
    Mechanical Bunny Media
    Mechbunny Tube Script | Mechbunny Webcam Aggregator Script | Custom Web Development
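The honeypot check described in this post (place a uniquely named file, request it through the clone domain, then look for it in your own access log), as an added example that is not part of the original post. The canary file name, log lines and IP addresses are constructed, and the two edge ranges are sample values standing in for the CDN's current published list.

```javascript
// Added example (Node.js, no dependencies). Log lines, IPs and the canary
// file name below are constructed sample data.

// Sample CDN edge ranges only (assumption: in real use, load the provider's
// current published list instead of hard-coding).
const SAMPLE_EDGE_RANGES = ["173.245.48.0/20", "103.21.244.0/22"];

// Combined Log Format: ip ident user [time] "METHOD path PROTO" status bytes ...
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if not IPv4.
function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = (n * 256 + Number(p)) >>> 0;
  }
  return n;
}

// True when the IPv4 address falls inside the CIDR block.
function inCidr(ip, cidr) {
  const [base, len] = cidr.split("/");
  const bits = Number(len);
  const a = ipToInt(ip);
  const b = ipToInt(base);
  if (a === null || b === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// Collect every client that fetched the canary file from the origin.
// The owner requests the canary ONLY through the clone domain, so each hit
// is the clone's fetcher: either a CDN edge or the operator's own proxy.
function findCanaryHits(logText, canaryPath, edgeRanges) {
  const hits = new Map();
  for (const line of logText.split("\n")) {
    const m = LOG_RE.exec(line);
    if (!m) continue; // skip malformed lines
    const ip = m[1];
    const time = m[2];
    const path = m[4].split("?")[0]; // ignore any query string
    if (path !== canaryPath) continue;
    let kind = "direct-proxy";
    if (ipToInt(ip) === null) kind = "unclassified"; // e.g. IPv6 client
    else if (edgeRanges.some((r) => inCidr(ip, r))) kind = "cdn-edge";
    const entry = hits.get(ip) || { ip, kind, count: 0, firstSeen: time };
    entry.count += 1;
    hits.set(ip, entry);
  }
  return [...hits.values()];
}

// Constructed access log: one normal visitor, then canary fetches.
const SAMPLE_LOG = [
  '198.51.100.7 - - [10/May/2017:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.44 - - [10/May/2017:10:02:13 +0000] "GET /canary-7f3a9c.txt HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
  '203.0.113.44 - - [10/May/2017:10:02:15 +0000] "GET /canary-7f3a9c.txt?x=1 HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
  '173.245.52.9 - - [10/May/2017:10:05:40 +0000] "GET /canary-7f3a9c.txt HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
].join("\n");

for (const h of findCanaryHits(SAMPLE_LOG, "/canary-7f3a9c.txt", SAMPLE_EDGE_RANGES)) {
  console.log(`${h.ip}\t${h.kind}\t${h.count} hit(s)\tfirst seen ${h.firstSeen}`);
}
```

A `cdn-edge` hit corresponds to the first variant (the clone is configured inside Cloudflare), while a `direct-proxy` hit is the address of the clone operator's own nginx/varnish server from the second variant.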
  • Adraco
    Confirmed User
    • May 2009
    • 3745

    #2
    Very nice explanation and most impressed by your level of knowledge to be able to figure this way out! Thanks for posting this Konrad!
    ----------------------------------------------------------------------------------
    The truth is not affected by the beliefs, or doubts, of the majority.

    Comment

    • sarettah
      see you later, I'm gone
      • Oct 2002
      • 14297

      #3
      Good post K0nr4d, excellent break down of what it is.

      Thanks

      .
      All cookies cleared!

      Comment

      • bns666
        Confirmed Fetishist
        • Mar 2005
        • 11554

        #4
        cool, thanx

        Comment

        • Barry-xlovecam
          It's 42
          • Jun 2010
          • 18083

          #5
          That's what I was thinking their method was 'like'
          Blocking Cloudflare IPs on servers EXCEPT where specifically needed is a good idea.

          SAMEORIGIN would not help in this scenario.

          Cloudflare needs to police their clients better -- copyright infringement and fraud most likely are Cloudflare TOS violations.

          Thanks for looking into this Konrad.

          BTW a 302 -301 domain redirection will work -- maybe even a page redirection -- this is working for lifeselector -- planned or not.

          Comment

          • k0nr4d
            Confirmed User
            • Aug 2006
            • 9231

            #6
            Originally posted by Barry-xlovecam
            That's what I was thinking their method was 'like'
            Blocking Cloudflare IPs on servers EXCEPT where specifically needed is a good idea.

            SAMEORIGIN would not help in this scenario.

            Cloudflare needs to police their clients better -- copyright infringement and fraud most likely are Cloudflare TOS violations.

            Thanks for looking into this Konrad.

            BTW a 302 -301 domain redirection will work -- maybe even a page redirection -- this is working for lifeselector -- planned or not.
            Redirect won't work because from the proxy's end the domain is correct. They are requesting domain1.com and re-serving it as domain2.com. Only a redirect via JS like I wrote works, and you have to split the string into two so it doesn't get text-replaced.

            Comment

            • sarettah
              see you later, I'm gone
              • Oct 2002
              • 14297

              #7
              Originally posted by k0nr4d
              Redirect won't work because from the proxy's end the domain is correct. They are requesting domain1.com and re-serving it as domain2.com. Only a redirect via JS like I wrote works, and you have to split the string into two so it doesn't get text-replaced.
              You could probably make the domain base64 encoded instead of just splitting it, or base64 it and split it into multiple parts maybe. The more obfuscation the better.


              Comment

              • sarettah
                see you later, I'm gone
                • Oct 2002
                • 14297

                #8
                Originally posted by Barry-xlovecam
                Cloudflare needs to police their clients better -- copyright infringement and fraud most likely are Cloudflare TOS violations.
                Yeah, I would think that cloudflare would probably block something like this if they knew about it.


                Comment

                • Barry-xlovecam
                  It's 42
                  • Jun 2010
                  • 18083

                  #9
                  Do that lifeselector link on that page and look at the headers. Fluke maybe but it goes to a password protected page

                  The clone renders a blank page for affiliates.lifeselector and the password page is on another subdomain name 'assist'. The wrong CNAME maybe?

                  The problem is scumbags using Cloudflare for bad purposes. If Cloudflare does not clean up their act the USDOJ will eventually. I am not asserting any complicity on Cloudflare's part but if they abandoned their free service and made it a 30 trial with a low cost for small users -- then the scumbags would not use it because payment data is traceable and can be subpoenaed.

                  Comment

                  • k0nr4d
                    Confirmed User
                    • Aug 2006
                    • 9231

                    #10
                    Originally posted by sarettah
                    You could probably make the domain base64 encoded instead of just splitting it, or base64 it and split it into multiple parts maybe. The more obfuscation the better.

                    Yeah you could go much further with this, and run the whole js through one of those obfuscators to hide it as well, or even randomize it so it's
                    d+omain
                    do+main
                    dom+ain
                    dom+a+in
                    and so forth to prevent someone doing find/replace on the JS itself too.

                    Comment
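The split/base64/randomize idea from the posts above, as an added example that is not code from the thread. It generates a guard whose source never contains the real host as a literal, then simulates the proxy's find/replace to show which guard survives; `buildGuard`, `runBehindProxy` and the `https://` scheme are assumptions of this sketch, and the domain names are the placeholders used in the thread.

```javascript
// Added example (runs in Node.js 16+ or a browser console).
// "clientsdomain.com" and "clonedomain.com" are the thread's placeholder names.

// Build-time: emit guard JavaScript for one page render.
// The real host is base64-encoded and cut at random points, so the served
// bytes contain neither the host nor a stable pattern to find/replace.
function buildGuard(realHost, rng = Math.random) {
  const b64 = btoa(realHost);
  const parts = [];
  for (let i = 0; i < b64.length; ) {
    const n = 2 + Math.floor(rng() * 4); // chunk length 2..5
    parts.push(b64.slice(i, i + n));
    i += n;
  }
  const joined = parts.map((p) => JSON.stringify(p)).join("+");
  // Compare the exact hostname (or a subdomain of it) instead of searching
  // the whole URL, which could contain the real host in a path or query.
  return (
    `(function(w){var h=atob(${joined});` +
    `var c=w.location.hostname.toLowerCase();` +
    `if(c!==h&&c.slice(-(h.length+1))!=="."+h){` +
    `w.location.replace("https://"+h+w.location.pathname+w.location.search);}` +
    `})(window);`
  );
}

// An unsplit guard for comparison: the host appears as a plain literal.
const UNSPLIT_GUARD =
  'if(window.location.hostname!=="clientsdomain.com"){' +
  'window.location.replace("https://clientsdomain.com/");}';

// Simulate the behaviour described in the thread: the proxy rewrites every
// occurrence of the real host in the response body, then the visitor's
// browser (a stub window object here) runs the rewritten script.
function runBehindProxy(scriptSource, realHost, servedHost, path = "/") {
  const rewritten = scriptSource.split(realHost).join(servedHost);
  let redirectedTo = null;
  const fakeWindow = {
    location: {
      hostname: servedHost,
      pathname: path,
      search: "",
      replace(url) { redirectedTo = url; },
    },
  };
  new Function("window", rewritten)(fakeWindow);
  return { rewritten, redirectedTo };
}

const guard = buildGuard("clientsdomain.com");
console.log("encoded guard on clone  ->",
  runBehindProxy(guard, "clientsdomain.com", "clonedomain.com", "/videos/1").redirectedTo);
console.log("unsplit guard on clone  ->",
  runBehindProxy(UNSPLIT_GUARD, "clientsdomain.com", "clonedomain.com").redirectedTo);
console.log("encoded guard on origin ->",
  runBehindProxy(guard, "clientsdomain.com", "www.clientsdomain.com").redirectedTo);
```

The unsplit guard is rewritten into a check against the clone's own name and never fires, while the encoded one still redirects. Any client-side guard fails if the proxy strips or mangles the script itself, so it complements origin-side controls rather than replacing them.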

                    • Barry-xlovecam
                      It's 42
                      • Jun 2010
                      • 18083

                      #11
                      In this case the framing is not malicious notwithstanding the SEO imprecations.
                      so use an obfuscated canonical tag rel=canonical to identify where the REAL site/domain is

                      Every site stealing SERPs I checked for xlovecam was using Cloudflare to obscure their host server. Every 'claimed' free password site or free tokens or credits site/domain was trying to hide behind Cloudflare. If it was too big of a problem, and worth the expense, we could sue the domain owners and subpoena Cloudflare.

                      I have absolutely no problem with servers using Cloudflare for its intended purpose -- mitigating ddos attacks and security filtering.

                      Comment

                      • mikeworks
                        Confirmed User
                        • Apr 2010
                        • 272

                        #12
                        Thanks Konrad for sharing your information.

                        It's probably one of the biggest problems at the moment. I disavow them, but they must obviously still benefit from google and/or harm original site.

                        Comment

                        • k0nr4d
                          Confirmed User
                          • Aug 2006
                          • 9231

                          #13
                          Originally posted by Barry-xlovecam
                          In this case the framing is not malicious notwithstanding the SEO imprecations.
                          so use an obfuscated canonical tag rel=canonical to identify where the REAL site/domain is

                          Every site stealing SERPs I checked for xlovecam was using Cloudflare to obscure their host server. Every 'claimed' free password site or free tokens or credits site/domain was trying to hide behind Cloudflare. If it was too big of a problem, and worth the expense, we could sue the domain owners and subpoena Cloudflare.

                          I have absolutely no problem with servers using Cloudflare for its intended purpose -- mitigating ddos attacks and security filtering.
                          How exactly does an obfuscated canonical tag look like? I've never seen or heard of that

                          Comment

                          • Barry-xlovecam
                            It's 42
                            • Jun 2010
                            • 18083

                            #14
                            Pretty much everyone agrees now that search engines CAN read JavaScript.

                            Code:
                            <script language="javascript">
                            <!--
                            // == Begin Free HTML Source Code Obfuscation Protection from http://snapbuilder.com == //
                            document.write(unescape('%3C%6C%69%6E%6B%20%72%65%6C%3D%22%63%61%6E%6F%6E%69%63%61%6C%22%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%65%78%61%6D%70%6C%65%2E%63%6F%6D%2F%77%6F%72%64%70%72%65%73%73%2F%73%65%6F%2D%70%6C%75%67%69%6E%2F%22%3E'));
                            //-->
                            </script>
                            Assuming you are right that text substitution is being used -- how are you going to read and substitute this? If you are a secret-agent you could grep and decode somehow I suppose -- what does this say -- just run the code in phantomjs. That is the way I might scrape the page. If you broke the JS code with + maybe it might fool the substitution but if you really want to get down to it

                            echo or cat (<input>)|sed 's/\n//g' then ....

                            Code:
                            echo '<script>if(window.location.href.indexOf("yourd"+"omain.com") < 0) {       window.location("http://yourd"+"omain.com"); }</script>' |
                              grep -E -o ".{0,20}\(window\.location\.href.{0,20}" |
                              sed 's/window/you are fucked now/g'
                            # output:
                            <script>if(you are fucked now.location.href.indexOf("yourd"+"om
                            fuckup the frame breaker JS

                            Sure as fuck won't hurt to try rel=canonical .

                            Comment

                            • Bladewire
                              StraightBro
                              • Aug 2003
                              • 56228

                              #15
                              Excellent info thanks!


                              Skype: CallTomNow

                              Comment

                              • Smut-Talk
                                I talk smut
                                • Jul 2016
                                • 176

                                #16
                                Nice info for sure...


                                On the defensive of your site:

                                You can do a lot with htaccess.
                                FI: I use htaccess to stop hotlinking, put a redirect to a goatsie in it...

                                Barry, as promised on icq:

                                to "help" with scriptkiddies with scanning, I came across this:

                                !you can ZIP bomb a vuln scanner!

                                ZIP compression is really good with repetitive data so if you have a really huge text file which consists of repetitive data like all zeroes, it will compress it really good.
                                It can compress a 4.5 peta byte (4.500.000 giga bytes) file down to 42 kilo bytes.

                                When a browser/scanner extracts or decompresses the content it will most likely run out of disk space or RAM.

                                So firstly create a 10 giga byte GZIP file, or bigger, filled with zeroes.
                                And secondly a PHP script that will deliver it to a client.

                                Code:
                                <?php
                                $agent = (string) filter_input(INPUT_SERVER, 'HTTP_USER_AGENT');
                                //request path without the leading slash, used by the prefix checks below
                                //(the posted code read $url without ever setting it)
                                $url = ltrim((string) parse_url((string) filter_input(INPUT_SERVER, 'REQUEST_URI'), PHP_URL_PATH), '/');
                                
                                //check for nikto, sql map or "bad" subfolders which only exist on wordpress
                                if (strpos($agent, 'nikto') !== false || strpos($agent, 'sqlmap') !== false || startsWith($url,'wp-') || startsWith($url,'wordpress') || startsWith($url,'wp/'))
                                {
                                      sendBomb();
                                      exit();
                                }
                                
                                function sendBomb(){
                                        //prepare the client to receive GZIP data. This will not be suspicious
                                        //since most web servers use GZIP by default
                                        header("Content-Encoding: gzip");
                                        header("Content-Length: ".filesize('10G.gzip'));
                                        //Turn off output buffering
                                        if (ob_get_level()) ob_end_clean();
                                        //send the gzipped file to the client
                                        readfile('10G.gzip');
                                }
                                
                                //true when $a begins with the prefix $b
                                function startsWith($a, $b) { 
                                    return strpos($a, $b) === 0;
                                }
                                source: https://blog.haschek.at/post/f2fda
                                This is my awesome signature!
                                if you really have to, you can use: smuttalk-that apple thingy-websmut.com
                                Don't forget to mention GFY in the subject!

                                Comment

                                • Barry-xlovecam
                                  It's 42
                                  • Jun 2010
                                  • 18083

                                  #17
                                  Code:
                                  root@ds12-ams-2gb:~# whois odir.us
                                  Domain Name:                                 ODIR.US
                                  Domain ID:                                   D29663821-US
                                  Sponsoring Registrar:                        UNITED-DOMAINS AG
                                  Sponsoring Registrar IANA ID:                1408
                                  Registrar URL (registration services):       www.united-domains.de
                                  Domain Status:                               clientTransferProhibited
                                  Registrant ID:                               C-SM7006B-QVRDOB
                                  Registrant Name:                             Stefan Mayr
                                  Registrant Address1:                         Mondscheingasse 6
                                  Registrant City:                             Graz
                                  Registrant Postal Code:                      8010
                                  Registrant Country:                          Austria
                                  Registrant Country Code:                     AT
                                  Registrant Phone Number:                     +43.69910780807
                                  Registrant Email:                            [email protected]
                                  Registrant Application Purpose:              P1
                                  Registrant Nexus Category:                   C31/AT
                                  Administrative Contact ID:                   C-SM7006B-MIXAPZ
                                  Administrative Contact Name:                 Stefan Mayr
                                  Administrative Contact Address1:             Mondscheingasse 6
                                  Administrative Contact City:                 Graz
                                  Administrative Contact Postal Code:          8010
                                  Administrative Contact Country:              Austria
                                  Administrative Contact Country Code:         AT
                                  Administrative Contact Phone Number:         +43.69910780807
                                  Administrative Contact Email:                [email protected]
                                  Administrative Application Purpose:          P1
                                  Administrative Nexus Category:               C31/AT
                                  Billing Contact ID:                          C-UHM65D7-HTWJET
                                  Billing Contact Name:                        Host Master
                                  Billing Contact Organization:                united-domains AG
                                  Billing Contact Address1:                    Gautinger Str. 10
                                  Billing Contact City:                        Starnberg
                                  Billing Contact State/Province:              Bayern
                                  Billing Contact Postal Code:                 82319
                                  Billing Contact Country:                     Germany
                                  Billing Contact Country Code:                DE
                                  Billing Contact Phone Number:                +49.8151368670
                                  Billing Contact Facsimile Number:            +49.81513686777
                                  Billing Contact Email:                       [email protected]
                                  Billing Application Purpose:                 P1
                                  Billing Nexus Category:                      C31/AT
                                  Technical Contact ID:                        C-UHM65D7-OYNZFB
                                  Technical Contact Name:                      Host Master
                                  Technical Contact Organization:              united-domains AG
                                  Technical Contact Address1:                  Gautinger Str. 10
                                  Technical Contact City:                      Starnberg
                                  Technical Contact State/Province:            Bayern
                                  Technical Contact Postal Code:               82319
                                  Technical Contact Country:                   Germany
                                  Technical Contact Country Code:              DE
                                  Technical Contact Phone Number:              +49.8151368670
                                  Technical Contact Facsimile Number:          +49.81513686777
                                  Technical Contact Email:                     [email protected]
                                  Technical Application Purpose:               P1
                                  Technical Nexus Category:                    C31/AT
                                  Name Server:                                 EMMA.NS.CLOUDFLARE.COM
                                  Name Server:                                 IVAN.NS.CLOUDFLARE.COM
                                  Created by Registrar:                        PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
                                  Last Updated by Registrar:                   UNITED-DOMAINS AG
                                  Last Transferred Date:                       Sun Apr 16 16:06:24 GMT 2017
                                  Domain Registration Date:                    Thu Sep 16 04:52:42 GMT 2010
                                  Domain Expiration Date:                      Sat Sep 15 23:59:59 GMT 2018
                                  Domain Last Updated Date:                    Mon Apr 17 06:01:29 GMT 2017
                                  DNSSEC:                                      false
                                  Enough of this shit

                                  Complain to the registry to yank his ticket.

                                  usTLD Nexus Requirements Policy for Registrants| About.US - About.US


                                  usTLD Nexus
                                  Requirements Policy

                                  Registrants in the usTLD must be either:

                                  1. A natural person (i) who is a United States citizen, (ii) who is a permanent resident of the United States of America or any of its possessions or territories, or (iii) whose primary place of domicile is in the United States of America or any of its possessions [Nexus Category 1],

                                  2. A United States entity or organization that is (i) incorporated within one of the fifty (50) U.S. states, the District of Columbia, or any of the United States possessions or territories, or (ii) organized or otherwise constituted under the laws of a state of the United States of America, the District of Columbia or any of its possessions or territories (including a federal, state, or local government of the United States or a political subdivision thereof, and non-commercial organizations based in the United States) [Nexus Category 2], or

                                  3. A foreign entity or organization that has a bona fide presence in the United States of America or any of its possessions or territories [Nexus Category 3].
                                  Normally if it was a domain innocent of any real wrongdoing I would just leave this be -- but under these circumstances -- he can go fuck himself -- next move is yours ...

                                  Comment

                                  • CaptainHowdy
                                    Too lazy to set a custom title
                                    • Dec 2004
                                    • 94731

                                    #18
                                    All hail k0nr4d ...

                                    Comment

                                    • Craft
                                      Confirmed User
                                      • Oct 2015
                                      • 169

                                      #19
                                      Anyone knows how to check if your site is cloned ?

                                      Comment

                                      • Paul&John
                                        Confirmed User
                                        • Aug 2005
                                        • 8643

                                        #20
                                        Nice info k0nr4d!

                                        Comment

                                        • CaptainHowdy
                                          Too lazy to set a custom title
                                          • Dec 2004
                                          • 94731

                                          #21
                                          Bump for a great thread ...

                                          Comment

                                          • mikeworks
                                            Confirmed User
                                            • Apr 2010
                                            • 272

                                            #22
                                            Originally posted by Craft
                                            Anyone knows how to check if your site is cloned ?
                                            Check webmaster tools for backlinks from a cloned domain.

                                            Comment

                                            • RazorSharpe
                                              Confirmed User
                                              • Aug 2001
                                              • 2238

                                              #23
                                              Have a very similar issue.

                                              This is the offender's site: (google cache version)
                                              https://webcache.googleusercontent.c...&ct=clnk&gl=uk

                                              This is mine:
                                              https://www.projectvoyeur.com

                                              He has cloned over 100K pages on my site and counting. I contacted cloudflare who responded with their party line about not being the host so I was dead in the water.

                                              Previously, when contacting google (DMCA), they have taken action on sites like this. This time however, they did pretty much nothing. The fact that this person is cloning my site and then serving cloaked pages (which is why I showed the cached version above), didn't seem to bother the folk at Google at all.

                                              So I kinda figured I was stuck with this.
                                              Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.

                                              Comment

                                              • TrafficTitan
                                                Confirmed User
                                                • Nov 2012
                                                • 350

                                                #24
                                                Google is too dumb to understand their cloaking. DMCA sometimes works but not always.

                                                Can you DMCA an entire domain?
                                                Does anybody have a good standardized message to send to google that works?

                                                Has anybody come up with a rock solid way to stop them? I've already implemented banning all cloudflare IPs. One way that does work if you DMCA cloudflare they will cough up the origin host. Then if you DMCA the origin host it frequently gets shut down. It would be great if there was a pro-active way to just prevent it though. The JS canonical seems interesting.

                                                In addition to the clones I also see people scraping everyone's titles and throwing them up on a BS site which always redirects to a random tube or advertiser from google serps.
                                                https://www.hentaicity.com/ | http://www.traffictitan.com/

                                                Comment

                                                • Lewis11
                                                  Confirmed User
                                                  • May 2016
                                                  • 400

                                                  #25
                                                  Nice info!

                                                  Comment

                                                  • sarettah
                                                    see you later, I'm gone
                                                    • Oct 2002
                                                    • 14297

                                                    #26
                                                    Bump for business


                                                    Comment

                                                    • wocnom
                                                      Confirmed User
                                                      • Jan 2013
                                                      • 132

                                                      #27
                                                      I think there are like 3 possible ways to fight them. Notify about what they are doing:
                                                      1. their domain registrar
                                                      2. hosting they are using AND cloudflare
                                                      3. google

                                                      Combining all of them is the best way I suppose. I think it's possible to use DMCA in all three cases.

                                                      Comment

                                                      • Barry-xlovecam
                                                        It's 42
                                                        • Jun 2010
                                                        • 18083

                                                        #28
                                                        Go to the registry and hit them with the sledgehammer.

                                                        Comment

                                                        • TrafficTitan
                                                          Confirmed User
                                                          • Nov 2012
                                                          • 350

                                                          #29
                                                          If you contact the domain registrar does that actually do anything? I've never tried DMCA'ing the registrar.
                                                          https://www.hentaicity.com/ | http://www.traffictitan.com/

                                                          Comment

                                                          • Barry-xlovecam
                                                            It's 42
                                                            • Jun 2010
                                                            • 18083

                                                            #30
                                                            The REGISTRY not the Registrar -- shit flows downhill -- you have never worked in the corporate world?
                                                            You go right to the COB or the CEO's office -- shit happens fast when you pull a tiger's tail.

                                                            Pay an Attorney to write the letter to the COB and send it Certified mail or by DHL (if overseas) -- the shit will hit the fans.

                                                            Comment

                                                            • Craft
                                                              Confirmed User
                                                              • Oct 2015
                                                              • 169

                                                              #31
                                                              This works

                                                              On the top of .htaccess files add this.

                                                              "Header always append X-Frame-Options SAMEORIGIN"

                                                              Comment

                                                              • kmanrox
                                                                aka K-Man
                                                                • Oct 2001
                                                                • 29295

                                                                #32
                                                                Or via a custom scraper made in PHP that uses a pool of rotating client proxies, random, periodically.
                                                                Crypto HODLr
                                                                Crypto mining
                                                                Angel investor

                                                                Comment

                                                                • Smut-Talk
                                                                  I talk smut
                                                                  • Jul 2016
                                                                  • 176

                                                                  #33
                                                                  Craft made a point:

                                                                  On the server you can set the X-Frame-Options header, which tells the web browser how to treat the page when it is framed. It is possible to set this header to DENY, which blocks all loading of the page via frames. By setting it to SAMEORIGIN you can relax the restriction and only allow framing by pages on the same domain.

                                                                  On the Apache webserver this directive is set like so (on Debian/Ubuntu servers this is /etc/apache2/apache2.conf):

                                                                  Code:
                                                                  Header always append X-Frame-Options SAMEORIGIN
                                                                  Alternatively if you are using nginx then you can implement it in the following way:

                                                                  Code:
                                                                  add_header X-Frame-Options SAMEORIGIN;

                                                                  Unfortunately this header is only supported on more recent browsers


                                                                  Now for legacy browsers you will need to drop back to using a JavaScript framebusting code. It goes without saying however that this can be circumvented by a potential attacker through techniques such as double framing and exploiting cross site scripting filters in some browsers.

                                                                  Code:
                                                                  if(top != self) { top.location = self.location; }
                                                                  The latest recommendation from The Open Web Application Security Project (OWASP) is to include the following code in the <head> section of your web page:

                                                                  Code:
                                                                  <style id="antiClickjack">body{display:none !important;}</style>
                                                                  <script type="text/javascript">
                                                                     if (self === top) {
                                                                         var antiClickjack = document.getElementById("antiClickjack");
                                                                         antiClickjack.parentNode.removeChild(antiClickjack);
                                                                     } else {
                                                                         top.location = self.location;
                                                                     }
                                                                  </script>
                                                                  This works by disabling the whole page using the CSS style at the beginning and then later on in the javascript checking to see that the page is not framed. It then removes the style from the page's HTML, thereby revealing the content. If it is framed then it sets itself as the parent page.

                                                                  This should work...

                                                                  Still shit falls down quick, do as Barry said; Enough of this shit

                                                                  Complain to the registry to yank his ticket.
                                                                  Last edited by Smut-Talk; 09-15-2017, 01:44 AM. Reason: cleaned up code
                                                                  This is my awesome signature!
                                                                  if you really have to, you can use: smuttalk-that apple thingy-websmut.com
                                                                  Don't forget to mention GFY in the subject!

                                                                  Comment

                                                                  • Smut-Talk
                                                                    I talk smut
                                                                    • Jul 2016
                                                                    • 176

                                                                    #34
                                                                    Originally posted by RazorSharpe
                                                                    Have a very similar issue.

                                                                    This is the offender's site: (google cache version)
                                                                    https://webcache.googleusercontent.c...&ct=clnk&gl=uk

                                                                    This is mine:
                                                                    https://www.projectvoyeur.com

                                                                    He has cloned over 100K pages on my site and counting. I contacted cloudflare who responded with their party line about not being the host so I was dead in the water.

                                                                    Previously, when contacting google (DMCA), they have taken action on sites like this. This time however, they did pretty much nothing. The fact that this person is cloning my site and then serving cloaked pages (which is why I showed the cached version above), didn't seem to bother the folk at Google at all.

                                                                    So I kinda figured I was stuck with this.
                                                                    Maybe this helps really quick:

                                                                    you can use .htaccess as the following

                                                                    Code:
                                                                    RewriteEngine On
                                                                    
                                                                    RewriteCond %{QUERY_STRING} !^id=[^&]+ [NC]
                                                                    # if referrer is bad.com
                                                                    RewriteCond %{HTTP_REFERER} (www\.)?bad\.com [NC]
                                                                    # then redirect to a different page
                                                                    # the target /404.shtm is assumed here; the rule as posted had no substitution argument
                                                                    RewriteRule !^404\.shtm /404.shtm [L,NC,R=302]
                                                                    Just don't do a 404, do a redirect to a goatsie picture...
                                                                    I think when his page visitors see that, they won't be coming back..

                                                                    Comment

                                                                    • CrazyMartin
                                                                      Confirmed User
                                                                      • Jan 2009
                                                                      • 340

                                                                      #35
                                                                      A JS script is ugly and sometimes hard to do (you have to put JS on every page); it's much better to redirect with a 301 or serve a special page for scammer IPs.

                                                                      Cloudflare IPs never access your site, so a redirect based on the Cloudflare ID is useless.

                                                                      They use an additional proxy and then send to Cloudflare.

                                                                      So just grab the proxy IP by putting a PHP script on your page that displays the client IP, and configure the webserver to serve a special page for that particular IP.

                                                                      Comment
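The proxy-IP lookup CrazyMartin describes, as an added example that is not code from the thread: it scans origin access-log lines for hits on an unguessable honeypot file that you requested only through the clone domain, so the logged source address is the cloner's proxy rather than a Cloudflare edge. The log lines, the path `/hp-7f3a9c1e.txt`, the IPs (documentation ranges) and all function names are constructed for illustration.

```javascript
// Added example. Assumes the origin writes Apache/nginx "combined" format logs.

// Constructed sample log. 192.0.2.10 stands for your own address,
// 203.0.113.7 for the unknown proxy sitting in front of the clone domain.
const SAMPLE_LOG = `
198.51.100.20 - - [15/Sep/2017:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Sep/2017:10:02:13 +0000] "GET /hp-7f3a9c1e.txt HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.0.2.10 - - [15/Sep/2017:10:02:40 +0000] "GET /hp-7f3a9c1e.txt HTTP/1.1" 200 12 "-" "curl/7.55"
203.0.113.7 - - [15/Sep/2017:10:03:02 +0000] "GET /hp-7f3a9c1e.txt?x=1 HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Sep/2017:10:03:05 +0000] "GET /videos/123 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
this line is not a log entry and must be skipped
`;

const HONEYPOT_PATH = "/hp-7f3a9c1e.txt"; // random name, never linked anywhere
const OWN_IPS = ["192.0.2.10"];           // addresses you tested from directly

// client IP, [timestamp], "METHOD target ...", status
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) /;

// Return every address that fetched the honeypot file, most hits first.
// Nobody knows the file name, so any hit that is not from one of your own
// addresses reached the origin through the cloner's proxy.
function findProxyIps(logText, honeypotPath, ownIps = []) {
  const hits = new Map();
  for (const line of logText.split("\n")) {
    const m = LOG_RE.exec(line);
    if (!m) continue;                       // blank or malformed line
    const [, ip, time, , target] = m;
    const path = target.split("?")[0];      // ignore any query string
    if (path !== honeypotPath || ownIps.includes(ip)) continue;
    const entry = hits.get(ip) || { ip, count: 0, firstSeen: time };
    entry.count += 1;
    hits.set(ip, entry);
  }
  return [...hits.values()].sort((a, b) => b.count - a.count);
}

// One way to act on the result: nginx access-module "deny" lines (these
// return 403; a custom error page or a redirect rule are alternatives).
function toNginxDeny(found) {
  return found.map((h) => `deny ${h.ip};`).join("\n");
}

const found = findProxyIps(SAMPLE_LOG, HONEYPOT_PATH, OWN_IPS);
console.log(found);
console.log(toNginxDeny(found));
```

The proxy address can change, so the check is worth repeating with a fresh honeypot name whenever the clone starts serving your pages again.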

                                                                      • JuicyBunny
                                                                        So Fucking Banned
                                                                        • Jun 2010
                                                                        • 2145

                                                                        #36
                                                                        Originally posted by Barry-xlovecam
                                                                        The REGISTRY not the Registrar -- shit flows downhill -- you have never worked in the corporate world?
                                                                        You go right to the COB or the CEO's office -- shit happens fast when you pull a tiger's tail.

                                                                        Pay an Attorney to write the letter to the COB and send it Certified mail or by DHL (if overseas) -- the shit will hit the fans.
                                                                        HI
                                                                        Can you or someone PM me the information regarding the registry? Not sure what you are talking about besides registrar. We have sent DMCAs to Google, host and registrar.
                                                                        We have to file a complaint against the site cloning ours.
                                                                        Thanks

                                                                        Have tried K0nrad's suggestions which were great but criminals seem to have found a workaround even MojoHost cannot fix.

                                                                        Comment

                                                                        • JuicyBunny
                                                                          So Fucking Banned
                                                                          • Jun 2010
                                                                          • 2145

                                                                          #37
                                                                          I got it. Thanks!

                                                                          Comment

                                                                          • Brad Mitchell
                                                                            Confirmed User
                                                                            • Nov 2001
                                                                            • 9813

                                                                            #38
                                                                            What a great thread and a good read. Excellent digging Konrad! Great additions from others, too. GFY could be greater than MAGA with more useful threads like this.

                                                                            Brad
                                                                            President at MojoHost | brad at mojohost dot com | Skype MojoHostBrad
                                                                            71 industry awards for hosting and professional excellence since 1999

                                                                            Comment

                                                                            • Bladewire
                                                                              StraightBro
                                                                              • Aug 2003
                                                                              • 56228

                                                                              #39






                                                                              Skype: CallTomNow

                                                                              Comment

                                                                              • MKA
                                                                                Hey...
                                                                                • Nov 2011
                                                                                • 600

                                                                                #40
                                                                                So many opinions in one thread, so what is the best solution?
                                                                                High Quality Blogs/Links For Sale

                                                                                Comment

                                                                                • Barry-xlovecam
                                                                                  It's 42
                                                                                  • Jun 2010
                                                                                  • 18083

                                                                                  #41
                                                                                  1. The solution is for dumb-ass Google to delist them.
                                                                                  2. Dense users need to be more aware of the browser address location bar.


                                                                                  You cannot stop crime or scammers -- that has been proven over and over historically.

                                                                                  Every registry (where the registrar buys the names they sell you) has an AUP and TOS and will (or should) accept certified mail or a FedEx / DHL overnight letter with a complaint at their PHYSICAL ADDRESS. ICANN says they need a physical address to accept mail at -- do the legwork yourself or hire a lawyer (or other qualified person) to do it for you.

                                                                                  Comment

                                                                                  • JuicyBunny
                                                                                    So Fucking Banned
                                                                                    • Jun 2010
                                                                                    • 2145

                                                                                    #42
                                                                                    Originally posted by Barry-xlovecam
                                                                                    1. The solution is for dumb-ass Google to delist them.
                                                                                    2. Dense users need to be more aware of the browser address location bar.


                                                                                    You cannot stop crime or scammers -- that has been proven over and over historically.

                                                                                    Every registry (where the registrar buys the names they sell you) has an AUP and TOS and will (or should) accept certified mail or a FedEx / DHL overnight letter with a complaint at their PHYSICAL ADDRESS. ICANN says they need a physical address to accept mail at -- do the legwork yourself or hire a lawyer (or other qualified person) to do it for you.
                                                                                    Need to thank you for these registry tips. We had a domain lose its reg on the afternoon of the morning we filed an infringement notice for cloning.
                                                                                    We plan on using this method A LOT now because as you say scammers and criminals will not go away and it works. If you file the right complaint.

                                                                                    Comment

                                                                                    • k0nr4d
                                                                                      Confirmed User
                                                                                      • Aug 2006
                                                                                      • 9231

                                                                                      #43
                                                                                      What about putting some super unique piece of text on your site and using google search api to check if it exists on any other domain to check if anyone has done this to your site?
                                                                                      Mechanical Bunny Media
                                                                                      Mechbunny Tube Script | Mechbunny Webcam Aggregator Script | Custom Web Development

                                                                                      Comment
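k0nr4d's unique-text idea from post #43, as an added example that is not code from the thread: the marker carries the origin hostname hex-encoded, so a proxy's plain find/replace of the domain string leaves it intact and it still names the site that was cloned. The search step itself is not performed; the pages, hostnames, the `cnry-` marker format, the site id and all function names are constructed for illustration.

```javascript
// Added example. Feed it page bodies you fetched from hosts a search
// (or a tip-off) turned up; the sample pages here are constructed.

function hexEncode(s) {
  return Array.from(s, (c) => c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
}

function hexDecode(h) {
  let out = "";
  for (let i = 0; i < h.length; i += 2) {
    out += String.fromCharCode(parseInt(h.slice(i, i + 2), 16));
  }
  return out;
}

// Marker to print on every page (footer text, for instance).
// siteId is a random lowercase string you choose once and keep.
function makeCanary(hostname, siteId) {
  return `cnry-${siteId}-${hexEncode(hostname.toLowerCase())}`;
}

const CANARY_RE = /cnry-([a-z0-9]+)-((?:[0-9a-f]{2})+)/g;

// pages: [{ host, body }]. Returns one finding per page that carries your
// marker while being served from a host that is not yours.
function findClones(pages, siteId, ownHosts) {
  const own = ownHosts.map((h) => h.toLowerCase());
  const findings = [];
  for (const { host, body } of pages) {
    if (own.includes(host.toLowerCase())) continue;
    for (const m of body.matchAll(CANARY_RE)) {
      if (m[1] !== siteId) continue;          // someone else's marker
      findings.push({ servedHost: host, clonedFrom: hexDecode(m[2]) });
      break;                                  // one finding per page is enough
    }
  }
  return findings;
}

// --- constructed sample data ---
const ORIGIN = "clientsdomain.com";
const SITE_ID = "k3x9q7";
const originBody =
  `<p>Welcome to ${ORIGIN}</p><footer>${makeCanary(ORIGIN, SITE_ID)}</footer>`;

const SAMPLE_PAGES = [
  { host: "clientsdomain.com", body: originBody },
  // What the proxy serves: every plain-text occurrence of the domain replaced.
  { host: "clonedomain.com", body: originBody.split(ORIGIN).join("clonedomain.com") },
  { host: "unrelated.example", body: "<p>nothing of yours here</p>" },
];

console.log(findClones(SAMPLE_PAGES, SITE_ID, [ORIGIN, "www." + ORIGIN]));
```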

                                                                                      • JuicyBunny
                                                                                        So Fucking Banned
                                                                                        • Jun 2010
                                                                                        • 2145

                                                                                        #44
                                                                                        Originally posted by k0nr4d
                                                                                        What about putting some super unique piece of text on your site and using google search api to check if it exists on any other domain to check if anyone has done this to your site?
                                                                                        That's a good idea. We're doing a few things and have some friends helping as well.

                                                                                        Comment

                                                                                        • SIK
                                                                                          Confirmed User
                                                                                          • Dec 2006
                                                                                          • 1497

                                                                                          #45
                                                                                          I've had my sites heavily affected by this shit over the years.

                                                                                          You'll probably call me crazy but - http://www.clone-site.com - I wrote all that in a day.

                                                                                          Will expand on it during the following days, and I'm actually going to clone a few sites on subdomains, just to demonstrate it all.

                                                                                          Silly as it can be, but my goal is to get this shit recognized as an issue and to get google to provide some kind of "report tool" for affected sites.

                                                                                          Yeah, I know - but I'm an optimist.
                                                                                          ¤´¨)
                                                                                          ¸.•´¸.•*´¨) ¸.•*¨)
                                                                                          (¸.•´ (¸.•`¤ICQ:491 496 482

                                                                                          Comment

                                                                                          • Brad Mitchell
                                                                                            Confirmed User
                                                                                            • Nov 2001
                                                                                            • 9813

                                                                                            #46
                                                                                            I'm not technical like the rest of our team here.. so hopefully I don't mangle this-

                                                                                            The feedback I'm hearing internally here is that Java code is the best way to address it. While it may need to be addressed on a case by case basis, writing a piece of code like that or to break the Iframe has been the solution we have used for more difficult ones. A clever hacker can work around Java obfuscation, too, though. One of our techs says "I've broken down sucuri's java obfuscation with a simple PHP script and a system call to the `node` java interpreter."

                                                                                            Sincerely,

                                                                                            Brad

                                                                                            Comment

                                                                                            • Barry-xlovecam
                                                                                              It's 42
                                                                                              • Jun 2010
                                                                                              • 18083

                                                                                              #47
                                                                                              Originally posted by JuicyBunny
                                                                                              Need to thank you for these registry tips. We had a domain lose its reg on the afternoon of the morning we filed an infringement notice for cloning.
                                                                                              We plan on using this method A LOT now because as you say scammers and criminals will not go away and it works. If you file the right complaint.
                                                                                              Good to hear you got results.

                                                                                              I learned a long time ago shit flows downhill FAST.

                                                                                              Comment

                                                                                              • xxx6live
                                                                                                Confirmed User
                                                                                                • Dec 2012
                                                                                                • 279

                                                                                                #48
                                                                                                Originally posted by Brad Mitchell
                                                                                                I'm not technical like the rest of our team here.. so hopefully I don't mangle this-

                                                                                                The feedback I'm hearing internally here is that Java code is the best way to address it. While it may need to be addressed on a case by case basis, writing a piece of code like that or to break the Iframe has been the solution we have used for more difficult ones.
                                                                                                Yes, this works perfectly most of the time.

                                                                                                But: one site of mine did not react to the javascript. They had learnt to use the

                                                                                                Code:
                                                                                                <iframe sandbox ...>
                                                                                                tag which stops script execution in the iframe, so the javascript in my iframed site was never being executed.

                                                                                                Comment

                                                                                                • JuicyBunny
                                                                                                  So Fucking Banned
                                                                                                  • Jun 2010
                                                                                                  • 2145

                                                                                                  #49
                                                                                                  Originally posted by SIK
                                                                                                  I've had my sites heavily affected by this shit over the years.

                                                                                                  You'll probably call me crazy but - http://www.clone-site.com - I wrote all that in a day.

                                                                                                  Will expand on it during the following days, and I'm actually going to clone a few sites on subdomains, just to demonstrate it all.

                                                                                                  Silly as it can be, but my goal is to get this shit recognized as an issue and to get google to provide some kind of "report tool" for affected sites.

                                                                                                  Yeah, I know - but I'm an optimist.
                                                                                                  Love the site. Very helpful.
                                                                                                  You and Barry should hook up and create a solution to kill these fuckers.
                                                                                                  It's obvious Google is less than receptive to helping.

                                                                                                  Comment

                                                                                                  • JuicyBunny
                                                                                                    So Fucking Banned
                                                                                                    • Jun 2010
                                                                                                    • 2145

                                                                                                    #50
                                                                                                    Originally posted by Brad Mitchell
                                                                                                    I'm not technical like the rest of our team here.. so hopefully I don't mangle this-

                                                                                                    The feedback I'm hearing internally here is that Java code is the best way to address it. While it may need to be addressed on a case by case basis, writing a piece of code like that or to break the Iframe has been the solution we have used for more difficult ones. A clever hacker can work around Java obfuscation, too, though. One of our techs says "I've broken down sucuri's java obfuscation with a simple PHP script and a system call to the `node` java interpreter."

                                                                                                    Sincerely,

                                                                                                    Brad
                                                                                                    That's great advice. Your techs have been very helpful to us.
                                                                                                    Still, we need a solution for people who are scraping and downloading our content to their sites. So far, no cure for that except to complain to Cloudflare and the registries.
                                                                                                    I'd like to block these guys before they create issues.

                                                                                                    Comment
