1. d0k3

    OP d0k3 3DS Homebrew Legend
    Member

    Joined:
    Dec 3, 2004
    Messages:
    2,782
    Country:
    Germany
    As the title says. I found this by accident via Google. Seems to be an exact mirror of GBAtemp.net. I was too scared (but still somewhat tempted) to use my login data to log in there.

    Gukovo, btw, is a town in Russia.
     
    Last edited by d0k3, Sep 16, 2015
  2. FAST6191

    FAST6191 Techromancer
    Reporter

    Joined:
    Nov 21, 2005
    Messages:
    31,943
    Country:
    United Kingdom
    Yeah do not use your login data on clone sites. It is not a good plan.

    They appear to be on different IPs and looking at the source it looks like an odd mirror (the copy is missing various indentation and layout). The domain uses some kind of privacy blocking for whois requests (somewhere in Australia but mine are based in Canada so that means nothing).

    It could still be a mirror spammer that stepped out of a time machine from 2008 but I really did think most of those went away outside China. If I had to guess some web developer somewhere is having some fun with http://curl.haxx.se/ or something similar and used GBAtemp as a test site, though the adfly link in the source makes me wonder if it is not instead a kind of proxy/mirror type site to access things at work/school and maybe gain some monies along the way when shared with their mates. The IP I get from it traces back to cloudflare but such things are often free with basic hosting so I am not going to go too much further there. The domain itself also appears to be on email blacklists too. I am not invested enough in this to do the full hacker workup/analysis.
     
  3. d0k3

    OP d0k3 3DS Homebrew Legend
    Member

    Joined:
    Dec 3, 2004
    Messages:
    2,782
    Country:
    Germany
    Look at that - they even go the extra mile and replace all occurrences of "gbatemp.net" with "gbatemp.gukovo.org":
    gbatemp.png

    On another note, our user accounts don't seem to work there. I entered my username with a wrong password and got the sign up form.
     
  4. Frederica Bernkastel

    Frederica Bernkastel GBAtemp Psycho!
    Member

    Joined:
    Jan 31, 2008
    Messages:
    3,171
    Country:
    Japan
    Looking at this site, it seems to be a caching proxy of some kind - I would assume Squid or Varnish - with some rewrite logic, hooked up directly to Cloudflare for obfuscating its origin. Making requests to its copy of the login page redirects to the Registration page which is indicative of it not actually making backend requests so I would assume that it's actually fairly harmless. Possibly a ploy to mess with SEO, or as FAST said someone trying to bypass a URL filter?
     
  5. Deleted User

    Deleted User Newbie

    They did the same with my site (nicoblog). I'm all ears on how to stop them.

    Edit: I've asked cloudflare for their real hosting.
     
  6. Blaze163

    Blaze163 The White Phoenix's purifying flame.
    Member

    Joined:
    Nov 19, 2008
    Messages:
    3,827
    Country:
    Just a cheap imitation. Doesn't even have an Evil Pikachu.
     
  7. Gukovo Sucks

    Gukovo Sucks Newbie
    Newcomer

    Joined:
    Sep 20, 2015
    Messages:
    1
    Country:
    Brazil
    If you find him using any ads on your mirrored site view the source code to find the ad code and then contact the ad networks he is using and this will prevent him from profiting off it. As for copying the site, not much we can do but report him to Google and his web host or you could also issue DMCA notices against his site as well. He is ripping off mostly gaming related sites and basically steals all their traffic and profits off it.
     
  8. Deleted User

    Deleted User Newbie

    Let me guess, they copied your site too?
     
  9. yodamerlin

    yodamerlin Bok bok.
    Member

    Joined:
    Apr 1, 2014
    Messages:
    322
    Country:
    United Kingdom
    Surely you could discover their IP since they have got your site. Just add some random file to the webserver, and access it through the proxy/whatever it is. Then check the logs on what accessed that file.
     
    Scott_pilgrim likes this.
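The check suggested in the post above, as an added example that is not part of the original thread: the site owner publishes an unlinked file with a random name, requests it once through the mirror, then reads their own access log to see which address fetched it from the origin. The file name, the owner's network and the log lines are constructed placeholders, and the log is assumed to be in Apache/nginx "combined" format.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed placeholders (assumptions, not values from the thread).
CANARY_PATH = "/canary-7f3a9c.txt"               # random, never linked anywhere
OWN_NETWORKS = [ip_network("198.51.100.0/24")]   # owner's own test machines

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log, embedded so the example runs offline.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Jan/2016:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Jan/2016:10:02:00 +0000] "GET /canary-7f3a9c.txt HTTP/1.1" 200 12 "-" "curl/7.43.0"
203.0.113.45 - - [23/Jan/2016:10:03:11 +0000] "GET /canary-7f3a9c.txt HTTP/1.0" 200 12 "-" "Mozilla/5.0"
203.0.113.45 - - [23/Jan/2016:10:03:40 +0000] "GET /canary-7f3a9c.txt?x=1 HTTP/1.0" 200 12 "-" "Mozilla/5.0"
this line is truncated and must be skipped
"""

def canary_fetchers(log_text, canary_path=CANARY_PATH, own=OWN_NETWORKS):
    """Return [(ip, hits, first_seen)] for outside clients that fetched the canary."""
    seen = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                              # malformed or truncated entry
        if m["path"].split("?", 1)[0] != canary_path:
            continue                              # ordinary traffic
        try:
            ip = ip_address(m["ip"])
        except ValueError:
            continue                              # hostname or junk in the IP field
        if any(ip in net for net in own):
            continue                              # the owner's own direct test
        hits, first = seen.get(str(ip), (0, m["ts"]))
        seen[str(ip)] = (hits + 1, first)
    # Caveat: if the origin itself sits behind a CDN, this field holds the CDN's
    # address unless the server logs the forwarded client address instead.
    return sorted((ip, h, ts) for ip, (h, ts) in seen.items())

if __name__ == "__main__":
    for ip, hits, first in canary_fetchers(SAMPLE_LOG):
        print(f"{ip} fetched the canary {hits}x, first at {first}")
```

Because nothing links to the canary, any outside address that requests it right after the owner loads it through the mirror is a candidate for the mirror's backend and can be blocked at the origin or named in an abuse report.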
  10. DarkFlare69

    DarkFlare69 GBAtemp Guru
    Member

    Joined:
    Dec 8, 2014
    Messages:
    5,135
    Country:
    United States
    You made an account here just to say they suck? xD
     
  11. HaloEffect17

    HaloEffect17 Hiya!
    Member

    Joined:
    Jul 1, 2015
    Messages:
    1,258
    Country:
    Canada
    I wouldn't trust that mirror site, exactly. :unsure:
     
    Scott_pilgrim likes this.
  12. osm70

    osm70 GBAtemp Maniac
    Member

    Joined:
    Apr 17, 2011
    Messages:
    1,195
    Country:
    Czech Republic
    My account doesn't work. Registration is broken and doesn't work.
    So, how is anyone supposed to do anything?
     
    Scott_pilgrim likes this.
  13. Depravo

    Depravo KALSARIKÄNNIT
    Former Staff

    Joined:
    Oct 13, 2008
    Messages:
    5,361
    Country:
    United Kingdom
    But now they have your password. I expect your account will be making posts about male enhancement pills any day now.
     
  14. osm70

    osm70 GBAtemp Maniac
    Member

    Joined:
    Apr 17, 2011
    Messages:
    1,195
    Country:
    Czech Republic
    I am not that stupid. Password can be changed.
     
  15. Deleted User

    Deleted User Newbie

    I've filed my complaint to cloudflare and they forwarded it to their hosting.
    If GBATemp wants to file a complaint as well here is the info:

    Hosting Provider: INFERNO-NL-DE
    Abuse Contact: [email protected]
     
  16. Deleted User

    Deleted User Newbie

    Sorry for doublepost but I think it's important to announce they stopped doing it for both gbatemp and nicoblog! http://gbatemp.gukovo.org/ now redirects to another site. They are still doing it for other websites though.

    Seems solved!
     
  17. TeamScriptKiddies

    TeamScriptKiddies Licensed Nintendo (indie) Game Developer
    Member

    Joined:
    Apr 3, 2014
    Messages:
    1,970
    Country:
    United States
    Just assume it's a phishing trap and move on.....
     
  18. gudenau

    gudenau Largely ignored
    Member

    Joined:
    Jul 7, 2010
    Messages:
    3,656
    Country:
    United States
    It does not exist for me.
     
  19. Deleted User

    Deleted User Newbie

    it's back...can't seem to get rid of it. =/
     
    TeamScriptKiddies likes this.
  20. FAST6191

    FAST6191 Techromancer
    Reporter

    Joined:
    Nov 21, 2005
    Messages:
    31,943
    Country:
    United Kingdom
    Heh that must have been recent as I stumbled across this thread the other day.

    Anyway same setup. Domain privacy, cloudflare hosted and mirroring/editing, though I did not see an adfly link this time. No time or desire to do a full workup. If you want to speak to cloudflare again then by all means go for it.


    Code:
    ping gbatemp.gukovo.org
    PING gbatemp.gukovo.org (104.27.153.105) 56(84) bytes of data.
    64 bytes from 104.27.153.105: icmp_seq=1 ttl=57 time=7.13 ms
    64 bytes from 104.27.153.105: icmp_seq=2 ttl=57 time=7.49 ms
    ^C64 bytes from 104.27.153.105: icmp_seq=3 ttl=57 time=7.82 ms
    
    --- gbatemp.gukovo.org ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 10081ms
    rtt min/avg/max/mdev = 7.136/7.483/7.823/0.289 ms
    whois 104.27.153.105
    
    #
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at: https://www.arin.net/whois_tou.html
    #
    # If you see inaccuracies in the results, please report at
    # http://www.arin.net/public/whoisinaccuracy/index.xhtml
    #
    
    
    #
    # The following results may also be obtained via:
    # http://whois.arin.net/rest/nets;q=104.27.153.105?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
    #
    
    NetRange:       104.16.0.0 - 104.31.255.255
    CIDR:           104.16.0.0/12
    NetName:        CLOUDFLARENET
    NetHandle:      NET-104-16-0-0-1
    Parent:         NET104 (NET-104-0-0-0-0)
    NetType:        Direct Assignment
    OriginAS:       AS13335
    Organization:   CloudFlare, Inc. (CLOUD14)
    RegDate:        2014-03-28
    Updated:        2015-10-01
    Comment:        https://www.cloudflare.com
    Ref:            http://whois.arin.net/rest/net/NET-104-16-0-0-1
    
    
    
    OrgName:        CloudFlare, Inc.
    OrgId:          CLOUD14
    Address:        101 Townsend Street
    City:           San Francisco
    StateProv:      CA
    PostalCode:     94107
    Country:        US
    RegDate:        2010-07-09
    Updated:        2015-10-08
    Comment:        http://www.cloudflare.com/
    Ref:            http://whois.arin.net/rest/org/CLOUD14
    
    
    OrgNOCHandle: NOC11962-ARIN
    OrgNOCName:   NOC
    OrgNOCPhone:  +1-650-319-8930 
    OrgNOCEmail:  [email protected]
    OrgNOCRef:    http://whois.arin.net/rest/poc/NOC11962-ARIN
    
    OrgAbuseHandle: ABUSE2916-ARIN
    OrgAbuseName:   Abuse
    OrgAbusePhone:  +1-650-319-8930 
    OrgAbuseEmail:  [email protected]
    OrgAbuseRef:    http://whois.arin.net/rest/poc/ABUSE2916-ARIN
    
    OrgTechHandle: ADMIN2521-ARIN
    OrgTechName:   Admin
    OrgTechPhone:  +1-650-319-8930 
    OrgTechEmail:  [email protected]
    OrgTechRef:    http://whois.arin.net/rest/poc/ADMIN2521-ARIN
    
    RTechHandle: ADMIN2521-ARIN
    RTechName:   Admin
    RTechPhone:  +1-650-319-8930 
    RTechEmail:  [email protected]
    RTechRef:    http://whois.arin.net/rest/poc/ADMIN2521-ARIN
    
    RAbuseHandle: ABUSE2916-ARIN
    RAbuseName:   Abuse
    RAbusePhone:  +1-650-319-8930 
    RAbuseEmail:  [email protected]
    RAbuseRef:    http://whois.arin.net/rest/poc/ABUSE2916-ARIN
    
    RNOCHandle: NOC11962-ARIN
    RNOCName:   NOC
    RNOCPhone:  +1-650-319-8930 
    RNOCEmail:  [email protected]
    RNOCRef:    http://whois.arin.net/rest/poc/NOC11962-ARIN
    
    
    #
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at: https://www.arin.net/whois_tou.html
    #
    # If you see inaccuracies in the results, please report at
    # http://www.arin.net/public/whoisinaccuracy/index.xhtml
    #
    
    
    whois gukovo.org
    Domain Name: GUKOVO.ORG
    Domain ID: D170153720-LROR
    WHOIS Server:
    Referral URL: http://www.PublicDomainRegistry.com
    Updated Date: 2015-12-18T15:17:29Z
    Creation Date: 2013-11-12T05:56:32Z
    Registry Expiry Date: 2016-11-12T05:56:32Z
    Sponsoring Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
    Sponsoring Registrar IANA ID: 303
    Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
    Registrant ID: PP-SP-001
    Registrant Name: Domain Admin
    Registrant Organization: Privacy Protection Service INC d/b/a PrivacyProtect.org
    Registrant Street: C/O ID#10760, PO Box 16
    Registrant Street: Note - Visit PrivacyProtect.org
    Registrant Street: to contact the domain owner/operator
    Registrant City: Nobby Beach
    Registrant State/Province: Queensland
    Registrant Postal Code: QLD 4218
    Registrant Country: AU
    Registrant Phone: +45.36946676
    Registrant Phone Ext:
    Registrant Fax:
    Registrant Fax Ext:
    Registrant Email: [email protected]
    Admin ID: PP-SP-001
    Admin Name: Domain Admin
    Admin Organization: Privacy Protection Service INC d/b/a PrivacyProtect.org
    Admin Street: C/O ID#10760, PO Box 16
    Admin Street: Note - Visit PrivacyProtect.org
    Admin Street: to contact the domain owner/operator
    Admin City: Nobby Beach
    Admin State/Province: Queensland
    Admin Postal Code: QLD 4218
    Admin Country: AU
    Admin Phone: +45.36946676
    Admin Phone Ext:
    Admin Fax:
    Admin Fax Ext:
    Admin Email: [email protected]
    Tech ID: PP-SP-001
    Tech Name: Domain Admin
    Tech Organization: Privacy Protection Service INC d/b/a PrivacyProtect.org
    Tech Street: C/O ID#10760, PO Box 16
    Tech Street: Note - Visit PrivacyProtect.org
    Tech Street: to contact the domain owner/operator
    Tech City: Nobby Beach
    Tech State/Province: Queensland
    Tech Postal Code: QLD 4218
    Tech Country: AU
    Tech Phone: +45.36946676
    Tech Phone Ext:
    Tech Fax:
    Tech Fax Ext:
    Tech Email: [email protected]
    Name Server: ANNA.NS.CLOUDFLARE.COM
    Name Server: JACK.NS.CLOUDFLARE.COM
    DNSSEC: unsigned
    >>> Last update of WHOIS database: 2016-01-23T10:32:04Z <<<
    
    "For more information on Whois status codes, please visit https://icann.org/epp"
    
    Access to Public Interest Registry WHOIS information is provided to assist persons in determining the contents of a domain name registration record in the Public Interest Registry registry database. The data in this record is provided by Public Interest Registry for informational purposes only, and Public Interest Registry does not guarantee its accuracy. This service is intended only for query-based access. You agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to(a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or (b) enable high volume, automated, electronic processes that send queries or data to the systems of Registry Operator, a Registrar, or Afilias except as reasonably necessary to register domain names or modify existing registrations. All rights reserved. Public Interest Registry reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy.
    
    
     
    TeamScriptKiddies likes this.