Question What is this? http://gbatemp.gukovo.org/

I tested a new post here .... and how long it takes to show up on that site.

https://gbatemp.net/threads/testing-guk-ovo.412705/

Instantaneous !

I think it works via RSS feeds ?

 

RSS is slower than instant. This is more likely some kind of fetch and rewrite or caching service/reverse proxy twisted in with something that can alter it (rewrite if you want to use a more common term).

Way back when one might have used something like
http://curl.haxx.se/

Today the caching stuff is probably the better method. The two Fredrica Bernkastel mentioned are the bigger names in it
http://www.squid-cache.org/
https://www.varnish-cache.org/about

I have been trying to think of a test I could do as I can write HTML here to have some fun ( http://www.cracked.com/blog/this-is-why-you-dont-steal-from-cracked/ ) or possibly leak some info but I am far too lazy/ignorant and actually it is probably going to be reasonably hard (most people that cache own the site being cached so security is not the highest but at the same time it is still a concern).

 

Seems gone again, i hope this time for good. Either they or google decided to remove every url indexed something i'm super glad to see:
https://www.google.com/#q=site:gukovo.org

 

Which also is highly ranked on google on some common search terms?

Ehm?

Only realized it, when I went to login to this site - and my login didn't work.

Guess its time to change my password...

Does anyone have any idea what gave us the honors of existing twice on the web as of now? Also - admins didn't notice that the entire database gets scraped, almost in realtime?

Of course this is the wrong forum for it, but any reactions would be nice.

Whois is privacy protected:
https://www.whois.com/whois/kem-inc.org

 

Thank you for moving it to the "correct forum". Where almost no one will see it.

A comment on if this is indeed a phishing site from the perspective of this sites admins would be welcome.

(When this thread was moved this was mirrored on kem-inc.com/forum almost immediately. Direct database access?)
-

According to web-archive.org the domain went live in June of 2017, then delivered 403s up until the 23th of march last month, which was the last time web-archive.org scraped them. Between then and now the site started to host gbatemp content (seemingly in realtime) - and also got into the google cache.

Here are the three available (older) snapshots:

https://web.archive.org/web/20170626081117/http://kem-inc.com/
https://web.archive.org/web/20170928185940/http://kem-inc.com/
https://web.archive.org/web/20180323173616/http://kem-inc.com/

For google cache entries of this happening, just search for site:kem-inc.com on google - in case the sites behavior suddenly changes.

 

First of all, this section is reviewed by nearly all the staff when they're active, so people will "see it".

Secondly, it's more than likely this is just a proxy page for use in places GBATemp might be blocked (ie. schools). These pages have come up occasionally, and usually don't last more than a few months at best. Whether it's a phishing site or not I couldn't say, but I doubt it is since most people with an account already here are generally aware of the correct URL when visiting, or searching, GBATemp.

 

Not sufficient. School proxies dont tend to copy entire databases.

Also proxies dont tend to mimic sites entirely - because that behavior represents more than a proxy.

A comment from anyone more involved would still be appreciated. This is a breach of trust, not a "service given for 12 year olds".

This could be anything from an attempt to cover up a data breach, to a very, very, very unfortunate mishap in configuring a non public backup domain. (Under the name kem-inc.com ? )

"Those sites usually don't last long." is an interesting comment as well - as in general you have no control over the behavior of whoever is hosting the phishing site. As long as google/the registrar doesn't block them, because they are being reported, NOTHING happens to clone/mirror sites in general.

So if anyone is willing to come up with a response that actually passes the "I'm older than 5 years old, and have an Idea how the internet works" test - please voice your thoughts.

In the meantime, where do I get full database access to gbatemp to host my own mirror of this site under a different domain? For school proxy purposes - of course...

edit:

Here are some sourcecode snippets to show that .js gets loaded directly from their domain:
https://imgur.com/a/dbheXyz

This is not a proxy.

 

I did a couple searches and did not see this posted anywhere and I apologize if it has been discussed prior but was doing a google search for something switch related (fusee-launcher.py error) and noticed a couple GBATemp links with the incorrect url. Just wanted to warn others who may not even take that extra second to look at the url and may only read the thread titles.

 

Yeah there are a few of these mirror sites around, they're probably just a simple reverse proxy setup to monitor communication and potentially steal passwords if you login.
I wonder if it's possible for GBAtemp's code to check that it's on the right domain before displaying any pages.
In any case, it goes without saying but double-check the address bar says https://gbatemp.net/ before logging in here.

 

I discussed this with @Costello about a week and also did some investigating afterwards. This is not the only one out there doing this and is nothing to worry about. That one particular i can guarantee is not collecting any data and is just a domain pointing at the GBATemp servers

 

While they could just be a CNAME routing to gbatemp.net domain (Which is fine), whats to say some of them aren't an actual proxy which monitors all communication?

 

There is always that possibility that could happen but to be effective they would also need to get a pretty high ranking on search engines. When i found that particular domain i was on page 3 or 4 googling my username which is not common

 

taraftartekstil dot com, what's that all about? BTW I wouldn't put your login details in there unless staff confirms it's a legit mirror or something.

 

It isn't, just ignore these mirrors, a ton of them appear

 

Ok weird, thanks for the info.

 

there is another one that pops up for me. starts with a c or a k. cant remember.

 

As mentioned various people mirror the site at times, here is one from 2015
https://gbatemp.net/threads/what-is-this-http-gbatemp-gukovo-org.397344/

For giggles I grabbed both and did a diff. Rewrote the relevant URLs, removed the https from various links (including from things like facebook) and then added a yadro.ru script to the bottom of the page (technically I think it is an advertising service, however it is dodgy even by Russian standards).
Reasons for it all vary but yeah sound policy is never put your details into something like that. As usual it is stuck behind a cloudflare privacy shield thing.