1. osirisjem

    osirisjem Wii U: Y U No Sell ?
    Member

    Joined:
    Jun 19, 2011
    Messages:
    1,105
    Country:
    Canada
  2. FAST6191

    FAST6191 Techromancer
    Reporter

    Joined:
    Nov 21, 2005
    Messages:
    32,338
    Country:
    United Kingdom
    RSS is slower than instant. This is more likely some kind of fetch and rewrite or caching service/reverse proxy twisted in with something that can alter it (rewrite if you want to use a more common term).

    Way back when one might have used something like
    http://curl.haxx.se/

    Today the caching stuff is probably the better method. The two Fredrica Bernkastel mentioned are the bigger names in it
    http://www.squid-cache.org/
    https://www.varnish-cache.org/about

    I have been trying to think of a test I could do as I can write HTML here to have some fun ( http://www.cracked.com/blog/this-is-why-you-dont-steal-from-cracked/ ) or possibly leak some info but I am far too lazy/ignorant and actually it is probably going to be reasonably hard (most people that cache own the site being cached so security is not the highest but at the same time it is still a concern).
     
  3. Deleted User

    Deleted User Newbie

  4. notimp

    notimp Well-Known Member
    Member

    Joined:
    Sep 18, 2007
    Messages:
    5,370
    Country:
    Laos
    Which also is highly ranked on google on some common search terms?

    Ehm?

    Only realized it when I went to log in to this site - and my login didn't work.

    Guess it's time to change my password...

    Does anyone have any idea what gave us the honors of existing twice on the web as of now? Also - admins didn't notice that the entire database gets scraped, almost in realtime?

    Of course this is the wrong forum for it, but any reactions would be nice.

    Whois is privacy protected:
    https://www.whois.com/whois/kem-inc.org
     
    Last edited by notimp, Apr 22, 2018
  5. notimp

    notimp Well-Known Member
    Member

    Joined:
    Sep 18, 2007
    Messages:
    5,370
    Country:
    Laos
    Thank you for moving it to the "correct forum". Where almost no one will see it. ;)

    A comment on if this is indeed a phishing site from the perspective of this sites admins would be welcome.

    (When this thread was moved this was mirrored on kem-inc.com/forum almost immediately. Direct database access?)
    -

    According to web-archive.org the domain went live in June of 2017, then delivered 403s up until the 23rd of March last month, which was the last time web-archive.org scraped them. Between then and now the site started to host gbatemp content (seemingly in realtime) - and also got into the google cache.

    Here are the three available (older) snapshots:

    https://web.archive.org/web/20170626081117/http://kem-inc.com/
    https://web.archive.org/web/20170928185940/http://kem-inc.com/
    https://web.archive.org/web/20180323173616/http://kem-inc.com/

    For google cache entries of this happening, just search for site:kem-inc.com on google - in case the sites behavior suddenly changes.
     
    Last edited by notimp, Apr 22, 2018
    KiiWii likes this.
  6. Tom Bombadildo

    Tom Bombadildo Dick, With Balls
    Reviewer

    Joined:
    Jul 11, 2009
    Messages:
    13,733
    Country:
    United States
    First of all, this section is reviewed by nearly all the staff when they're active, so people will "see it".

    Secondly, it's more than likely this is just a proxy page for use in places GBATemp might be blocked (i.e. schools). These pages have come up occasionally, and usually don't last more than a few months at best. Whether it's a phishing site or not I couldn't say, but I doubt it is since most people with an account already here are generally aware of the correct URL when visiting, or searching, GBATemp.
     
  7. notimp

    notimp Well-Known Member
    Member

    Joined:
    Sep 18, 2007
    Messages:
    5,370
    Country:
    Laos
    Not sufficient. School proxies don't tend to copy entire databases.

    Also proxies don't tend to mimic sites entirely - because that behavior represents more than a proxy.

    A comment from anyone more involved would still be appreciated. This is a breach of trust, not a "service given for 12 year olds".

    This could be anything from an attempt to cover up a data breach, to a very, very, very unfortunate mishap in configuring a non public backup domain. (Under the name kem-inc.com ? )

    "Those sites usually don't last long." is an interesting comment as well - as in general you have no control over the behavior of whoever is hosting the phishing site. As long as google/the registrar doesn't block them, because they are being reported, NOTHING happens to clone/mirror sites in general.

    So if anyone is willing to come up with a response that actually passes the "I'm older than 5 years old, and have an idea how the internet works" test - please voice your thoughts.

    In the meantime, where do I get full database access to gbatemp to host my own mirror of this site under a different domain? For school proxy purposes - of course...

    edit:

    Here are some sourcecode snippets to show that .js gets loaded directly from their domain:
    https://imgur.com/a/dbheXyz

    This is not a proxy.
     
    Last edited by notimp, Apr 22, 2018
  8. Costello

    Costello Headmaster
    Administrator

    Joined:
    Oct 24, 2002
    Messages:
    13,724
    You are making no sense and obviously don't know what a proxy is.

    1) What would be the point in doing phishing if, according to you, they had a copy of the entire database and source code? They would already have everyone’s password hashes and the means to log in.

    2) What’s the first thing a hacker does when they hack a site? Re-host the site under a different domain? How does that make any sense? Why not post all the juicy admin threads or PMs somewhere to show off?

    3) You are talking about copies of the database yet you say this is a near real time mirror. So what’s your theory? They are copying our database every couple of minutes?

    This looks like a simple proxy/mirror with cache (which is why you don't get instant updates) likely set up by someone whose motives are:
    - bypassing a firewall or other blocking devices
    - someone who needs HTTP access (we enforced HTTPS recently)
    - or someone who actually is doing phishing.
    - or someone trying to build up a well-ranked site on search engines to set up high value keywords

    Now if you have any additional information please share it with me privately but don't try spreading some kind of panic based on nonsensical conclusions.
    Try sites like kproxy.com and others, you’ll see they work just the same.

    And should there be any breach we would of course provide detailed information as we did 7-8 years ago when we got hacked. Full transparency, period.
     
    Last edited by Costello, Apr 22, 2018
  9. xkrazykidx

    xkrazykidx Member
    Newcomer

    Joined:
    Oct 21, 2009
    Messages:
    27
    Country:
    United States
    I did a couple of searches and did not see this posted anywhere, and I apologize if it has been discussed prior, but I was doing a google search for something switch related (fusee-launcher.py error) and noticed a couple of GBATemp links with the incorrect url. Just wanted to warn others who may not even take that extra second to look at the url and may only read the thread titles.
     

    AlanJohn and Seriel like this.
  10. Seriel

    Seriel Doing her best
    Member

    Joined:
    Aug 18, 2015
    Messages:
    3,167
    Country:
    United Kingdom
    Yeah there are a few of these mirror sites around, they're probably just a simple reverse proxy setup to monitor communication and potentially steal passwords if you login.
    I wonder if it's possible for GBAtemp's code to check that it's on the right domain before displaying any pages.
    In any case, it goes without saying but double-check the address bar says https://gbatemp.net/ before logging in here.
     
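Seriel asks above whether the site's own code could check that it is on the right domain before displaying anything, and notimp's screenshots earlier in the thread show the mirror loading .js straight from its own domain. The block below is an added example written for this thread, not GBAtemp's code and not anything from the mirror operators: a client-side canonical-origin check plus a scan for script sources that point outside the real site. It assumes that gbatemp.net and www.gbatemp.net are the only legitimate hostnames, and that the site is served over HTTPS; the sample documents and the mirror.example hostname in the test are constructed.

```javascript
// Added example (not GBAtemp's own code): refuse to render as a mirror.
// Assumption: the only legitimate hostnames are gbatemp.net and www.gbatemp.net.
const CANONICAL_HOSTS = new Set(['gbatemp.net', 'www.gbatemp.net']);
const CANONICAL_ORIGIN = 'https://gbatemp.net';

// loc is a Location-like object: {hostname, protocol, pathname, search}.
// Returns {ok: true} on the real site; otherwise the reason and the URL the
// visitor should be sent to. The comparison is on the whole hostname (after
// lower-casing and dropping a trailing dot), so "gbatemp.net.example" or
// "kem-inc.com" can never match.
function checkOrigin(loc) {
  const host = String(loc.hostname || '').toLowerCase().replace(/\.$/, '');
  const target = CANONICAL_ORIGIN + (loc.pathname || '/') + (loc.search || '');
  if (!CANONICAL_HOSTS.has(host)) {
    return { ok: false, reason: 'foreign-host', redirect: target };
  }
  if (loc.protocol !== 'https:') {
    // Costello notes the site enforces HTTPS; a plain-http copy is not ours.
    return { ok: false, reason: 'plaintext-http', redirect: target };
  }
  return { ok: true };
}

// Hostnames of <script src> tags that resolve outside the real site. A mirror
// that rewrites asset URLs to its own domain shows up here. base is the page
// URL used to resolve relative src attributes; doc is Document-like.
function foreignScriptHosts(doc, base) {
  const hosts = new Set();
  for (const s of doc.querySelectorAll('script[src]')) {
    let u;
    try { u = new URL(s.getAttribute('src'), base); } catch (e) { continue; }
    const h = u.hostname.toLowerCase();
    if (!CANONICAL_HOSTS.has(h)) hosts.add(h);
  }
  return [...hosts].sort();
}

// Disable every password field so a visitor on a mirror cannot submit
// credentials even if the redirect below is blocked. Returns the count.
function disablePasswordFields(doc) {
  let n = 0;
  for (const f of doc.querySelectorAll('input[type="password"]')) {
    f.disabled = true;
    n++;
  }
  return n;
}

// Browser entry point; guarded so the module also loads outside a browser.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const result = checkOrigin(window.location);
  if (!result.ok) {
    disablePasswordFields(document);
    window.location.replace(result.redirect);
  }
}
```

This only defeats a mirror that relays the page untouched: a proxy that rewrites the HTML (as FAST6191's diff later in the thread shows some do) can strip the script along with everything else, so the check is a tripwire for lazy copies, not a replacement for the server-side Host-header check, HSTS and cookie scoping that actually keep the real site from answering under a foreign name.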
  11. Uiaad

    Uiaad GBAtemp's resident guinea pig
    Member

    Joined:
    Dec 23, 2008
    Messages:
    517
    Country:
    United Kingdom
    I discussed this with @Costello about a week ago and also did some investigating afterwards. This is not the only one out there doing this and is nothing to worry about. That particular one I can guarantee is not collecting any data and is just a domain pointing at the GBATemp servers.
     
    Seriel likes this.
  12. Seriel

    Seriel Doing her best
    Member

    Joined:
    Aug 18, 2015
    Messages:
    3,167
    Country:
    United Kingdom
    While they could just be a CNAME routing to the gbatemp.net domain (which is fine), what's to say some of them aren't an actual proxy which monitors all communication?
     
  13. Uiaad

    Uiaad GBAtemp's resident guinea pig
    Member

    Joined:
    Dec 23, 2008
    Messages:
    517
    Country:
    United Kingdom
    There is always that possibility that could happen, but to be effective they would also need to get a pretty high ranking on search engines. When I found that particular domain I was on page 3 or 4 googling my username, which is not common.
     
    Seriel likes this.
  14. hippy dave

    hippy dave BBMB
    Member

    Joined:
    Apr 30, 2012
    Messages:
    6,173
    Country:
    United Kingdom
    taraftartekstil dot com, what's that all about? BTW I wouldn't put your login details in there unless staff confirms it's a legit mirror or something.
     
  15. Dionicio3

    Dionicio3 The Skiddo
    Member

    Joined:
    Feb 26, 2017
    Messages:
    3,777
    Country:
    United States
    It isn't, just ignore these mirrors, a ton of them appear
     
    Subtle Demise likes this.
  16. hippy dave

    hippy dave BBMB
    Member

    Joined:
    Apr 30, 2012
    Messages:
    6,173
    Country:
    United Kingdom
    Ok weird, thanks for the info.
     
  17. HamBone41801

    HamBone41801 Vipera’s Alt
    Member

    Joined:
    Jan 16, 2017
    Messages:
    1,083
    Country:
    United States
    There is another one that pops up for me. Starts with a c or a k. Can't remember.
     
  18. FAST6191

    FAST6191 Techromancer
    Reporter

    Joined:
    Nov 21, 2005
    Messages:
    32,338
    Country:
    United Kingdom
    As mentioned, various people mirror the site at times; here is one from 2015
    https://gbatemp.net/threads/what-is-this-http-gbatemp-gukovo-org.397344/

    For giggles I grabbed both and did a diff. Rewrote the relevant URLs, removed the https from various links (including from things like facebook) and then added a yadro.ru script to the bottom of the page (technically I think it is an advertising service, however it is dodgy even by Russian standards).
    Reasons for it all vary, but yeah, sound policy is to never put your details into something like that. As usual it is stuck behind a Cloudflare privacy shield thing.
     
    Subtle Demise likes this.
  19. Costello

    Costello Headmaster
    Administrator

    Joined:
    Oct 24, 2002
    Messages:
    13,724
    zxr750j, Subtle Demise and hippy dave like this.
  20. Costello

    Costello Headmaster
    Administrator

    Joined:
    Oct 24, 2002
    Messages:
    13,724
    EDIT: all similar threads have been merged into one

    I have inspected the logs and determined that these are simple proxies. I will be banning the IPs of these proxies from now on.
    I've searched this forum to look for all reports of illegal proxies and banned all the proxies I could find.

    Please report here if you see any new illegal proxy.
     
    Last edited by Costello, Jun 7, 2018
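Two questions in this thread can be answered from the origin's own access log: Seriel's, whether a given mirror is a plain CNAME alias pointing at the real servers or a box that relays (and can read) every request, and Costello's, which client IPs are proxies that should be banned. The block below is an added example for this thread, not GBAtemp's tooling and not a description of what Costello actually ran. It assumes a log format that is the usual combined format with the Host header quoted after the byte count, and relies on two labelled heuristics: an alias hits the origin directly, so the origin sees the foreign name in Host from many ordinary client IPs, while a relaying proxy fetches the canonical name itself, so one IP carries many different User-Agents and often forwards Referer values from the mirror domain. The sample log lines are constructed (RFC 5737 test addresses); kem-inc.com appears because it is the domain discussed above.

```javascript
// Added example (not GBAtemp's tooling): classify client IPs in origin
// access-log lines as normal, DNS alias users, or a rewriting/relaying proxy.
// Assumed (constructed) log format: combined format plus the Host header,
//   ip - - [time] "METHOD path HTTP/x" status bytes "host" "referer" "user-agent"
const CANONICAL_HOSTS = new Set(['gbatemp.net', 'www.gbatemp.net']);
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)" "([^"]*)"$/;

// Parse one line into fields, or return null for lines that do not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], request: m[3], status: Number(m[4]),
           host: m[6].toLowerCase(), referer: m[7], ua: m[8] };
}

// Hostname of a Referer value, or null for "-" and unparsable values.
function hostOf(url) {
  if (!url || url === '-') return null;
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return null; }
}

// Per-IP report. minAgents is the number of distinct User-Agents from one IP
// above which we assume several browsers are being funnelled through it.
function analyze(lines, minAgents = 3) {
  const perIp = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    let s = perIp.get(rec.ip);
    if (!s) {
      s = { requests: 0, agents: new Set(), foreignReferers: new Set(), foreignHosts: new Set() };
      perIp.set(rec.ip, s);
    }
    s.requests++;
    s.agents.add(rec.ua);
    const ref = hostOf(rec.referer);
    if (ref && !CANONICAL_HOSTS.has(ref)) s.foreignReferers.add(ref);
    if (!CANONICAL_HOSTS.has(rec.host)) s.foreignHosts.add(rec.host);
  }
  const report = {};
  for (const [ip, s] of perIp) {
    let verdict = 'normal';
    if (s.foreignHosts.size > 0 && s.agents.size < minAgents) {
      // Browser reached us directly under an alias name: DNS points here.
      verdict = 'dns-alias';
    } else if (s.agents.size >= minAgents || s.foreignReferers.size > 0) {
      // One IP, many browsers, or Referers from the mirror: a relaying proxy.
      verdict = 'rewriting-proxy';
    }
    report[ip] = { requests: s.requests, distinctAgents: s.agents.size,
                   foreignReferers: [...s.foreignReferers].sort(),
                   foreignHosts: [...s.foreignHosts].sort(), verdict };
  }
  return report;
}

// IPs a firewall rule would block, in the spirit of the post above.
function proxyIps(report) {
  return Object.keys(report).filter((ip) => report[ip].verdict === 'rewriting-proxy').sort();
}

// Constructed sample log: 203.0.113.5 relays four different browsers,
// 198.51.100.7 is an ordinary user who typed the alias name, 192.0.2.9 is normal.
const SAMPLE_LOG = [
  '203.0.113.5 - - [22/Apr/2018:10:01:02 +0000] "GET /threads/a.1/ HTTP/1.1" 200 8120 "gbatemp.net" "http://kem-inc.com/forum/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/59.0"',
  '203.0.113.5 - - [22/Apr/2018:10:01:03 +0000] "GET /threads/b.2/ HTTP/1.1" 200 7300 "gbatemp.net" "http://kem-inc.com/forum/threads/a.1/" "Mozilla/5.0 (X11; Linux x86_64) Chrome/65.0"',
  '203.0.113.5 - - [22/Apr/2018:10:01:09 +0000] "GET /login/ HTTP/1.1" 200 2210 "gbatemp.net" "http://kem-inc.com/forum/" "Mozilla/5.0 (iPhone; CPU iPhone OS 11_3) Safari/604.1"',
  '203.0.113.5 - - [22/Apr/2018:10:01:15 +0000] "GET /forums/ HTTP/1.1" 200 9001 "gbatemp.net" "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13) Safari/605.1"',
  '198.51.100.7 - - [22/Apr/2018:10:02:00 +0000] "GET / HTTP/1.1" 200 9001 "kem-inc.com" "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/59.0"',
  '198.51.100.7 - - [22/Apr/2018:10:02:04 +0000] "GET /forums/ HTTP/1.1" 200 9001 "kem-inc.com" "http://kem-inc.com/" "Mozilla/5.0 (Windows NT 6.1) Firefox/59.0"',
  '192.0.2.9 - - [22/Apr/2018:10:03:00 +0000] "GET /threads/a.1/ HTTP/1.1" 200 8120 "gbatemp.net" "https://gbatemp.net/forums/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/65.0"',
];

if (typeof require !== 'undefined' && require.main === module) {
  const report = analyze(SAMPLE_LOG);
  console.log(JSON.stringify(report, null, 2));
  console.log('block:', proxyIps(report).join(', '));
}
```

The User-Agent signal is deliberately conservative: a school or office NAT also puts many browsers behind one address, so a distinct-agent count alone should trigger a look at the Referer and Host columns rather than an automatic ban, and a proxy that strips or spoofs Referer will only show up through the agent count and its request rate.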