Question What is this? http://gbatemp.gukovo.org/

Discussion in 'Site Discussions & Suggestions' started by d0k3, Sep 14, 2015.

  1. d0k3
    OP

    d0k3 3DS Homebrew Legend

    Member
    2,672
    2,676
    Dec 3, 2004
    Gambia, The
    As the title says. I found this by accident via Google. Seems to be an exact mirror of GBAtemp.net. I was too scared (but still somewhat tempted) to use my login data to log in there.

    Gukovo, btw, is a town in Russia.
     
    Last edited by d0k3, Sep 16, 2015
    osirisjem likes this.
  2. FAST6191

    FAST6191 Techromancer

    pip Reporter
    23,871
    9,782
    Nov 21, 2005
    United Kingdom
    Yeah do not use your login data on clone sites. It is not a good plan.

    They appear to be on different IPs and looking at the source it looks like an odd mirror (the copy is missing various indentation and layout). The domain uses some kind of privacy blocking for whois requests (somewhere in Australia but mine are based in Canada so that means nothing).

    It could still be a mirror spammer that stepped out of a time machine from 2008 but I really did think most of those went away outside China. If I had to guess some web developer somewhere is having some fun with http://curl.haxx.se/ or something similar and used GBAtemp as a test site, though the adfly link in the source makes me wonder if it is not instead a kind of proxy/mirror type site to access things at work/school and maybe gain some monies along the way when shared with their mates. The IP I get from it traces back to cloudflare but such things are often free with basic hosting so I am not going to go too much further there. The domain itself also appears to be on email blacklists too. I am not invested enough in this to do the full hacker workup/analysis.
     
    SLiV3R, Margen67 and HaloEffect17 like this.
  3. d0k3
    OP

    d0k3 3DS Homebrew Legend

    Member
    2,672
    2,676
    Dec 3, 2004
    Gambia, The
    Look at that - they even go the extra mile and replace all occurrences of "gbatemp.net" with "gbatemp.gukovo.org":
    gbatemp.png

    On another note, our user accounts don't seem to work there. I entered my username with a wrong password and got the sign up form.
     
    DarkFlare69 and HaloEffect17 like this.
  4. Frederica Bernkastel

    Frederica Bernkastel WebPerf and PWA advocate; @antoligy on Twitter

    Member
    3,154
    765
    Jan 31, 2008
    United Kingdom
    Hinamizawa
    Looking at this site, it seems to be a caching proxy of some kind - I would assume Squid or Varnish - with some rewrite logic, hooked up directly to Cloudflare for obfuscating its origin. Making requests to its copy of the login page redirects to the Registration page which is indicative of it not actually making backend requests so I would assume that it's actually fairly harmless. Possibly a ploy to mess with SEO, or as FAST said someone trying to bypass a URL filter?
     
    Margen67 likes this.
  5. NicoBlogs

    NicoBlogs GBAtemp Regular

    Member
    289
    89
    Apr 19, 2013
    United States
    USA
    They did the same with my site (nicoblog). I'm all ears on how to stop them.

    Edit: I've asked Cloudflare for their real hosting.
     
    HaloEffect17 likes this.
  6. Blaze163

    Blaze163 The White Phoenix's purifying flame.

    Member
    3,769
    789
    Nov 19, 2008
    Coventry, UK
    Just a cheap imitation. Doesn't even have an Evil Pikachu.
     
  7. Gukovo Sucks

    Gukovo Sucks Newbie

    Newcomer
    1
    2
    Sep 20, 2015
    Brazil
    If you find him using any ads on your mirrored site view the source code to find the ad code and then contact the ad networks he is using and this will prevent him from profiting off it. As for copying the site, not much we can do but report him to Google and his web host or you could also issue DMCA notices against his site as well. He is ripping off mostly gaming related sites and basically steals all their traffic and profits off it.
     
    Margen67 and HaloEffect17 like this.
  8. NicoBlogs

    NicoBlogs GBAtemp Regular

    Member
    289
    89
    Apr 19, 2013
    United States
    USA
    Let me guess, they copied your site too?
     
  9. yodamerlin

    yodamerlin Bok bok.

    Member
    309
    162
    Apr 1, 2014
    Surely you could discover their IP since they have got your site. Just add some random file to the webserver, and access it through the proxy/whatever it is. Then check the logs on what accessed that file.
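
The canary-file check suggested in the post above, sketched for a site owner reading their own access log. This is an added example, not code from the thread; the log format (Combined Log Format), the `canary-` file naming, the function names and the sample log lines are assumptions, and the CDN range is the one shown in the whois output later in this thread.

```python
import ipaddress
import re
import secrets

# Combined Log Format: client IP, ident, user, [time], "request", status, ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) (\S+) [^"]*" \d{3} ')

# CIDR from the whois output later in this thread (CLOUDFLARENET). A hit from
# here is a CDN edge, not the mirror operator's own server.
CDN_NETS = [ipaddress.ip_network("104.16.0.0/12")]


def new_canary_path():
    """Unguessable path for an empty file; a fresh one defeats the mirror's cache."""
    return "/canary-" + secrets.token_hex(8) + ".txt"


def canary_hits(log_lines, canary_path, own_ips=()):
    """Map each client IP that requested the canary to its request times."""
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-GET/HEAD line
        ip, when, target = m.groups()
        if target.split("?", 1)[0] == canary_path and ip not in own_ips:
            hits.setdefault(ip, []).append(when)
    return hits


def origin_candidates(hits):
    """Drop CDN edge addresses; what remains is worth an abuse report or a block."""
    return sorted(ip for ip in hits
                  if not any(ipaddress.ip_address(ip) in n for n in CDN_NETS))


# Constructed sample: documentation addresses (RFC 5737) plus the CDN IP from the thread.
CANARY = "/canary-3f9a1c0de4b27a55.txt"
SAMPLE_LOG = [
    '198.51.100.7 - - [23/Jan/2016:10:31:02 +0000] "GET /index.php HTTP/1.1" 200 5123',
    '192.0.2.10 - - [23/Jan/2016:10:32:10 +0000] "GET ' + CANARY + ' HTTP/1.1" 200 0',
    '203.0.113.44 - - [23/Jan/2016:10:32:15 +0000] "GET ' + CANARY + '?x=1 HTTP/1.1" 200 0',
    '104.27.153.105 - - [23/Jan/2016:10:32:40 +0000] "GET ' + CANARY + ' HTTP/1.1" 200 0',
    'garbage line without the expected fields',
]

if __name__ == "__main__":
    found = canary_hits(SAMPLE_LOG, CANARY, own_ips={"192.0.2.10"})
    print(origin_candidates(found))
```

A caching proxy only contacts the real site on a cache miss, so each test needs a new canary path, and the hit's timestamp should line up with the moment the file was requested through the mirror.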
     
  10. DarkFlare69

    DarkFlare69 GBAtemp Psycho!

    Member
    4,766
    2,621
    Dec 8, 2014
    United States
    Ohio
    You made an account here just to say they suck? xD
     
  11. HaloEffect17

    HaloEffect17 Splatoon Fan

    Member
    1,044
    981
    Jul 1, 2015
    Canada
    I wouldn't trust that mirror site, exactly. :unsure:
     
  12. osm70

    osm70 GBAtemp Advanced Fan

    Member
    963
    398
    Apr 17, 2011
    Czech Republic
    My account doesn't work. Registration is broken and doesn't work.
    So, how is anyone supposed to do anything?
     
  13. Depravo

    Depravo KALSARIKÄNNIT

    Global Moderator
    5,259
    3,576
    Oct 13, 2008
    Purgatory
    But now they have your password. I expect your account will be making posts about male enhancement pills any day now.
     
    CIAwesome526, Seriel, CeeDee and 11 others like this.
  14. osm70

    osm70 GBAtemp Advanced Fan

    Member
    963
    398
    Apr 17, 2011
    Czech Republic
    I am not that stupid. Password can be changed.
     
  15. NicoBlogs

    NicoBlogs GBAtemp Regular

    Member
    289
    89
    Apr 19, 2013
    United States
    USA
    I've filed my complaint with Cloudflare and they forwarded it to their hosting.
    If GBAtemp wants to file a complaint as well, here is the info:

    Hosting Provider: INFERNO-NL-DE
    Abuse Contact: abuse@serverius.net
     
    CeeDee, I pwned U!, Margen67 and 3 others like this.
  16. NicoBlogs

    NicoBlogs GBAtemp Regular

    Member
    289
    89
    Apr 19, 2013
    United States
    USA
    Sorry for the double post, but I think it's important to announce they stopped doing it for both gbatemp and nicoblog! http://gbatemp.gukovo.org/ now redirects to another site. They are still doing it for other websites though.

    Seems solved!
     
  17. TeamScriptKiddies

    TeamScriptKiddies Licensed Nintendo (indie) Game Developer

    Member
    1,917
    1,330
    Apr 3, 2014
    United States
    Planet Earth :P
    Just assume it's a phishing trap and move on.....
     
  18. gudenau

    gudenau Largely ignored

    Member
    3,304
    1,253
    Jul 7, 2010
    United States
    /dev/random
    It does not exist for me.
     
  19. NicoBlogs

    NicoBlogs GBAtemp Regular

    Member
    289
    89
    Apr 19, 2013
    United States
    USA
    It's back... can't seem to get rid of it. =/
     
    TeamScriptKiddies likes this.
  20. FAST6191

    FAST6191 Techromancer

    pip Reporter
    23,871
    9,782
    Nov 21, 2005
    United Kingdom
    Heh that must have been recent as I stumbled across this thread the other day.

    Anyway same setup. Domain privacy, Cloudflare hosted and mirroring/editing, though I did not see an adfly link this time. No time or desire to do a full workup. If you want to speak to Cloudflare again then by all means go for it.


    Code:
    ping gbatemp.gukovo.org
    PING gbatemp.gukovo.org (104.27.153.105) 56(84) bytes of data.
    64 bytes from 104.27.153.105: icmp_seq=1 ttl=57 time=7.13 ms
    64 bytes from 104.27.153.105: icmp_seq=2 ttl=57 time=7.49 ms
    ^C64 bytes from 104.27.153.105: icmp_seq=3 ttl=57 time=7.82 ms
    
    --- gbatemp.gukovo.org ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 10081ms
    rtt min/avg/max/mdev = 7.136/7.483/7.823/0.289 ms
    whois 104.27.153.105
    
    #
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at: https://www.arin.net/whois_tou.html
    #
    # If you see inaccuracies in the results, please report at
    # http://www.arin.net/public/whoisinaccuracy/index.xhtml
    #
    
    
    #
    # The following results may also be obtained via:
    # http://whois.arin.net/rest/nets;q=104.27.153.105?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
    #
    
    NetRange:       104.16.0.0 - 104.31.255.255
    CIDR:           104.16.0.0/12
    NetName:        CLOUDFLARENET
    NetHandle:      NET-104-16-0-0-1
    Parent:         NET104 (NET-104-0-0-0-0)
    NetType:        Direct Assignment
    OriginAS:       AS13335
    Organization:   CloudFlare, Inc. (CLOUD14)
    RegDate:        2014-03-28
    Updated:        2015-10-01
    Comment:        https://www.cloudflare.com
    Ref:            http://whois.arin.net/rest/net/NET-104-16-0-0-1
    
    
    
    OrgName:        CloudFlare, Inc.
    OrgId:          CLOUD14
    Address:        101 Townsend Street
    City:           San Francisco
    StateProv:      CA
    PostalCode:     94107
    Country:        US
    RegDate:        2010-07-09
    Updated:        2015-10-08
    Comment:        http://www.cloudflare.com/
    Ref:            http://whois.arin.net/rest/org/CLOUD14
    
    
    OrgNOCHandle: NOC11962-ARIN
    OrgNOCName:   NOC
    OrgNOCPhone:  +1-650-319-8930 
    OrgNOCEmail:  noc@cloudflare.com
    OrgNOCRef:    http://whois.arin.net/rest/poc/NOC11962-ARIN
    
    OrgAbuseHandle: ABUSE2916-ARIN
    OrgAbuseName:   Abuse
    OrgAbusePhone:  +1-650-319-8930 
    OrgAbuseEmail:  abuse@cloudflare.com
    OrgAbuseRef:    http://whois.arin.net/rest/poc/ABUSE2916-ARIN
    
    OrgTechHandle: ADMIN2521-ARIN
    OrgTechName:   Admin
    OrgTechPhone:  +1-650-319-8930 
    OrgTechEmail:  admin@cloudflare.com
    OrgTechRef:    http://whois.arin.net/rest/poc/ADMIN2521-ARIN
    
    RTechHandle: ADMIN2521-ARIN
    RTechName:   Admin
    RTechPhone:  +1-650-319-8930 
    RTechEmail:  admin@cloudflare.com
    RTechRef:    http://whois.arin.net/rest/poc/ADMIN2521-ARIN
    
    RAbuseHandle: ABUSE2916-ARIN
    RAbuseName:   Abuse
    RAbusePhone:  +1-650-319-8930 
    RAbuseEmail:  abuse@cloudflare.com
    RAbuseRef:    http://whois.arin.net/rest/poc/ABUSE2916-ARIN
    
    RNOCHandle: NOC11962-ARIN
    RNOCName:   NOC
    RNOCPhone:  +1-650-319-8930 
    RNOCEmail:  noc@cloudflare.com
    RNOCRef:    http://whois.arin.net/rest/poc/NOC11962-ARIN
    
    
    
    whois gukovo.org
    Domain Name: GUKOVO.ORG
    Domain ID: D170153720-LROR
    WHOIS Server:
    Referral URL: http://www.PublicDomainRegistry.com
    Updated Date: 2015-12-18T15:17:29Z
    Creation Date: 2013-11-12T05:56:32Z
    Registry Expiry Date: 2016-11-12T05:56:32Z
    Sponsoring Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
    Sponsoring Registrar IANA ID: 303
    Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
    Registrant ID: PP-SP-001
    Registrant Name: Domain Admin
    Registrant Organization: Privacy Protection Service INC d/b/a PrivacyProtect.org
    Registrant Street: C/O ID#10760, PO Box 16
    Registrant Street: Note - Visit PrivacyProtect.org
    Registrant Street: to contact the domain owner/operator
    Registrant City: Nobby Beach
    Registrant State/Province: Queensland
    Registrant Postal Code: QLD 4218
    Registrant Country: AU
    Registrant Phone: +45.36946676
    Registrant Phone Ext:
    Registrant Fax:
    Registrant Fax Ext:
    Registrant Email: contact@privacyprotect.org
    Admin ID: PP-SP-001
    Admin Name: Domain Admin
    Admin Organization: Privacy Protection Service INC d/b/a PrivacyProtect.org
    Admin Street: C/O ID#10760, PO Box 16
    Admin Street: Note - Visit PrivacyProtect.org
    Admin Street: to contact the domain owner/operator
    Admin City: Nobby Beach
    Admin State/Province: Queensland
    Admin Postal Code: QLD 4218
    Admin Country: AU
    Admin Phone: +45.36946676
    Admin Phone Ext:
    Admin Fax:
    Admin Fax Ext:
    Admin Email: contact@privacyprotect.org
    Tech ID: PP-SP-001
    Tech Name: Domain Admin
    Tech Organization: Privacy Protection Service INC d/b/a PrivacyProtect.org
    Tech Street: C/O ID#10760, PO Box 16
    Tech Street: Note - Visit PrivacyProtect.org
    Tech Street: to contact the domain owner/operator
    Tech City: Nobby Beach
    Tech State/Province: Queensland
    Tech Postal Code: QLD 4218
    Tech Country: AU
    Tech Phone: +45.36946676
    Tech Phone Ext:
    Tech Fax:
    Tech Fax Ext:
    Tech Email: contact@privacyprotect.org
    Name Server: ANNA.NS.CLOUDFLARE.COM
    Name Server: JACK.NS.CLOUDFLARE.COM
    DNSSEC: unsigned
    >>> Last update of WHOIS database: 2016-01-23T10:32:04Z <<<
    
    
    
     
    TeamScriptKiddies likes this.