Question: What is this? http://gbatemp.gukovo.org/

FAST6191 (Editorial Team)
RSS is slower than instant. This is more likely some kind of fetch and rewrite or caching service/reverse proxy twisted in with something that can alter it (rewrite if you want to use a more common term).

Way back when one might have used something like
http://curl.haxx.se/

Today the caching stuff is probably the better method. The two Fredrica Bernkastel mentioned are the bigger names in it:
http://www.squid-cache.org/
https://www.varnish-cache.org/about

I have been trying to think of a test I could do, as I can write HTML here to have some fun ( http://www.cracked.com/blog/this-is-why-you-dont-steal-from-cracked/ ) or possibly leak some info, but I am far too lazy/ignorant, and actually it is probably going to be reasonably hard (most people that cache own the site being cached, so security is not the highest priority, but at the same time it is still a concern).
 

notimp (Member)
Which also is highly ranked on google on some common search terms?

Ehm?

Only realized it when I went to log in to this site - and my login didn't work.

Guess it's time to change my password...

Does anyone have any idea what gave us the honors of existing twice on the web as of now? Also - admins didn't notice that the entire database gets scraped, almost in realtime?

Of course this is the wrong forum for it, but any reactions would be nice.

Whois is privacy protected:
https://www.whois.com/whois/kem-inc.org
 

notimp (Member)
Thank you for moving it to the "correct forum". Where almost no one will see it. ;)

A comment on whether this is indeed a phishing site from the perspective of this site's admins would be welcome.

(When this thread was moved this was mirrored on kem-inc.com/forum almost immediately. Direct database access?)
-

According to web-archive.org the domain went live in June of 2017, then delivered 403s up until the 23rd of March last month, which was the last time web-archive.org scraped them. Between then and now the site started to host gbatemp content (seemingly in realtime) - and also got into the google cache.

Here are the three available (older) snapshots:

https://web.archive.org/web/20170626081117/http://kem-inc.com/
https://web.archive.org/web/20170928185940/http://kem-inc.com/
https://web.archive.org/web/20180323173616/http://kem-inc.com/

For google cache entries of this happening, just search for site:kem-inc.com on google - in case the sites behavior suddenly changes.
 

Tom Bombadildo (Member)
First of all, this section is reviewed by nearly all the staff when they're active, so people will "see it".

Secondly, it's more than likely this is just a proxy page for use in places GBATemp might be blocked (i.e. schools). These pages have come up occasionally, and usually don't last more than a few months at best. Whether it's a phishing site or not I couldn't say, but I doubt it is, since most people with an account already here are generally aware of the correct URL when visiting, or searching, GBATemp.
 

notimp (Member)
Not sufficient. School proxies don't tend to copy entire databases.

Also proxies don't tend to mimic sites entirely - because that behavior represents more than a proxy.

A comment from anyone more involved would still be appreciated. This is a breach of trust, not a "service given for 12 year olds".

This could be anything from an attempt to cover up a data breach, to a very, very, very unfortunate mishap in configuring a non public backup domain. (Under the name kem-inc.com ? )

"Those sites usually don't last long." is an interesting comment as well - as in general you have no control over the behavior of whoever is hosting the phishing site. As long as google/the registrar doesn't block them, because they are being reported, NOTHING happens to clone/mirror sites in general.

So if anyone is willing to come up with a response that actually passes the "I'm older than 5 years old, and have an idea how the internet works" test - please voice your thoughts.

In the meantime, where do I get full database access to gbatemp to host my own mirror of this site under a different domain? For school proxy purposes - of course...

edit:

Here are some source code snippets to show that .js gets loaded directly from their domain:
https://imgur.com/a/dbheXyz

This is not a proxy.
 

Costello (Administrator)
you are making no sense and obviously don't know what a proxy is.

1) what would be the point in doing phishing if, according to you, they had a copy of the entire database and source code? they would already have everyone's password hashes and the means to log in

2) what's the first thing a hacker does when they hack a site? re-host the site under a different domain? how does that make any sense? why not post all the juicy admin threads or PMs somewhere to show off?

3) you are talking about copies of the database yet you say this is a near real time mirror. so what's your theory? they are copying our database every couple of minutes?

this looks like a simple proxy/mirror with cache (which is why you don't get instant updates) likely set up by someone whose motives are:
- bypassing a firewall or other blocking devices
- someone who needs HTTP access (we enforced HTTPS recently)
- or someone who actually is doing phishing.
- or someone trying to build up a well-ranked site on search engines to set up high value keywords

now if you have any additional information please share it with me privately but don't try spreading some kind of panic based on nonsensical conclusions.
try sites like kproxy.com and others, you’ll see they work just the same.

and should there be any breach we would of course provide detailed information as we did 7-8 years ago when we got hacked. Full transparency, period.
 

xkrazykidx (Newcomer)
I did a couple of searches and did not see this posted anywhere, and I apologize if it has been discussed prior, but I was doing a Google search for something Switch related (fusee-launcher.py error) and noticed a couple of GBATemp links with the incorrect URL. Just wanted to warn others who may not even take that extra second to look at the URL and may only read the thread titles.
 


Seriel (Member)
Yeah there are a few of these mirror sites around, they're probably just a simple reverse proxy setup to monitor communication and potentially steal passwords if you login.
I wonder if it's possible for GBAtemp's code to check that it's on the right domain before displaying any pages.
In any case, it goes without saying but double-check the address bar says https://gbatemp.net/ before logging in here.
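Seriel's question (can the site's own code check which domain it is being served from?) as an added example, not GBAtemp's code: a pure decision function plus a browser hook that removes the login form and reports the impostor hostname to the real origin. The /clone-report endpoint and the login-form selector are assumptions; a rewriting proxy can strip this script, so it gives the operator visibility into clone domains rather than acting as a control.

```javascript
// Added example, not GBAtemp's code: a canonical-origin check of the kind
// Seriel asks about. The page compares the hostname and scheme it is actually
// being served from against the real site's, and if they differ it removes
// the login form and reports the impostor hostname to the real origin.
// Caveat: a rewriting reverse proxy can strip or edit this script, so treat it
// as a detection signal for the operator, not as a security boundary.

const CANONICAL = { hostname: 'gbatemp.net', protocol: 'https:' };

// Pure decision function so the logic can be tested outside a browser.
// loc = { hostname, protocol, framed }; returns { ok, reasons }.
function assessOrigin(loc, canonical = CANONICAL) {
  const reasons = [];
  const host = loc.hostname.toLowerCase();
  if (host !== canonical.hostname && !host.endsWith('.' + canonical.hostname)) {
    reasons.push('hostname ' + host + ' is not ' + canonical.hostname);
  }
  if (loc.protocol !== canonical.protocol) {
    reasons.push('served over ' + loc.protocol + ' instead of ' + canonical.protocol);
  }
  if (loc.framed) {
    reasons.push('page is embedded in a frame'); // a mirror could also wrap the site
  }
  return { ok: reasons.length === 0, reasons };
}

// Report URL on the real origin. /clone-report is a hypothetical endpoint that
// would let the operator see which clone hostnames users are visiting.
function beaconUrl(loc, canonical = CANONICAL) {
  const params = new URLSearchParams({ host: loc.hostname, proto: loc.protocol });
  return canonical.protocol + '//' + canonical.hostname + '/clone-report?' + params;
}

// Browser hook: only runs where window/document exist (no-op under Node).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const loc = {
    hostname: window.location.hostname,
    protocol: window.location.protocol,
    framed: window.top !== window.self,
  };
  const result = assessOrigin(loc);
  if (!result.ok) {
    new Image().src = beaconUrl(loc); // fire-and-forget report
    // Assumed selector for the site's login form; remove it so no credentials are typed here.
    document.querySelectorAll('form[action*="login"]').forEach((f) => f.remove());
  }
}
```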
 

Uiaad (Member)
I discussed this with @Costello about a week ago and also did some investigating afterwards. This is not the only one out there doing this and it is nothing to worry about. That particular one I can guarantee is not collecting any data and is just a domain pointing at the GBATemp servers.
 

Seriel (Member)
While they could just be a CNAME routing to the gbatemp.net domain (which is fine), what's to say some of them aren't an actual proxy which monitors all communication?
 

Uiaad (Member)
There is always the possibility that could happen, but to be effective they would also need to get a pretty high ranking on search engines. When I found that particular domain I was on page 3 or 4 googling my username, which is not common.
 

hippy dave (Member)
taraftartekstil dot com, what's that all about? BTW I wouldn't put your login details in there unless staff confirms it's a legit mirror or something.
 

FAST6191 (Editorial Team)
As mentioned various people mirror the site at times, here is one from 2015
https://gbatemp.net/threads/what-is-this-http-gbatemp-gukovo-org.397344/

For giggles I grabbed both and did a diff. They rewrote the relevant URLs, removed the https from various links (including from things like Facebook) and then added a yadro.ru script to the bottom of the page (technically I think it is an advertising service, however it is dodgy even by Russian standards).
Reasons for it all vary but yeah sound policy is never put your details into something like that. As usual it is stuck behind a cloudflare privacy shield thing.
 
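The mirror-vs-original diff FAST6191 describes, as an added example (not the poster's or GBAtemp's code) and generalised slightly: instead of a raw textual diff, it maps the mirror's hostname back to the origin's and then reports only what the mirror actually added or changed, namely injected script sources and https links downgraded to http. The sample pages and the gbatemp.mirror.example / counter.example hostnames are constructed placeholders.

```javascript
// Added example, not FAST6191's or GBAtemp's code: the mirror-vs-original
// comparison described above. A mirror that rewrites hostnames differs from
// the original on every URL, so a raw diff is noisy. Mapping the mirror's
// hostname back to the origin's first leaves only what the mirror really
// changed: injected script/img sources and https links downgraded to http.

// Constructed sample pages; gbatemp.mirror.example and counter.example are
// placeholder hostnames, not real sites.
const ORIGINAL_HTML = `<html><head><title>GBAtemp</title>
<script src="https://gbatemp.net/js/site.js"></script></head>
<body><a href="https://gbatemp.net/threads/123/">thread</a>
<a href="https://www.facebook.com/gbatemp">fb</a></body></html>`;

const MIRROR_HTML = `<html><head><title>GBAtemp</title>
<script src="http://gbatemp.mirror.example/js/site.js"></script></head>
<body><a href="http://gbatemp.mirror.example/threads/123/">thread</a>
<a href="http://www.facebook.com/gbatemp">fb</a>
<script src="http://counter.example/counter.js"></script></body></html>`;

// Collect values of one attribute with a regex: enough for this comparison,
// not a general HTML parser.
function attrValues(html, attr) {
  const re = new RegExp('\\s' + attr + '=["\']([^"\']+)["\']', 'gi');
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

const stripScheme = (url) => url.replace(/^https?:/i, '');

function compareMirror(originalHtml, mirrorHtml, originHost, mirrorHost) {
  // Undo the proxy's hostname rewrite so legitimately proxied URLs compare equal.
  const normalized = mirrorHtml.split(mirrorHost).join(originHost);

  // Sources (script, img, iframe) present in the mirror but not in the original.
  const knownSources = new Set(attrValues(originalHtml, 'src').map(stripScheme));
  const injectedSources = attrValues(normalized, 'src')
    .filter((src) => !knownSources.has(stripScheme(src)));

  // https URLs in the original whose plain-http twin appears in the mirror.
  const originalUrls = [...attrValues(originalHtml, 'src'), ...attrValues(originalHtml, 'href')];
  const mirrorUrls = new Set([...attrValues(normalized, 'src'), ...attrValues(normalized, 'href')]);
  const downgradedUrls = originalUrls.filter(
    (u) => /^https:/i.test(u) && mirrorUrls.has(u.replace(/^https:/i, 'http:')),
  );

  return { injectedSources, downgradedUrls };
}
```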

Costello (Administrator)
EDIT: all similar threads have been merged into one

I have inspected the logs and determined that these are simple proxies. I will be banning the IPs of these proxies from now on.
I've searched this forum to look for all reports of illegal proxies and banned all the proxies I could find.

Please report here if you see any new illegal proxy.
 
