Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.

You are currently viewing our boards as a guest which gives you limited access to view most discussions and access our other features. By joining our free community you will have access to post topics, communicate privately with other members (PM), respond to polls, upload content and access many other special features. Registration is fast, simple and absolutely free so please, join our community today!

If you have any problems with the registration process or your account login, please contact us.

Post New Thread Reply

Register GFY Rules Calendar Mark Forums Read
Go Back   GoFuckYourself.com - Adult Webmaster Forum > >
Discuss what's fucking going on, and which programs are best and worst. One-time "program" announcements from "established" webmasters are allowed.

 
Thread Tools
Old 09-12-2017, 08:50 AM   #1
k0nr4d
Confirmed User
 
k0nr4d's Avatar
 
Industry Role:
Join Date: Aug 2006
Location: Poland
Posts: 9,157
Website cloning via proxy

The topic of website cloning has been coming up lately. I've figured out how people are doing it. This is in regards to the complete clone domains, not sites that have your site mirrored in a directory somewhere. There might be more ways to do this, this is what i've encountered though.

There are two variants, first via cloudflare:
1) Your website is added by someone to cloudflare, presumably as a cname - or possibly cnaming a domain that's not on cloudflare that has your domain as a cname.
2) They add the "Add Content" or Add HTML" App within cloudflare, which allows them to append content to your html on all pages.
3) There is another app somewhere in cloudflare that lets you replace words. So in this case, they were replacing clientsdomain.com with clonedomain.com. This really did my head in - $_SERVER['HTTP_HOST'] was returning clonedomain.com. In reality, the script was returning clientsdomain.com and replacing the word "clientsdomain.com" with "clonedomain.com". Literally, you could "clientsdomain.com into a text file, request it via the other domain and it outputted as "clonedomain.com"
4) The replacing of the domain I cannot figure out yet. I don't know how this is done, I can't find any cloudflare app that lets me do this but I suspect it's maybe done using JS somehow in that Add HTML App.

the second method is via nginx/varnish and THEN cloudflare in which case they do the find/replace and content adding via their server and then pass it along to cloudflare. In this case it may be possible to honeypot the proxy server by placing a new file, hitting it via the proxy domain and seeing what ip comes up in your server logs.

The only way I can think of bypassing this, is by doing javascript like this:

Code:
<script>
if(window.location.href.indexOf("yourd"+"omain.com") < 0) {
       window.location("http://yourd"+"omain.com"); 
}
</script>
or by completely shit-listing the cloudflare IPs on your server (in which case you won't be able to use cloudflare yourself):
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
104.16.0.0/12
108.162.192.0/18
131.0.72.0/22
141.101.64.0/18
162.158.0.0/15
172.64.0.0/13
173.245.48.0/20
188.114.96.0/20
190.93.240.0/20
197.234.240.0/22
198.41.128.0/17

Hope this helps someone
k0nr4d is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-12-2017, 09:33 AM   #2
Adraco
Confirmed User
 
Adraco's Avatar
 
Industry Role:
Join Date: May 2009
Location: Onboard an airplane around the globe
Posts: 3,707
Very nice explanation and most impressed by your level of knowledge to be able to figure this way out! Thanks for posting this Konrad!
__________________
----------------------------------------------------------------------------------
The truth is not affected by the beliefs, or doubts, of the majority.
Adraco is online now   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-12-2017, 10:12 AM   #3
sarettah
l8r
 
Industry Role:
Join Date: Oct 2002
Posts: 13,440
Good post K0nr4d, excellent break down of what it is.

Thanks

.
sarettah is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-12-2017, 10:18 AM   #4
bns666
Confirmed Fetishist
 
bns666's Avatar
 
Industry Role:
Join Date: Mar 2005
Location: Fetishland
Posts: 11,471
cool, thanx
__________________
CAM SODASTRIPCHAT
CHATURBATESKYPE SEX CAMS
bns666 is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-12-2017, 10:23 AM   #5
Barry-xlovecam
It's 42
 
Industry Role:
Join Date: Jun 2010
Location: Global
Posts: 18,083
Thats what I was thinking their method was 'like'
Blocking Cloudflare IPs on servers EXCEPT where specifically needed is a good idea.

SAMEORIGIN would not help in this scenario.

Cloudflare needs to police their clients better -- copyright infringement and fraud most likely are Cloudflare TOS violations.

Thanks for looking into this Konrad.

BTW a 302 -301 domain redirection will work -- maybe even a page redirection -- this is working for lifeselector -- planed or not.
Barry-xlovecam is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-12-2017, 10:27 AM   #6
k0nr4d
Confirmed User
 
k0nr4d's Avatar
 
Industry Role:
Join Date: Aug 2006
Location: Poland
Posts: 9,157
Quote:
Originally Posted by Barry-xlovecam View Post
Thats what I was thinking their method was 'like'
Blocking Cloudflare IPs on servers EXCEPT where specifically needed is a good idea.

SAMEORIGIN would not help in this scenario.

Cloudflare needs to police their clients better -- copyright infringement and fraud most likely are Cloudflare TOS violations.

Thanks for looking into this Konrad.

BTW a 302 -301 domain redirection will work -- maybe even a page redirection -- this is working for lifeselector -- planed or not.
Redirect won't work because from the proxies end the domain is correct. They are requesting domain1.com and reserving it as domain2.com. Only a redirect via JS like I wrote works, and you have to split the string into two so it doesn't get text-replaced.
k0nr4d is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-12-2017, 10:35 AM   #7
sarettah
l8r
 
Industry Role:
Join Date: Oct 2002
Posts: 13,440
Quote:
Originally Posted by k0nr4d View Post
Redirect won't work because from the proxies end the domain is correct. They are requesting domain1.com and reserving it as domain2.com. Only a redirect via JS like I wrote works, and you have to split the string into two so it doesn't get text-replaced.
You could probably make the domain base64 encoded instead of just splitting it, or base64 it and split it into multiple parts maybe. The more obfuscation the better.

.
sarettah is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-12-2017, 10:36 AM   #8
sarettah
l8r
 
Industry Role:
Join Date: Oct 2002
Posts: 13,440
Quote:
Originally Posted by Barry-xlovecam View Post
Cloudflare needs to police their clients better -- copyright infringement and fraud most likely are Cloudflare TOS violations.
Yeah, I would think that cloudflare would probably block something like this if they knew about it.

.
sarettah is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-12-2017, 10:38 AM   #9
Barry-xlovecam
It's 42
 
Industry Role:
Join Date: Jun 2010
Location: Global
Posts: 18,083
Do that lifeselector link on that page and look at the headers. Fluke maybe but it goes to a password protected page

The clone renders a blank page for affiliates.lifeselector and the password page is on another subdomain name 'assist'. The wrong CNAME maybe?

The problem is scumbags using Cloudlare for bad purposes. If Cloudflare does not clean up their act the USDOJ will eventually. I am not asserting any complicity on Cloudflare's part but if they abandoned their free service and made it a 30 trial with a low cost for small users -- then the scumbags would not use it because payment data is traceable and can be subpoenaed.
Barry-xlovecam is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-12-2017, 10:39 AM   #10
k0nr4d
Confirmed User
 
k0nr4d's Avatar
 
Industry Role:
Join Date: Aug 2006
Location: Poland
Posts: 9,157
Quote:
Originally Posted by sarettah View Post
You could probably make the domain base64 encoded instead of just splitting it, or base64 it and split it into multiple parts maybe. The more obfuscation the better.

.
Yeah you could go much further with this, and run the whole js through one of those obfuscators to hide it as well, or even randomize it so it's
d+omain
do+main
dom+ain
dom+a+in
and so forth to prevent someone doing find/replace on the JS itself too.
k0nr4d is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-12-2017, 11:00 AM   #11
Barry-xlovecam
It's 42
 
Industry Role:
Join Date: Jun 2010
Location: Global
Posts: 18,083
In this case the framing is not malicious notwithstanding the SEO imprecations.
so use an obfuscated canonical tag rel=canonical to identify were the REAL site/domain is

Every site stealing SERPs I checked for xlovecam was using Cloudflare to obscure their host server. Every 'claimed' free password site or free tokens or credits site/domain was trying to hide behind Cloudflare. If it was to big of a problem, and worth the expense, we could sue the domain owners and subpoena Cloudflare.

I have absolutely no problem with servers using Cloudflare for its intended purpose -- mitigating ddos attacks and security filtering.
Barry-xlovecam is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-12-2017, 11:04 AM   #12
mikeworks
Confirmed User
 
Join Date: Apr 2010
Posts: 272
Thanks Konrad for sharing your information.

It's probably one of the biggest problems at the moment. I disavow them, but they must obviously still benefit from google and/or harm original site.
mikeworks is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-12-2017, 11:07 AM   #13
k0nr4d
Confirmed User
 
k0nr4d's Avatar
 
Industry Role:
Join Date: Aug 2006
Location: Poland
Posts: 9,157
Quote:
Originally Posted by Barry-xlovecam View Post
In this case the framing is not malicious notwithstanding the SEO imprecations.
so use an obfuscated canonical tag rel=canonical to identify were the REAL site/domain is

Every site stealing SERPs I checked for xlovecam was using Cloudflare to obscure their host server. Every 'claimed' free password site or free tokens or credits site/domain was trying to hide behind Cloudflare. If it was to big of a problem, and worth the expense, we could sue the domain owners and subpoena Cloudflare.

I have absolutely no problem with servers using Cloudflare for its intended purpose -- mitigating ddos attacks and security filtering.
How exactly does an obfuscated canonicle tag look like? I've never seen or heard of that
k0nr4d is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-12-2017, 11:44 AM   #14
Barry-xlovecam
It's 42
 
Industry Role:
Join Date: Jun 2010
Location: Global
Posts: 18,083
Pretty much everyone agrees now that search engines CAN read JavaScript.

Code:
<script language="javascript">
<!--
// == Begin Free HTML Source Code Obfuscation Protection from http://snapbuilder.com == //
document.write(unescape('%3C%6C%69%6E%6B%20%72%65%6C%3D%22%63%61%6E%6F%6E%69%63%61%6C%22%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%65%78%61%6D%70%6C%65%2E%63%6F%6D%2F%77%6F%72%64%70%72%65%73%73%2F%73%65%6F%2D%70%6C%75%67%69%6E%2F%22%3E'));
//-->
</script>
Assuming you are right that text substitution is being used -- how are you going to read and substitute this? If you are a secret-agent you could grep and decode somehow i suppose -- what does this say -- just run the code in phantomjs. That is the way i might scrape the page. if you broke the JS code with + maybe it might fool the substitution but if you really want to get down to it

echo or cat (<input>)|sed 's/\n//g' then ....

Code:
echo '<script>if(window.location.href.indexOf("yourd"+"omain.com") < 0) {       window.location("http://yourd"+"omain.com"); }</script>'
|egrep  -o ".{0,20}\(window\.location\.href.{0,20}"
|sed 's/window/you are fucked now/g'
<script>if(you are fucked now.location.href.indexOf("yourd"+"om
fuckup the frame breaker JS

Sure as fuck won't hurt to try rel=canonical .
Barry-xlovecam is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-12-2017, 04:07 PM   #15
Bladewire
StraightBro
 
Bladewire's Avatar
 
Industry Role:
Join Date: Aug 2003
Location: Monarch Beach, CA USA
Posts: 56,232
Excellent info thanks!
Bladewire is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-12-2017, 04:35 PM   #16
Smut-Talk
I talk smut
 
Industry Role:
Join Date: Jul 2016
Location: Somewhere on the webz
Posts: 176
Nice info for sure...


On the defensive of your site:

You can do a lot with htaccess.
FI: I use htaccess to stop hotlinking, put a redirect to a goatsie in it...

Barry, as promised on icq:

to "help" with scriptkiddies with scanning, i came across this:

!you can ZIP bomb a vuln scanner!

ZIP compression is really good with repetitive data so if you have a really huge text file which consists of repetitive data like all zeroes, it will compress it really good.
It can compress a 4.5 peta byte (4.500.000 giga bytes) file down to 42 kilo bytes.

When a browser/scanner extracts or decompresses the content it will most likely run out of disk space or RAM.

So firstly create a 10 giga byte GZIP file, or bigger, filled with zeroes.
And secondly a PHP script that will deliver it to a client.

Code:
<?php
$agent = filter_input(INPUT_SERVER, 'HTTP_USER_AGENT');

//check for nikto, sql map or "bad" subfolders which only exist on wordpress
if (strpos($agent, 'nikto') !== false || strpos($agent, 'sqlmap') !== false || startswith($url,'wp-') || startswith($url,'wordpress') || startswith($url,'wp/'))
{
      sendBomb();
      exit();
}

function sendBomb(){
        //prepare the client to recieve GZIP data. This will not be suspicious
        //since most web servers use GZIP by default
        header("Content-Encoding: gzip");
        header("Content-Length: ".filesize('10G.gzip'));
        //Turn off output buffering
        if (ob_get_level()) ob_end_clean();
        //send the gzipped file to the client
        readfile('10G.gzip');
}

function startsWith($a, $b) { 
    return strpos($a, $b) === 0;
}
source: https://blog.haschek.at/post/f2fda
__________________
This is my awesome signature!
if you really have to, you can use: smuttalk-that apple thingy-websmut.com
Don't forget to mention GFY in the subject!
Smut-Talk is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-12-2017, 05:06 PM   #17
Barry-xlovecam
It's 42
 
Industry Role:
Join Date: Jun 2010
Location: Global
Posts: 18,083
Code:
root@ds12-ams-2gb:~# whois odir.us
Domain Name:                                 ODIR.US
Domain ID:                                   D29663821-US
Sponsoring Registrar:                        UNITED-DOMAINS AG
Sponsoring Registrar IANA ID:                1408
Registrar URL (registration services):       www.united-domains.de
Domain Status:                               clientTransferProhibited
Registrant ID:                               C-SM7006B-QVRDOB
Registrant Name:                             Stefan Mayr
Registrant Address1:                         Mondscheingasse 6
Registrant City:                             Graz
Registrant Postal Code:                      8010
Registrant Country:                          Austria
Registrant Country Code:                     AT
Registrant Phone Number:                     +43.69910780807
Registrant Email:                            [email protected]
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C31/AT
Administrative Contact ID:                   C-SM7006B-MIXAPZ
Administrative Contact Name:                 Stefan Mayr
Administrative Contact Address1:             Mondscheingasse 6
Administrative Contact City:                 Graz
Administrative Contact Postal Code:          8010
Administrative Contact Country:              Austria
Administrative Contact Country Code:         AT
Administrative Contact Phone Number:         +43.69910780807
Administrative Contact Email:                [email protected]
Administrative Application Purpose:          P1
Administrative Nexus Category:               C31/AT
Billing Contact ID:                          C-UHM65D7-HTWJET
Billing Contact Name:                        Host Master
Billing Contact Organization:                united-domains AG
Billing Contact Address1:                    Gautinger Str. 10
Billing Contact City:                        Starnberg
Billing Contact State/Province:              Bayern
Billing Contact Postal Code:                 82319
Billing Contact Country:                     Germany
Billing Contact Country Code:                DE
Billing Contact Phone Number:                +49.8151368670
Billing Contact Facsimile Number:            +49.81513686777
Billing Contact Email:                       [email protected]
Billing Application Purpose:                 P1
Billing Nexus Category:                      C31/AT
Technical Contact ID:                        C-UHM65D7-OYNZFB
Technical Contact Name:                      Host Master
Technical Contact Organization:              united-domains AG
Technical Contact Address1:                  Gautinger Str. 10
Technical Contact City:                      Starnberg
Technical Contact State/Province:            Bayern
Technical Contact Postal Code:               82319
Technical Contact Country:                   Germany
Technical Contact Country Code:              DE
Technical Contact Phone Number:              +49.8151368670
Technical Contact Facsimile Number:          +49.81513686777
Technical Contact Email:                     [email protected]
Technical Application Purpose:               P1
Technical Nexus Category:                    C31/AT
Name Server:                                 EMMA.NS.CLOUDFLARE.COM
Name Server:                                 IVAN.NS.CLOUDFLARE.COM
Created by Registrar:                        PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Last Updated by Registrar:                   UNITED-DOMAINS AG
Last Transferred Date:                       Sun Apr 16 16:06:24 GMT 2017
Domain Registration Date:                    Thu Sep 16 04:52:42 GMT 2010
Domain Expiration Date:                      Sat Sep 15 23:59:59 GMT 2018
Domain Last Updated Date:                    Mon Apr 17 06:01:29 GMT 2017
DNSSEC:                                      false
Enough of this shit

Complain to the registry to yank his ticket.

usTLD Nexus Requirements Policy for Registrants| About.US - About.US


Quote:
usTLD Nexus
Requirements Policy

Registrants in the usTLD must be either:

1.A natural person (i) who is a United States citizen, (ii) who is a permanent resident of the United States of America or any of its possessions or territories, or (iii) whose primary place of domicile is in the United States of America or any of its possessions [Nexus Category 1],

2.A United States entity or organization that is (i) incorporated within one of the fifty (50) U.S. states, the District of Columbia, or any of the United States possessions or territories, or (ii) organized or otherwise constituted under the laws of a state of the United States of America, the District of Columbia or any of its possessions or territories (including a federal, state, or local government of the United States or a political subdivision thereof, and non-commercial organizations based in the United States) [Nexus Category 2], or

3.A foreign entity or organization that has a bona fide presence in the United States of America or any of its possessions or territories [Nexus Category 3].
Normally if it was a domain innocent of any real wrongdoing I would just leave this be -- but under these circumstances -- he can go fuck himself -- next move is yours ...
Barry-xlovecam is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-12-2017, 05:16 PM   #18
CaptainHowdy
Too lazy to set a custom title
 
CaptainHowdy's Avatar
 
Industry Role:
Join Date: Dec 2004
Location: Happy in the dark.
Posts: 91,322
All hail k0nr4d ...
__________________
Get Your Free Backlinks Today 127 URLs to pick from - Go To The Thread here!
Join the SWAG Affiliate Asian Live Cam Program Non-Saturated Models and Exclusive Content.
CaptainHowdy is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-13-2017, 04:14 AM   #19
Craft
Confirmed User
 
Industry Role:
Join Date: Oct 2015
Posts: 169
Anyone knows how to check if your site is cloned ?
Craft is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-13-2017, 04:44 AM   #20
Paul&John
Confirmed User
 
Paul&John's Avatar
 
Industry Role:
Join Date: Aug 2005
Location: YUROP
Posts: 8,497
Nice info k0nr4d!
__________________
Use coupon 'pauljohn' for a $1 discount at already super cheap NameSilo!
Anal Webcams | Kinky Trans Cams Live | Hotwife XXX Tube | Get your Proxies here
Paul&John is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-13-2017, 06:10 AM   #21
CaptainHowdy
Too lazy to set a custom title
 
CaptainHowdy's Avatar
 
Industry Role:
Join Date: Dec 2004
Location: Happy in the dark.
Posts: 91,322
Bump for a great thread ...
__________________
Get Your Free Backlinks Today 127 URLs to pick from - Go To The Thread here!
Join the SWAG Affiliate Asian Live Cam Program Non-Saturated Models and Exclusive Content.
CaptainHowdy is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-13-2017, 09:50 AM   #22
mikeworks
Confirmed User
 
Join Date: Apr 2010
Posts: 272
Quote:
Originally Posted by Craft View Post
Anyone knows how to check if your site is cloned ?
Check webmaster tools for backlinks from a cloned domain.
mikeworks is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-13-2017, 10:19 AM   #23
RazorSharpe
Confirmed User
 
RazorSharpe's Avatar
 
Industry Role:
Join Date: Aug 2001
Location: Scotland
Posts: 2,237
Have a very similar issue.

This is the offender's site: (google cache version)
https://webcache.googleusercontent.c...&ct=clnk&gl=uk

This is mine:
https://www.projectvoyeur.com

He has cloned over 100K pages on my site and counting. I contacted cloudflare who responded with their party line about not being the host so I was dead in the water.

Previously, when contacting google (DMCA), they have taken action on sites like this. This time however, they did pretty much nothing. The fact that this person is cloning my site and then serving cloaked pages (which is why I showed the cached version above), didn't seem to bother the folk at Google at all.

So I kinda figured I was stuck with this.
__________________
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.
RazorSharpe is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-13-2017, 09:01 PM   #24
TrafficTitan
Confirmed User
 
Industry Role:
Join Date: Nov 2012
Posts: 346
Google is too dumb to understand their cloaking. DMCA sometimes work but not always.

Can you DMCA an entire domain?
Does anybody have a good standardized message to send to google that works?

Has anybody come up with a rock solid way to stop them? I've already implemented banning all cloudflare IPs. One way that does work if you DMCA cloudflare they will cough up the origin host. Then if you DMCA the origin host it frequently gets shut down. It would be great if there was a pro-active way to just prevent it though. The JS canonical seems interesting.

In addition to the clones I also see people scraping everyone's titles and throwing them up on a BS site which always redirects to a random tube or advertiser from google serps.
TrafficTitan is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-13-2017, 11:35 PM   #25
Lewis11
Confirmed User
 
Industry Role:
Join Date: May 2016
Posts: 400
Nice info!
Lewis11 is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-14-2017, 07:17 AM   #26
sarettah
l8r
 
Industry Role:
Join Date: Oct 2002
Posts: 13,440
Bump for business

.
sarettah is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-14-2017, 08:06 AM   #27
wocnom
Confirmed User
 
wocnom's Avatar
 
Industry Role:
Join Date: Jan 2013
Posts: 132
I think there are like 3 possible ways to fight them. Notify about what they are doing:
  1. their domain registrar
  2. hosting they are using AND cloudflare
  3. google
Combine all of them is the best way I suppose. I think it's possible to use DMCA in all three cases.
wocnom is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-14-2017, 08:21 AM   #28
Barry-xlovecam
It's 42
 
Industry Role:
Join Date: Jun 2010
Location: Global
Posts: 18,083
Go to the registry and hit them with the sledgehammer.
Barry-xlovecam is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-14-2017, 09:01 AM   #29
TrafficTitan
Confirmed User
 
Industry Role:
Join Date: Nov 2012
Posts: 346
If you contact the domain registrar does that actually do anything? I've never tried DMCA'ing the registrar.
TrafficTitan is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-14-2017, 09:15 AM   #30
Barry-xlovecam
It's 42
 
Industry Role:
Join Date: Jun 2010
Location: Global
Posts: 18,083
The REGISTRY not the Registrar -- shit flows downhill -- you have never worked in the corporate world?
You go right to the COB or the CEO's office -- shit happens fast when you pull a tiger's tail.

Pay an Attorney to write the letter to the COB and send it Certified mail or by DHL (if overseas) -- the shit will hit the fans.
Barry-xlovecam is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-14-2017, 10:47 PM   #31
Craft
Confirmed User
 
Industry Role:
Join Date: Oct 2015
Posts: 169
Thes works

On the top of .htaccess files add this.

"Header always append X-Frame-Options SAMEORIGIN"
Craft is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-14-2017, 10:59 PM   #32
kmanrox
aka K-Man
 
kmanrox's Avatar
 
Industry Role:
Join Date: Oct 2001
Location: The Gutter
Posts: 29,271
Or via a custom scraper made in PHP that uses a pool of rotating client proxies, random, periodically.
__________________
Crypto HODLr
Crypto mining
Angel investor
kmanrox is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-15-2017, 02:39 AM   #33
Smut-Talk
I talk smut
 
Industry Role:
Join Date: Jul 2016
Location: Somewhere on the webz
Posts: 176
Craft made a point:

On the server you can set the X-Frame-Options header, which tells the web browser how to treat the page when it is framed. It is possible to set this header to DENY, which blocks all loading of the page via frames. By setting it to SAMEORIGIN you can relax the restrict and only allow framing by pages on the same domain.

On the Apache webserver this directive is set like so (on Debian/Ubuntu servers this is /etc/apache2/apache2.conf):

Code:
Header always append X-Frame-Options SAMEORIGIN
Alternatively if you are using nginx then you can implement it in the following way:

Code:
add_header X-Frame-Options SAMEORIGIN;

Unfortunately this header is only supported on more recent browsers


Now for legacy browsers you will need to drop back to using a JavaScript framebusting code. It goes without saying however that this can be circumvented by a potential attacker through techniques such as double framing and exploiting cross site scripting filters in some browsers.

Code:
if(top != self) { top.location = self.location; }
The latest recommendation from The Open Web Application Security Project (OWASP) is to include the following code in the <head> section of your web page:

Code:
<style id="antiClickjack">body{display:none !important;}</style>
<script type="text/javascript">
   if (self === top) {
       var antiClickjack = document.getElementById("antiClickjack");
       antiClickjack.parentNode.removeChild(antiClickjack);
   } else {
       top.location = self.location;
   }
</script>
This works by disabling the whole page using the CSS style at the beginning and then later on in the javascript checking to see that the page is not framed. It then removes the style from the pages HTML thereby revealing the content. If it is framed then it sets itself as the parent page.

This should work...

Still shit falls down quick, do as Barry said; Enough of this shit

Quote:
Complain to the registry to yank his ticket.
__________________
This is my awesome signature!
if you really have to, you can use: smuttalk-that apple thingy-websmut.com
Don't forget to mention GFY in the subject!

Last edited by Smut-Talk; 09-15-2017 at 02:44 AM.. Reason: cleaned up code
Smut-Talk is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-15-2017, 02:57 AM   #34
Smut-Talk
I talk smut
 
Industry Role:
Join Date: Jul 2016
Location: Somewhere on the webz
Posts: 176
Quote:
Originally Posted by RazorSharpe View Post
Have a very similar issue.

This is the offender's site: (google cache version)
https://webcache.googleusercontent.c...&ct=clnk&gl=uk

This is mine:
https://www.projectvoyeur.com

He has cloned over 100K pages on my site and counting. I contacted cloudflare who responded with their party line about not being the host so I was dead in the water.

Previously, when contacting google (DMCA), they have taken action on sites like this. This time however, they did pretty much nothing. The fact that this person is cloning my site and then serving cloaked pages (which is why I showed the cached version above), didn't seem to bother the folk at Google at all.

So I kinda figured I was stuck with this.
maybe this help really quick:

you can use .htaccess as the following

Code:
RewriteEngine On

RewriteCond %{QUERY_STRING} !^id=[^&]+ [NC]
# if referrer is bad.com
RewriteCond %{HTTP_REFERER} (www\.)?bad\.com [NC]
# then redirect to a different page
RewriteRule !^404.shtm [L,NC,R=302]
Just don't do a 404, do a redirect to a goatsie picture...
I think when his page visitors see that, they won't be coming back..
__________________
This is my awesome signature!
if you really have to, you can use: smuttalk-that apple thingy-websmut.com
Don't forget to mention GFY in the subject!
Smut-Talk is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 09-26-2017, 03:19 AM   #35
CrazyMartin
Confirmed User
 
Join Date: Jan 2009
Posts: 335
Js script is ugly and sometimes hard to do (put Js on every page) its much better redirect 301 or serve special page for scammer IPs


Cloudflare IPS never Access your site so redirect based on Cloudflare id useless

They use additional proxy and then sends to Cloudflare

SO Just grabb proxy IP by puting on your page PHP script that display Client IP and configure webserver to serve special page for particulal ip
CrazyMartin is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 11-22-2017, 12:02 AM   #36
JuicyBunny
So Fucking Banned
 
Industry Role:
Join Date: Jun 2010
Location: Tokyo Red Light District
Posts: 2,145
Quote:
Originally Posted by Barry-xlovecam View Post
The REGISTRY not the Registrar -- shit flows downhill -- you have never worked in the corporate world?
You go right to the COB or the CEO's office -- shit happens fast when you pull a tiger's tail.

Pay an Attorney to write the letter to the COB and send it Certified mail or by DHL (if overseas) -- the shit will hit the fans.
HI
Can you or someone PM me the information regarding the registry? Not sure what you are talking about besides registrar. We have sent DMCAs Google, host and registrar.
We have to file complaint against site cloning ours.
Thanks

Have tried K0nrads suggestions which were great but criminals seem to have found a work around even MojoHost cannot fix.
JuicyBunny is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 11-22-2017, 12:44 AM   #37
JuicyBunny
So Fucking Banned
 
Industry Role:
Join Date: Jun 2010
Location: Tokyo Red Light District
Posts: 2,145
I got it. Thanks!
JuicyBunny is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 11-23-2017, 12:33 AM   #38
Brad Mitchell
Confirmed User
 
Brad Mitchell's Avatar
 
Industry Role:
Join Date: Nov 2001
Location: Southfield, MI
Posts: 9,725
What a great thread and a good read. Excellent digging Konrad! Great additions from others, too. GFY could be greater than MAGA with more useful threads like this.

Brad
__________________
President at MojoHost | brad at mojohost dot com | Skype MojoHostBrad
69 industry awards for hosting and professional excellence since 1999
Brad Mitchell is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 11-23-2017, 01:10 AM   #39
Bladewire
StraightBro
 
Bladewire's Avatar
 
Industry Role:
Join Date: Aug 2003
Location: Monarch Beach, CA USA
Posts: 56,232




__________________


Skype: CallTomNow

Bladewire is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 11-23-2017, 04:57 AM   #40
MKA
Hey...
 
MKA's Avatar
 
Industry Role:
Join Date: Nov 2011
Location: NL
Posts: 497
So many opinions in one thread, so what is the best solution?
MKA is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 11-23-2017, 07:00 AM   #41
Barry-xlovecam
It's 42
 
Industry Role:
Join Date: Jun 2010
Location: Global
Posts: 18,083
  1. The solution is for dumb-ass Google to delist them.
  2. Dense users need be more aware of the browser address location bar.

You cannot stop crime or scammers -- that has been proven over and over historically.

Every registry (where the registrar buys the names they sell you) has a AUP and TOS and will (or should ) accept certified mail or a FedEx / DHL overnight letter with a complaint at their PHYSICAL ADDRESS. ICANN says they need a physical address to accept mail at -- do the legwork yourself or hire a lawyer (or other qualified person) to do it for you.
Barry-xlovecam is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 11-23-2017, 11:48 AM   #42
JuicyBunny
So Fucking Banned
 
Industry Role:
Join Date: Jun 2010
Location: Tokyo Red Light District
Posts: 2,145
Quote:
Originally Posted by Barry-xlovecam View Post
  1. The solution is for dumb-ass Google to delist them.
  2. Dense users need be more aware of the browser address location bar.

You cannot stop crime or scammers -- that has been proven over and over historically.

Every registry (where the registrar buys the names they sell you) has a AUP and TOS and will (or should ) accept certified mail or a FedEx / DHL overnight letter with a complaint at their PHYSICAL ADDRESS. ICANN says they need a physical address to accept mail at -- do the legwork yourself or hire a lawyer (or other qualified person) to do it for you.
Need to thank you for these registry tips. We had a domain lose its reg on the afternoon of the morning we filed an infringement notice for cloning.
We plan on using this method ALOT now because as you say scammers and criminals will not go away and it works. If you file the right complaint.
JuicyBunny is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 11-24-2017, 12:40 AM   #43
k0nr4d
Confirmed User
 
k0nr4d's Avatar
 
Industry Role:
Join Date: Aug 2006
Location: Poland
Posts: 9,157
What about putting some super unique piece of text on your site and using google search api to check if it exists on any other domain to check if anyone has done this to your site?
k0nr4d is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 11-24-2017, 01:38 PM   #44
JuicyBunny
So Fucking Banned
 
Industry Role:
Join Date: Jun 2010
Location: Tokyo Red Light District
Posts: 2,145
Quote:
Originally Posted by k0nr4d View Post
What about putting some super unique piece of text on your site and using google search api to check if it exists on any other domain to check if anyone has done this to your site?
Thats a good idea. We're doing a few things and have some friends helping as well.
JuicyBunny is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 11-24-2017, 03:08 PM   #45
SIK
Confirmed User
 
SIK's Avatar
 
Join Date: Dec 2006
Posts: 1,497
I've had my sites heavily affected by this shit over the years.

You'll probably call me crazy but - http://www.clone-site.com - I wrote all that in a day.

Will expand on it during the following days, and I'm actually going to clone a few sites on subdomains, just to demonstrate it all.

Silly as it can be, but my goal is to get this shit recognized as an issue and to get google to provide some kind of "report tool" for affected sites.

Yeah, I know - but I'm an optimist.
__________________
¤´¨)
¸.•´¸.•*´¨) ¸.•*¨)
(¸.•´ (¸.•`¤ICQ:491 496 482
SIK is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 11-24-2017, 03:22 PM   #46
Brad Mitchell
Confirmed User
 
Brad Mitchell's Avatar
 
Industry Role:
Join Date: Nov 2001
Location: Southfield, MI
Posts: 9,725
I'm not technical like the rest of our team here.. so hopefully I don't mangle this-

The feedback I'm hearing internally here is that Java code is the best way to address it. While it may need to be addressed on a case by case basis, writing a piece of code like that or to break the Iframe has been the solution we have used for more difficult ones. A clever hacker can work around Java obfuscation, too, though. One of our techs says "I've broken down sucuri's java obfuscation with a simple PHP script and a system call to the `node` java interpreter."

Sincerely,

Brad
__________________
President at MojoHost | brad at mojohost dot com | Skype MojoHostBrad
69 industry awards for hosting and professional excellence since 1999
Brad Mitchell is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 11-24-2017, 04:26 PM   #47
Barry-xlovecam
It's 42
 
Industry Role:
Join Date: Jun 2010
Location: Global
Posts: 18,083
Quote:
Originally Posted by JuicyBunny View Post
Need to thank you for these registry tips. We had a domain lose its reg on the afternoon of the morning we filed an infringement notice for cloning.
We plan on using this method ALOT now because as you say scammers and criminals will not go away and it works. If you file the right complaint.
Good to hear you got results.

I learned a long time ago shit flows downhill FAST.
Barry-xlovecam is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 11-25-2017, 05:02 AM   #48
xxx6live
Confirmed User
 
xxx6live's Avatar
 
Industry Role:
Join Date: Dec 2012
Location: Scandinavia
Posts: 261
Quote:
Originally Posted by Brad Mitchell View Post
I'm not technical like the rest of our team here.. so hopefully I don't mangle this-

The feedback I'm hearing internally here is that Java code is the best way to address it. While it may need to be addressed on a case by case basis, writing a piece of code like that or to break the Iframe has been the solution we have used for more difficult ones.
Yes, this works perfect most of the times.

But: one site of mine did not react to the javascript. They had learnt to use the

Code:
<iframe sandbox ...>
tag which stops script execution in the iframe, so the javascript in my iframed site was never being executed.
__________________
See the top models online now
xxx6live is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 11-25-2017, 05:29 AM   #49
JuicyBunny
So Fucking Banned
 
Industry Role:
Join Date: Jun 2010
Location: Tokyo Red Light District
Posts: 2,145
Quote:
Originally Posted by SIK View Post
I've had my sites heavily affected by this shit over the years.

You'll probably call me crazy but - http://www.clone-site.com - I wrote all that in a day.

Will expand on it during the following days, and I'm actually going to clone a few sites on subdomains, just to demonstrate it all.

Silly as it can be, but my goal is to get this shit recognized as an issue and to get google to provide some kind of "report tool" for affected sites.

Yeah, I know - but I'm an optimist.
Love the site. Very helpful.
You and Barry should hook up and create a solution to kill these fuckers.
Its obvious Google is less than receptive to helping.
JuicyBunny is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Old 11-25-2017, 05:34 AM   #50
JuicyBunny
So Fucking Banned
 
Industry Role:
Join Date: Jun 2010
Location: Tokyo Red Light District
Posts: 2,145
Quote:
Originally Posted by Brad Mitchell View Post
I'm not technical like the rest of our team here.. so hopefully I don't mangle this-

The feedback I'm hearing internally here is that Java code is the best way to address it. While it may need to be addressed on a case by case basis, writing a piece of code like that or to break the Iframe has been the solution we have used for more difficult ones. A clever hacker can work around Java obfuscation, too, though. One of our techs says "I've broken down sucuri's java obfuscation with a simple PHP script and a system call to the `node` java interpreter."

Sincerely,

Brad
Thats great advice. Your techs have been very helpful to us.
Still, we need a solution for people who are scraping and downloading our content to their sites. So far, no cure for that except to complain to cloudflare and the registries.
I'd like to block these guys before they create issues.
JuicyBunny is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote
Post New Thread Reply
Go Back   GoFuckYourself.com - Adult Webmaster Forum > >

Bookmarks

Tags
cloudflare, app, add, clientsdomain.com, server, clonedomain.com, website, domain, replacing, content, html, proxy, file, returning, cloning, suspect, hope, honeypot, placing, helps, hitting, method, adding, nginx/varnish, find/replace
Thread Tools



Advertising inquiries - marketing at gfy dot com

Contact Admin - Advertise - GFY Rules - Top

©2000-, AI Media Network Inc



Powered by vBulletin
Copyright © 2000- Jelsoft Enterprises Limited.