Question What is this? http://gbatemp.gukovo.org/

FAST6191

Yeah do not use your login data on clone sites. It is not a good plan.

They appear to be on different IPs and looking at the source it looks like an odd mirror (the copy is missing various indentation and layout). The domain uses some kind of privacy blocking for whois requests (somewhere in Australia but mine are based in Canada so that means nothing).

It could still be a mirror spammer that stepped out of a time machine from 2008 but I really did think most of those went away outside China. If I had to guess some web developer somewhere is having some fun with http://curl.haxx.se/ or something similar and used GBAtemp as a test site, though the adfly link in the source makes me wonder if it is not instead a kind of proxy/mirror type site to access things at work/school and maybe gain some monies along the way when shared with their mates. The IP I get from it traces back to cloudflare but such things are often free with basic hosting so I am not going to go too much further there. The domain itself also appears to be on email blacklists too. I am not invested enough in this to do the full hacker workup/analysis.
 

d0k3

OP
Look at that - they even go the extra mile and replace all occurrences of "gbatemp.net" with "gbatemp.gukovo.org":
gbatemp.png


On another note, our user accounts don't seem to work there. I entered my username with a wrong password and got the sign up form.
 

Frederica Bernkastel

Looking at this site, it seems to be a caching proxy of some kind - I would assume Squid or Varnish - with some rewrite logic, hooked up directly to Cloudflare for obfuscating its origin. Making requests to its copy of the login page redirects to the Registration page which is indicative of it not actually making backend requests so I would assume that it's actually fairly harmless. Possibly a ploy to mess with SEO, or as FAST said someone trying to bypass a URL filter?
 

Gukovo Sucks

If you find him using any ads on your mirrored site view the source code to find the ad code and then contact the ad networks he is using and this will prevent him from profiting off it. As for copying the site, not much we can do but report him to Google and his web host or you could also issue DMCA notices against his site as well. He is ripping off mostly gaming related sites and basically steals all their traffic and profits off it.
 
Deleted User
If you find him using any ads on your mirrored site view the source code to find the ad code and then contact the ad networks he is using and this will prevent him from profiting off it. As for copying the site, not much we can do but report him to Google and his web host or you could also issue DMCA notices against his site as well. He is ripping off mostly gaming related sites and basically steals all their traffic and profits off it.
Let me guess, they copied your site too?
 

yodamerlin

They did the same with my site (nicoblog) I'm all ears on how to stop them.

Edit: I've asked cloudflare for their real hosting.
Surely you could discover their IP since they have got your site. Just add some random file to the webserver, and access it through the proxy/whatever it is. Then check the logs on what accessed that file.
 
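The canary-file check suggested in the post above, sketched as an added example that is not part of the original thread: it generates an unlinked path to place on your own web server and then scans your own access log for whoever fetched it. The combined log format, the function names, the canary path and the sample log lines are assumptions constructed for illustration; the CIDR is the CLOUDFLARENET range shown in the whois output quoted in this thread.

```python
import ipaddress
import re
import secrets

# CIDR from the whois output quoted in this thread (NetName CLOUDFLARENET).
CDN_NET = ipaddress.ip_network("104.16.0.0/12")
# Assumed "combined" log layout: client IP first, request line in quotes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3}')


def new_canary_path():
    """Unguessable, unlinked path: only a deliberate fetch will request it."""
    return "/canary-" + secrets.token_hex(8) + ".txt"


def find_canary_hits(log_lines, canary_path, own_ips=()):
    """Map each client IP that requested the canary to a count and a CDN flag."""
    own = {ipaddress.ip_address(ip) for ip in own_ips}
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated log line
        client, target = m.groups()
        if target.split("?", 1)[0] != canary_path:
            continue  # some other resource
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:
            continue  # hostname or junk in the client field
        if addr in own:
            continue  # your own direct test request
        # An address inside the CDN range is an edge node, not an origin host.
        entry = hits.setdefault(str(addr), {"count": 0, "cdn_edge": addr in CDN_NET})
        entry["count"] += 1
    return hits


# Constructed sample log; 198.51.100.x, 203.0.113.x and 192.0.2.x are documentation ranges.
CANARY = "/canary-3f9c2a71d05be864.txt"
SAMPLE_LOG = [
    '198.51.100.7 - - [23/Jan/2016:10:01:12 +0000] "GET ' + CANARY + ' HTTP/1.1" 200 12 "-" "curl/7.35.0"',
    '203.0.113.45 - - [23/Jan/2016:10:02:40 +0000] "GET ' + CANARY + ' HTTP/1.1" 200 12 "-" "-"',
    '203.0.113.45 - - [23/Jan/2016:10:02:58 +0000] "GET ' + CANARY + '?x=1 HTTP/1.1" 200 12 "-" "-"',
    '104.27.153.105 - - [23/Jan/2016:10:03:05 +0000] "GET ' + CANARY + ' HTTP/1.1" 200 12 "-" "-"',
    '192.0.2.9 - - [23/Jan/2016:10:03:30 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"',
    "truncated line without a request",
]
```

If your own site sits behind a CDN, the client field only shows edge addresses unless the server is configured to log the forwarded client IP, so flagged entries say nothing about the mirror's origin.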

DarkFlare69

If you find him using any ads on your mirrored site view the source code to find the ad code and then contact the ad networks he is using and this will prevent him from profiting off it. As for copying the site, not much we can do but report him to Google and his web host or you could also issue DMCA notices against his site as well. He is ripping off mostly gaming related sites and basically steals all their traffic and profits off it.
You made an account here just to say they suck? xD
 
Deleted User
Sorry for doublepost but I think it's important to announce they stopped doing it for both gbatemp and nicoblog! http://gbatemp.gukovo.org/ now redirects to other site. They are still doing it for other websites though.

Seems solved!
 

FAST6191

Heh that must have been recent as I stumbled across this thread the other day.

Anyway same setup. Domain privacy, cloudflare hosted and mirroring/editing, though I did not see an adfly link this time. No time or desire to do a full workup. If you want to speak to cloudflare again then by all means go for it.


Code:
ping gbatemp.gukovo.org
PING gbatemp.gukovo.org (104.27.153.105) 56(84) bytes of data.
64 bytes from 104.27.153.105: icmp_seq=1 ttl=57 time=7.13 ms
64 bytes from 104.27.153.105: icmp_seq=2 ttl=57 time=7.49 ms
^C64 bytes from 104.27.153.105: icmp_seq=3 ttl=57 time=7.82 ms

--- gbatemp.gukovo.org ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 10081ms
rtt min/avg/max/mdev = 7.136/7.483/7.823/0.289 ms
whois 104.27.153.105

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# http://www.arin.net/public/whoisinaccuracy/index.xhtml
#


#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=104.27.153.105?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#

NetRange:       104.16.0.0 - 104.31.255.255
CIDR:           104.16.0.0/12
NetName:        CLOUDFLARENET
NetHandle:      NET-104-16-0-0-1
Parent:         NET104 (NET-104-0-0-0-0)
NetType:        Direct Assignment
OriginAS:       AS13335
Organization:   CloudFlare, Inc. (CLOUD14)
RegDate:        2014-03-28
Updated:        2015-10-01
Comment:        https://www.cloudflare.com
Ref:            http://whois.arin.net/rest/net/NET-104-16-0-0-1



OrgName:        CloudFlare, Inc.
OrgId:          CLOUD14
Address:        101 Townsend Street
City:           San Francisco
StateProv:      CA
PostalCode:     94107
Country:        US
RegDate:        2010-07-09
Updated:        2015-10-08
Comment:        http://www.cloudflare.com/
Ref:            http://whois.arin.net/rest/org/CLOUD14


OrgNOCHandle: NOC11962-ARIN
OrgNOCName:   NOC
OrgNOCPhone:  +1-650-319-8930 
OrgNOCEmail:  [email protected]
OrgNOCRef:    http://whois.arin.net/rest/poc/NOC11962-ARIN

OrgAbuseHandle: ABUSE2916-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-650-319-8930 
OrgAbuseEmail:  [email protected]
OrgAbuseRef:    http://whois.arin.net/rest/poc/ABUSE2916-ARIN

OrgTechHandle: ADMIN2521-ARIN
OrgTechName:   Admin
OrgTechPhone:  +1-650-319-8930 
OrgTechEmail:  [email protected]
OrgTechRef:    http://whois.arin.net/rest/poc/ADMIN2521-ARIN

RTechHandle: ADMIN2521-ARIN
RTechName:   Admin
RTechPhone:  +1-650-319-8930 
RTechEmail:  [email protected]
RTechRef:    http://whois.arin.net/rest/poc/ADMIN2521-ARIN

RAbuseHandle: ABUSE2916-ARIN
RAbuseName:   Abuse
RAbusePhone:  +1-650-319-8930 
RAbuseEmail:  [email protected]
RAbuseRef:    http://whois.arin.net/rest/poc/ABUSE2916-ARIN

RNOCHandle: NOC11962-ARIN
RNOCName:   NOC
RNOCPhone:  +1-650-319-8930 
RNOCEmail:  [email protected]
RNOCRef:    http://whois.arin.net/rest/poc/NOC11962-ARIN



whois gukovo.org
Domain Name: GUKOVO.ORG
Domain ID: D170153720-LROR
WHOIS Server:
Referral URL: http://www.PublicDomainRegistry.com
Updated Date: 2015-12-18T15:17:29Z
Creation Date: 2013-11-12T05:56:32Z
Registry Expiry Date: 2016-11-12T05:56:32Z
Sponsoring Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Sponsoring Registrar IANA ID: 303
Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
Registrant ID: PP-SP-001
Registrant Name: Domain Admin
Registrant Organization: Privacy Protection Service INC d/b/a PrivacyProtect.org
Registrant Street: C/O ID#10760, PO Box 16
Registrant Street: Note - Visit PrivacyProtect.org
Registrant Street: to contact the domain owner/operator
Registrant City: Nobby Beach
Registrant State/Province: Queensland
Registrant Postal Code: QLD 4218
Registrant Country: AU
Registrant Phone: +45.36946676
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]
Admin ID: PP-SP-001
Admin Name: Domain Admin
Admin Organization: Privacy Protection Service INC d/b/a PrivacyProtect.org
Admin Street: C/O ID#10760, PO Box 16
Admin Street: Note - Visit PrivacyProtect.org
Admin Street: to contact the domain owner/operator
Admin City: Nobby Beach
Admin State/Province: Queensland
Admin Postal Code: QLD 4218
Admin Country: AU
Admin Phone: +45.36946676
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: [email protected]
Tech ID: PP-SP-001
Tech Name: Domain Admin
Tech Organization: Privacy Protection Service INC d/b/a PrivacyProtect.org
Tech Street: C/O ID#10760, PO Box 16
Tech Street: Note - Visit PrivacyProtect.org
Tech Street: to contact the domain owner/operator
Tech City: Nobby Beach
Tech State/Province: Queensland
Tech Postal Code: QLD 4218
Tech Country: AU
Tech Phone: +45.36946676
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: [email protected]
Name Server: ANNA.NS.CLOUDFLARE.COM
Name Server: JACK.NS.CLOUDFLARE.COM
DNSSEC: unsigned
>>> Last update of WHOIS database: 2016-01-23T10:32:04Z <<<

 