Tech Website cloning via proxy - GoFuckYourself.com

k0nr4d · 09-12-2017, 08:50 AM

The topic of website cloning has been coming up lately. I've figured out how people are doing it. This is in regards to the complete clone domains, not sites that have your site mirrored in a directory somewhere. There might be more ways to do this, this is what i've encountered though.

There are two variants, first via cloudflare:
1) Your website is added by someone to cloudflare, presumably as a cname - or possibly cnaming a domain that's not on cloudflare that has your domain as a cname.
2) They add the "Add Content" or Add HTML" App within cloudflare, which allows them to append content to your html on all pages.
3) There is another app somewhere in cloudflare that lets you replace words. So in this case, they were replacing clientsdomain.com with clonedomain.com. This really did my head in - $_SERVER['HTTP_HOST'] was returning clonedomain.com. In reality, the script was returning clientsdomain.com and replacing the word "clientsdomain.com" with "clonedomain.com". Literally, you could "clientsdomain.com into a text file, request it via the other domain and it outputted as "clonedomain.com"
4) The replacing of the domain I cannot figure out yet. I don't know how this is done, I can't find any cloudflare app that lets me do this but I suspect it's maybe done using JS somehow in that Add HTML App.

the second method is via nginx/varnish and THEN cloudflare in which case they do the find/replace and content adding via their server and then pass it along to cloudflare. In this case it may be possible to honeypot the proxy server by placing a new file, hitting it via the proxy domain and seeing what ip comes up in your server logs.

The only way I can think of bypassing this, is by doing javascript like this:

Code:

<script>
if(window.location.href.indexOf("yourd"+"omain.com") < 0) {
       window.location("http://yourd"+"omain.com"); 
}
</script>

or by completely shit-listing the cloudflare IPs on your server (in which case you won't be able to use cloudflare yourself):
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
104.16.0.0/12
108.162.192.0/18
131.0.72.0/22
141.101.64.0/18
162.158.0.0/15
172.64.0.0/13
173.245.48.0/20
188.114.96.0/20
190.93.240.0/20
197.234.240.0/22
198.41.128.0/17

Hope this helps someone

Adraco · 09-12-2017, 09:33 AM

Very nice explanation and most impressed by your level of knowledge to be able to figure this way out! Thanks for posting this Konrad!

sarettah · 09-12-2017, 10:12 AM

Good post K0nr4d, excellent break down of what it is.

Thanks

.

bns666 · 09-12-2017, 10:18 AM

cool, thanx

Barry-xlovecam · 09-12-2017, 10:23 AM

Thats what I was thinking their method was 'like'
Blocking Cloudflare IPs on servers EXCEPT where specifically needed is a good idea.

SAMEORIGIN would not help in this scenario.

Cloudflare needs to police their clients better -- copyright infringement and fraud most likely are Cloudflare TOS violations.

Thanks for looking into this Konrad.

BTW a 302 -301 domain redirection will work -- maybe even a page redirection -- this is working for lifeselector -- planed or not.

k0nr4d · 09-12-2017, 10:27 AM

Quote:

Originally Posted by Barry-xlovecam

Thats what I was thinking their method was 'like'
Blocking Cloudflare IPs on servers EXCEPT where specifically needed is a good idea.

SAMEORIGIN would not help in this scenario.

Cloudflare needs to police their clients better -- copyright infringement and fraud most likely are Cloudflare TOS violations.

Thanks for looking into this Konrad.

BTW a 302 -301 domain redirection will work -- maybe even a page redirection -- this is working for lifeselector -- planed or not.

Redirect won't work because from the proxies end the domain is correct. They are requesting domain1.com and reserving it as domain2.com. Only a redirect via JS like I wrote works, and you have to split the string into two so it doesn't get text-replaced.

sarettah · 09-12-2017, 10:35 AM

Quote:

Originally Posted by k0nr4d

Redirect won't work because from the proxies end the domain is correct. They are requesting domain1.com and reserving it as domain2.com. Only a redirect via JS like I wrote works, and you have to split the string into two so it doesn't get text-replaced.

You could probably make the domain base64 encoded instead of just splitting it, or base64 it and split it into multiple parts maybe. The more obfuscation the better.

.

sarettah · 09-12-2017, 10:36 AM

Quote:

Originally Posted by Barry-xlovecam

Cloudflare needs to police their clients better -- copyright infringement and fraud most likely are Cloudflare TOS violations.

Yeah, I would think that cloudflare would probably block something like this if they knew about it.

.

Barry-xlovecam · 09-12-2017, 10:38 AM

Do that lifeselector link on that page and look at the headers. Fluke maybe but it goes to a password protected page

The clone renders a blank page for affiliates.lifeselector and the password page is on another subdomain name 'assist'. The wrong CNAME maybe?

The problem is scumbags using Cloudlare for bad purposes. If Cloudflare does not clean up their act the USDOJ will eventually. I am not asserting any complicity on Cloudflare's part but if they abandoned their free service and made it a 30 trial with a low cost for small users -- then the scumbags would not use it because payment data is traceable and can be subpoenaed.

k0nr4d · 09-12-2017, 10:39 AM

Quote:

Originally Posted by sarettah

You could probably make the domain base64 encoded instead of just splitting it, or base64 it and split it into multiple parts maybe. The more obfuscation the better.

.

Yeah you could go much further with this, and run the whole js through one of those obfuscators to hide it as well, or even randomize it so it's
d+omain
do+main
dom+ain
dom+a+in
and so forth to prevent someone doing find/replace on the JS itself too.

Barry-xlovecam · 09-12-2017, 11:00 AM

In this case the framing is not malicious notwithstanding the SEO imprecations.
so use an obfuscated canonical tag rel=canonical to identify were the REAL site/domain is

Every site stealing SERPs I checked for xlovecam was using Cloudflare to obscure their host server. Every 'claimed' free password site or free tokens or credits site/domain was trying to hide behind Cloudflare. If it was to big of a problem, and worth the expense, we could sue the domain owners and subpoena Cloudflare.

I have absolutely no problem with servers using Cloudflare for its intended purpose -- mitigating ddos attacks and security filtering.

mikeworks · 09-12-2017, 11:04 AM

Thanks Konrad for sharing your information.

It's probably one of the biggest problems at the moment. I disavow them, but they must obviously still benefit from google and/or harm original site.

k0nr4d · 09-12-2017, 11:07 AM

Quote:

Originally Posted by Barry-xlovecam

In this case the framing is not malicious notwithstanding the SEO imprecations.
so use an obfuscated canonical tag rel=canonical to identify were the REAL site/domain is

Every site stealing SERPs I checked for xlovecam was using Cloudflare to obscure their host server. Every 'claimed' free password site or free tokens or credits site/domain was trying to hide behind Cloudflare. If it was to big of a problem, and worth the expense, we could sue the domain owners and subpoena Cloudflare.

I have absolutely no problem with servers using Cloudflare for its intended purpose -- mitigating ddos attacks and security filtering.

How exactly does an obfuscated canonicle tag look like? I've never seen or heard of that

Barry-xlovecam · 09-12-2017, 11:44 AM

Pretty much everyone agrees now that search engines CAN read JavaScript.

Code:

<script language="javascript">
<!--
// == Begin Free HTML Source Code Obfuscation Protection from http://snapbuilder.com == //
document.write(unescape('%3C%6C%69%6E%6B%20%72%65%6C%3D%22%63%61%6E%6F%6E%69%63%61%6C%22%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%65%78%61%6D%70%6C%65%2E%63%6F%6D%2F%77%6F%72%64%70%72%65%73%73%2F%73%65%6F%2D%70%6C%75%67%69%6E%2F%22%3E'));
//-->
</script>

Assuming you are right that text substitution is being used -- how are you going to read and substitute this? If you are a secret-agent you could grep and decode somehow i suppose -- what does this say -- just run the code in phantomjs. That is the way i might scrape the page. if you broke the JS code with + maybe it might fool the substitution but if you really want to get down to it

echo or cat (<input>)|sed 's/\n//g' then ....

Code:

echo '<script>if(window.location.href.indexOf("yourd"+"omain.com") < 0) {       window.location("http://yourd"+"omain.com"); }</script>'
|egrep  -o ".{0,20}\(window\.location\.href.{0,20}"
|sed 's/window/you are fucked now/g'
<script>if(you are fucked now.location.href.indexOf("yourd"+"om

fuckup the frame breaker JS

Sure as fuck won't hurt

to try rel=canonical .

Bladewire · 09-12-2017, 04:07 PM

Excellent info thanks!

Smut-Talk · 09-12-2017, 04:35 PM

Nice info for sure...

On the defensive of your site:

You can do a lot with htaccess.
FI: I use htaccess to stop hotlinking, put a redirect to a goatsie in it...

Barry, as promised on icq:

to "help" with scriptkiddies with scanning, i came across this:

!you can ZIP bomb a vuln scanner!

ZIP compression is really good with repetitive data so if you have a really huge text file which consists of repetitive data like all zeroes, it will compress it really good.
It can compress a 4.5 peta byte (4.500.000 giga bytes) file down to 42 kilo bytes.

When a browser/scanner extracts or decompresses the content it will most likely run out of disk space or RAM.

So firstly create a 10 giga byte GZIP file, or bigger, filled with zeroes.
And secondly a PHP script that will deliver it to a client.

Code:

<?php
$agent = filter_input(INPUT_SERVER, 'HTTP_USER_AGENT');

//check for nikto, sql map or "bad" subfolders which only exist on wordpress
if (strpos($agent, 'nikto') !== false || strpos($agent, 'sqlmap') !== false || startswith($url,'wp-') || startswith($url,'wordpress') || startswith($url,'wp/'))
{
      sendBomb();
      exit();
}

function sendBomb(){
        //prepare the client to recieve GZIP data. This will not be suspicious
        //since most web servers use GZIP by default
        header("Content-Encoding: gzip");
        header("Content-Length: ".filesize('10G.gzip'));
        //Turn off output buffering
        if (ob_get_level()) ob_end_clean();
        //send the gzipped file to the client
        readfile('10G.gzip');
}

function startsWith($a, $b) { 
    return strpos($a, $b) === 0;
}

source: https://blog.haschek.at/post/f2fda

Barry-xlovecam · 09-12-2017, 05:06 PM

Code:

root@ds12-ams-2gb:~# whois odir.us
Domain Name:                                 ODIR.US
Domain ID:                                   D29663821-US
Sponsoring Registrar:                        UNITED-DOMAINS AG
Sponsoring Registrar IANA ID:                1408
Registrar URL (registration services):       www.united-domains.de
Domain Status:                               clientTransferProhibited
Registrant ID:                               C-SM7006B-QVRDOB
Registrant Name:                             Stefan Mayr
Registrant Address1:                         Mondscheingasse 6
Registrant City:                             Graz
Registrant Postal Code:                      8010
Registrant Country:                          Austria
Registrant Country Code:                     AT
Registrant Phone Number:                     +43.69910780807
Registrant Email:                            [email protected]
Registrant Application Purpose:              P1
Registrant Nexus Category:                   C31/AT
Administrative Contact ID:                   C-SM7006B-MIXAPZ
Administrative Contact Name:                 Stefan Mayr
Administrative Contact Address1:             Mondscheingasse 6
Administrative Contact City:                 Graz
Administrative Contact Postal Code:          8010
Administrative Contact Country:              Austria
Administrative Contact Country Code:         AT
Administrative Contact Phone Number:         +43.69910780807
Administrative Contact Email:                [email protected]
Administrative Application Purpose:          P1
Administrative Nexus Category:               C31/AT
Billing Contact ID:                          C-UHM65D7-HTWJET
Billing Contact Name:                        Host Master
Billing Contact Organization:                united-domains AG
Billing Contact Address1:                    Gautinger Str. 10
Billing Contact City:                        Starnberg
Billing Contact State/Province:              Bayern
Billing Contact Postal Code:                 82319
Billing Contact Country:                     Germany
Billing Contact Country Code:                DE
Billing Contact Phone Number:                +49.8151368670
Billing Contact Facsimile Number:            +49.81513686777
Billing Contact Email:                       [email protected]
Billing Application Purpose:                 P1
Billing Nexus Category:                      C31/AT
Technical Contact ID:                        C-UHM65D7-OYNZFB
Technical Contact Name:                      Host Master
Technical Contact Organization:              united-domains AG
Technical Contact Address1:                  Gautinger Str. 10
Technical Contact City:                      Starnberg
Technical Contact State/Province:            Bayern
Technical Contact Postal Code:               82319
Technical Contact Country:                   Germany
Technical Contact Country Code:              DE
Technical Contact Phone Number:              +49.8151368670
Technical Contact Facsimile Number:          +49.81513686777
Technical Contact Email:                     [email protected]
Technical Application Purpose:               P1
Technical Nexus Category:                    C31/AT
Name Server:                                 EMMA.NS.CLOUDFLARE.COM
Name Server:                                 IVAN.NS.CLOUDFLARE.COM
Created by Registrar:                        PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
Last Updated by Registrar:                   UNITED-DOMAINS AG
Last Transferred Date:                       Sun Apr 16 16:06:24 GMT 2017
Domain Registration Date:                    Thu Sep 16 04:52:42 GMT 2010
Domain Expiration Date:                      Sat Sep 15 23:59:59 GMT 2018
Domain Last Updated Date:                    Mon Apr 17 06:01:29 GMT 2017
DNSSEC:                                      false

Enough of this shit

Complain to the registry to yank his ticket.

usTLD Nexus Requirements Policy for Registrants| About.US - About.US

Quote:

usTLD Nexus
Requirements Policy

Registrants in the usTLD must be either:

1.A natural person (i) who is a United States citizen, (ii) who is a permanent resident of the United States of America or any of its possessions or territories, or (iii) whose primary place of domicile is in the United States of America or any of its possessions [Nexus Category 1],

2.A United States entity or organization that is (i) incorporated within one of the fifty (50) U.S. states, the District of Columbia, or any of the United States possessions or territories, or (ii) organized or otherwise constituted under the laws of a state of the United States of America, the District of Columbia or any of its possessions or territories (including a federal, state, or local government of the United States or a political subdivision thereof, and non-commercial organizations based in the United States) [Nexus Category 2], or

3.A foreign entity or organization that has a bona fide presence in the United States of America or any of its possessions or territories [Nexus Category 3].

Normally if it was a domain innocent of any real wrongdoing I would just leave this be -- but under these circumstances -- he can go fuck himself -- next move is yours ...

CaptainHowdy · 09-12-2017, 05:16 PM

All hail k0nr4d

...

Craft · 09-13-2017, 04:14 AM

Anyone knows how to check if your site is cloned ?

Paul&John · 09-13-2017, 04:44 AM

Nice info k0nr4d!

CaptainHowdy · 09-13-2017, 06:10 AM

Bump for a great thread ...

mikeworks · 09-13-2017, 09:50 AM

Quote:

Originally Posted by Craft

Anyone knows how to check if your site is cloned ?

Check webmaster tools for backlinks from a cloned domain.

RazorSharpe · 09-13-2017, 10:19 AM

Have a very similar issue.

This is the offender's site: (google cache version)
https://webcache.googleusercontent.c...&ct=clnk&gl=uk

This is mine:
https://www.projectvoyeur.com

He has cloned over 100K pages on my site and counting. I contacted cloudflare who responded with their party line about not being the host so I was dead in the water.

Previously, when contacting google (DMCA), they have taken action on sites like this. This time however, they did pretty much nothing. The fact that this person is cloning my site and then serving cloaked pages (which is why I showed the cached version above), didn't seem to bother the folk at Google at all.

So I kinda figured I was stuck with this.

TrafficTitan · 09-13-2017, 09:01 PM

Google is too dumb to understand their cloaking. DMCA sometimes work but not always.

Can you DMCA an entire domain?
Does anybody have a good standardized message to send to google that works?

Has anybody come up with a rock solid way to stop them? I've already implemented banning all cloudflare IPs. One way that does work if you DMCA cloudflare they will cough up the origin host. Then if you DMCA the origin host it frequently gets shut down. It would be great if there was a pro-active way to just prevent it though. The JS canonical seems interesting.

In addition to the clones I also see people scraping everyone's titles and throwing them up on a BS site which always redirects to a random tube or advertiser from google serps.

Lewis11 · 09-13-2017, 11:35 PM

Nice info!

sarettah · 09-14-2017, 07:17 AM

Bump for business

.

wocnom · 09-14-2017, 08:06 AM

I think there are like 3 possible ways to fight them. Notify about what they are doing:

their domain registrar
hosting they are using AND cloudflare
google

Combine all of them is the best way I suppose. I think it's possible to use DMCA in all three cases.

Barry-xlovecam · 09-14-2017, 08:21 AM

Go to the registry and hit them with the sledgehammer.

TrafficTitan · 09-14-2017, 09:01 AM

If you contact the domain registrar does that actually do anything? I've never tried DMCA'ing the registrar.

Barry-xlovecam · 09-14-2017, 09:15 AM

The REGISTRY not the Registrar -- shit flows downhill -- you have never worked in the corporate world?
You go right to the COB or the CEO's office -- shit happens fast when you pull a tiger's tail.

Pay an Attorney to write the letter to the COB and send it Certified mail or by DHL (if overseas) -- the shit will hit the fans.

Craft · 09-14-2017, 10:47 PM

Thes works

On the top of .htaccess files add this.

"Header always append X-Frame-Options SAMEORIGIN"

kmanrox · 09-14-2017, 10:59 PM

Or via a custom scraper made in PHP that uses a pool of rotating client proxies, random, periodically.

Smut-Talk · 09-15-2017, 02:39 AM

Craft made a point:

On the server you can set the X-Frame-Options header, which tells the web browser how to treat the page when it is framed. It is possible to set this header to DENY, which blocks all loading of the page via frames. By setting it to SAMEORIGIN you can relax the restrict and only allow framing by pages on the same domain.

On the Apache webserver this directive is set like so (on Debian/Ubuntu servers this is /etc/apache2/apache2.conf):

Code:

Header always append X-Frame-Options SAMEORIGIN

Alternatively if you are using nginx then you can implement it in the following way:

Code:

add_header X-Frame-Options SAMEORIGIN;

Unfortunately this header is only supported on more recent browsers

Now for legacy browsers you will need to drop back to using a JavaScript framebusting code. It goes without saying however that this can be circumvented by a potential attacker through techniques such as double framing and exploiting cross site scripting filters in some browsers.

Code:

if(top != self) { top.location = self.location; }

The latest recommendation from The Open Web Application Security Project (OWASP) is to include the following code in the <head> section of your web page:

Code:

<style id="antiClickjack">body{display:none !important;}</style>
<script type="text/javascript">
   if (self === top) {
       var antiClickjack = document.getElementById("antiClickjack");
       antiClickjack.parentNode.removeChild(antiClickjack);
   } else {
       top.location = self.location;
   }
</script>

This works by disabling the whole page using the CSS style at the beginning and then later on in the javascript checking to see that the page is not framed. It then removes the style from the pages HTML thereby revealing the content. If it is framed then it sets itself as the parent page.

This should work...

Still shit falls down quick, do as Barry said; Enough of this shit

Quote:

Complain to the registry to yank his ticket.

Smut-Talk · 09-15-2017, 02:57 AM

Quote:

Originally Posted by RazorSharpe

Have a very similar issue.

This is the offender's site: (google cache version)
https://webcache.googleusercontent.c...&ct=clnk&gl=uk

This is mine:
https://www.projectvoyeur.com

He has cloned over 100K pages on my site and counting. I contacted cloudflare who responded with their party line about not being the host so I was dead in the water.

Previously, when contacting google (DMCA), they have taken action on sites like this. This time however, they did pretty much nothing. The fact that this person is cloning my site and then serving cloaked pages (which is why I showed the cached version above), didn't seem to bother the folk at Google at all.

So I kinda figured I was stuck with this.

maybe this help really quick:

you can use .htaccess as the following

Code:

RewriteEngine On

RewriteCond %{QUERY_STRING} !^id=[^&]+ [NC]
# if referrer is bad.com
RewriteCond %{HTTP_REFERER} (www\.)?bad\.com [NC]
# then redirect to a different page
RewriteRule !^404.shtm [L,NC,R=302]

Just don't do a 404, do a redirect to a goatsie picture...

I think when his page visitors see that, they won't be coming back..

CrazyMartin · 09-26-2017, 03:19 AM

Js script is ugly and sometimes hard to do (put Js on every page) its much better redirect 301 or serve special page for scammer IPs

Cloudflare IPS never Access your site so redirect based on Cloudflare id useless

They use additional proxy and then sends to Cloudflare

SO Just grabb proxy IP by puting on your page PHP script that display Client IP and configure webserver to serve special page for particulal ip

JuicyBunny · 11-22-2017, 12:02 AM

Quote:

Originally Posted by Barry-xlovecam

The REGISTRY not the Registrar -- shit flows downhill -- you have never worked in the corporate world?
You go right to the COB or the CEO's office -- shit happens fast when you pull a tiger's tail.

Pay an Attorney to write the letter to the COB and send it Certified mail or by DHL (if overseas) -- the shit will hit the fans.

HI
Can you or someone PM me the information regarding the registry? Not sure what you are talking about besides registrar. We have sent DMCAs Google, host and registrar.
We have to file complaint against site cloning ours.
Thanks

Have tried K0nrads suggestions which were great but criminals seem to have found a work around even MojoHost cannot fix.

JuicyBunny · 11-22-2017, 12:44 AM

I got it. Thanks!

Brad Mitchell · 11-23-2017, 12:33 AM

What a great thread and a good read. Excellent digging Konrad! Great additions from others, too. GFY could be greater than MAGA with more useful threads like this.

Brad

Bladewire · 11-23-2017, 01:10 AM

MKA · 11-23-2017, 04:57 AM

So many opinions in one thread, so what is the best solution?

Barry-xlovecam · 11-23-2017, 07:00 AM

The solution is for dumb-ass Google to delist them.
Dense users need be more aware of the browser address location bar.

You cannot stop crime or scammers -- that has been proven over and over historically.

Every registry (where the registrar buys the names they sell you) has a AUP and TOS and will (or should ) accept certified mail or a FedEx / DHL overnight letter with a complaint at their PHYSICAL ADDRESS. ICANN says they need a physical address to accept mail at -- do the legwork yourself or hire a lawyer (or other qualified person) to do it for you.

JuicyBunny · 11-23-2017, 11:48 AM

Quote:

Originally Posted by Barry-xlovecam

The solution is for dumb-ass Google to delist them.
Dense users need be more aware of the browser address location bar.

You cannot stop crime or scammers -- that has been proven over and over historically.

Every registry (where the registrar buys the names they sell you) has a AUP and TOS and will (or should ) accept certified mail or a FedEx / DHL overnight letter with a complaint at their PHYSICAL ADDRESS. ICANN says they need a physical address to accept mail at -- do the legwork yourself or hire a lawyer (or other qualified person) to do it for you.

Need to thank you for these registry tips. We had a domain lose its reg on the afternoon of the morning we filed an infringement notice for cloning.
We plan on using this method ALOT now because as you say scammers and criminals will not go away and it works. If you file the right complaint.

k0nr4d · 11-24-2017, 12:40 AM

What about putting some super unique piece of text on your site and using google search api to check if it exists on any other domain to check if anyone has done this to your site?

JuicyBunny · 11-24-2017, 01:38 PM

Quote:

Originally Posted by k0nr4d

What about putting some super unique piece of text on your site and using google search api to check if it exists on any other domain to check if anyone has done this to your site?

Thats a good idea. We're doing a few things and have some friends helping as well.

SIK · 11-24-2017, 03:08 PM

I've had my sites heavily affected by this shit over the years.

You'll probably call me crazy but - http://www.clone-site.com - I wrote all that in a day.

Will expand on it during the following days, and I'm actually going to clone a few sites on subdomains, just to demonstrate it all.

Silly as it can be, but my goal is to get this shit recognized as an issue and to get google to provide some kind of "report tool" for affected sites.

Yeah, I know - but I'm an optimist.

Brad Mitchell · 11-24-2017, 03:22 PM

I'm not technical like the rest of our team here.. so hopefully I don't mangle this-

The feedback I'm hearing internally here is that Java code is the best way to address it. While it may need to be addressed on a case by case basis, writing a piece of code like that or to break the Iframe has been the solution we have used for more difficult ones. A clever hacker can work around Java obfuscation, too, though. One of our techs says "I've broken down sucuri's java obfuscation with a simple PHP script and a system call to the `node` java interpreter."

Sincerely,

Brad

Barry-xlovecam · 11-24-2017, 04:26 PM

Quote:

Originally Posted by JuicyBunny

Need to thank you for these registry tips. We had a domain lose its reg on the afternoon of the morning we filed an infringement notice for cloning.
We plan on using this method ALOT now because as you say scammers and criminals will not go away and it works. If you file the right complaint.

Good to hear you got results.

I learned a long time ago shit flows downhill FAST.

xxx6live · 11-25-2017, 05:02 AM

Quote:

Originally Posted by Brad Mitchell

I'm not technical like the rest of our team here.. so hopefully I don't mangle this-

The feedback I'm hearing internally here is that Java code is the best way to address it. While it may need to be addressed on a case by case basis, writing a piece of code like that or to break the Iframe has been the solution we have used for more difficult ones.

Yes, this works perfect most of the times.

But: one site of mine did not react to the javascript. They had learnt to use the

Code:

<iframe sandbox ...>

tag which stops script execution in the iframe, so the javascript in my iframed site was never being executed.

JuicyBunny · 11-25-2017, 05:29 AM

Quote:

Originally Posted by SIK

I've had my sites heavily affected by this shit over the years.

You'll probably call me crazy but - http://www.clone-site.com - I wrote all that in a day.

Will expand on it during the following days, and I'm actually going to clone a few sites on subdomains, just to demonstrate it all.

Silly as it can be, but my goal is to get this shit recognized as an issue and to get google to provide some kind of "report tool" for affected sites.

Yeah, I know - but I'm an optimist.

Love the site. Very helpful.

You and Barry should hook up and create a solution to kill these fuckers.
Its obvious Google is less than receptive to helping.

JuicyBunny · 11-25-2017, 05:34 AM

Quote:

Originally Posted by Brad Mitchell

I'm not technical like the rest of our team here.. so hopefully I don't mangle this-

The feedback I'm hearing internally here is that Java code is the best way to address it. While it may need to be addressed on a case by case basis, writing a piece of code like that or to break the Iframe has been the solution we have used for more difficult ones. A clever hacker can work around Java obfuscation, too, though. One of our techs says "I've broken down sucuri's java obfuscation with a simple PHP script and a system call to the `node` java interpreter."

Sincerely,

Brad

Thats great advice. Your techs have been very helpful to us.
Still, we need a solution for people who are scraping and downloading our content to their sites. So far, no cure for that except to complain to cloudflare and the registries.
I'd like to block these guys before they create issues.

09-12-2017, 08:50 AM	#1
k0nr4d Confirmed User Industry Role: Join Date: Aug 2006 Location: Poland Posts: 9,228	Website cloning via proxy The topic of website cloning has been coming up lately. I've figured out how people are doing it. This is in regards to the complete clone domains, not sites that have your site mirrored in a directory somewhere. There might be more ways to do this, this is what i've encountered though. There are two variants, first via cloudflare: 1) Your website is added by someone to cloudflare, presumably as a cname - or possibly cnaming a domain that's not on cloudflare that has your domain as a cname. 2) They add the "Add Content" or Add HTML" App within cloudflare, which allows them to append content to your html on all pages. 3) There is another app somewhere in cloudflare that lets you replace words. So in this case, they were replacing clientsdomain.com with clonedomain.com. This really did my head in - $_SERVER['HTTP_HOST'] was returning clonedomain.com. In reality, the script was returning clientsdomain.com and replacing the word "clientsdomain.com" with "clonedomain.com". Literally, you could "clientsdomain.com into a text file, request it via the other domain and it outputted as "clonedomain.com" 4) The replacing of the domain I cannot figure out yet. I don't know how this is done, I can't find any cloudflare app that lets me do this but I suspect it's maybe done using JS somehow in that Add HTML App. the second method is via nginx/varnish and THEN cloudflare in which case they do the find/replace and content adding via their server and then pass it along to cloudflare. In this case it may be possible to honeypot the proxy server by placing a new file, hitting it via the proxy domain and seeing what ip comes up in your server logs. The only way I can think of bypassing this, is by doing javascript like this: Code: <script> if(window.location.href.indexOf("yourd"+"omain.com") < 0) { window.location("http://yourd"+"omain.com"); } </script> or by completely shit-listing the cloudflare IPs on your server (in which case you won't be able to use cloudflare yourself): 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 104.16.0.0/12 108.162.192.0/18 131.0.72.0/22 141.101.64.0/18 162.158.0.0/15 172.64.0.0/13 173.245.48.0/20 188.114.96.0/20 190.93.240.0/20 197.234.240.0/22 198.41.128.0/17 Hope this helps someone __________________ Mechanical Bunny Media Mechbunny Tube Script \| Mechbunny Webcam Aggregator Script \| Custom Web Development

09-12-2017, 09:33 AM	#2
Adraco Confirmed User Industry Role: Join Date: May 2009 Location: Onboard an airplane around the globe Posts: 3,733	Very nice explanation and most impressed by your level of knowledge to be able to figure this way out! Thanks for posting this Konrad! __________________ ---------------------------------------------------------------------------------- The truth is not affected by the beliefs, or doubts, of the majority.

09-12-2017, 10:12 AM	#3
sarettah see you later, I'm gone Industry Role: Join Date: Oct 2002 Posts: 14,055	Good post K0nr4d, excellent break down of what it is. Thanks . __________________ All cookies cleared!

09-12-2017, 10:18 AM	#4
bns666 Confirmed Fetishist Industry Role: Join Date: Mar 2005 Location: Fetishland Posts: 11,521	cool, thanx __________________ ⭐ CAM SODA ⭐ STRIPCHAT ⭐ ⭐ CHATURBATE ⭐ X LOVE CAM ⭐

09-12-2017, 11:44 AM	#14
Barry-xlovecam It's 42 Industry Role: Join Date: Jun 2010 Location: Global Posts: 18,083	Pretty much everyone agrees now that search engines CAN read JavaScript. Code: <script language="javascript"> <!-- // == Begin Free HTML Source Code Obfuscation Protection from http://snapbuilder.com == // document.write(unescape('%3C%6C%69%6E%6B%20%72%65%6C%3D%22%63%61%6E%6F%6E%69%63%61%6C%22%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%65%78%61%6D%70%6C%65%2E%63%6F%6D%2F%77%6F%72%64%70%72%65%73%73%2F%73%65%6F%2D%70%6C%75%67%69%6E%2F%22%3E')); //--> </script> Assuming you are right that text substitution is being used -- how are you going to read and substitute this? If you are a secret-agent you could grep and decode somehow i suppose -- what does this say -- just run the code in phantomjs. That is the way i might scrape the page. if you broke the JS code with + maybe it might fool the substitution but if you really want to get down to it echo or cat (<input>)\|sed 's/\n//g' then .... Code: echo '<script>if(window.location.href.indexOf("yourd"+"omain.com") < 0) { window.location("http://yourd"+"omain.com"); }</script>' \|egrep -o ".{0,20}\(window\.location\.href.{0,20}" \|sed 's/window/you are fucked now/g' <script>if(you are fucked now.location.href.indexOf("yourd"+"om fuckup the frame breaker JS Sure as fuck won't hurt to try rel=canonical .

09-12-2017, 10:23 AM	#5
Barry-xlovecam It's 42 Industry Role: Join Date: Jun 2010 Location: Global Posts: 18,083	Thats what I was thinking their method was 'like' Blocking Cloudflare IPs on servers EXCEPT where specifically needed is a good idea. SAMEORIGIN would not help in this scenario. Cloudflare needs to police their clients better -- copyright infringement and fraud most likely are Cloudflare TOS violations. Thanks for looking into this Konrad. BTW a 302 -301 domain redirection will work -- maybe even a page redirection -- this is working for lifeselector -- planed or not.

09-12-2017, 10:38 AM	#9
Barry-xlovecam It's 42 Industry Role: Join Date: Jun 2010 Location: Global Posts: 18,083	Do that lifeselector link on that page and look at the headers. Fluke maybe but it goes to a password protected page The clone renders a blank page for affiliates.lifeselector and the password page is on another subdomain name 'assist'. The wrong CNAME maybe? The problem is scumbags using Cloudlare for bad purposes. If Cloudflare does not clean up their act the USDOJ will eventually. I am not asserting any complicity on Cloudflare's part but if they abandoned their free service and made it a 30 trial with a low cost for small users -- then the scumbags would not use it because payment data is traceable and can be subpoenaed.

09-12-2017, 11:00 AM	#11
Barry-xlovecam It's 42 Industry Role: Join Date: Jun 2010 Location: Global Posts: 18,083	In this case the framing is not malicious notwithstanding the SEO imprecations. so use an obfuscated canonical tag rel=canonical to identify were the REAL site/domain is Every site stealing SERPs I checked for xlovecam was using Cloudflare to obscure their host server. Every 'claimed' free password site or free tokens or credits site/domain was trying to hide behind Cloudflare. If it was to big of a problem, and worth the expense, we could sue the domain owners and subpoena Cloudflare. I have absolutely no problem with servers using Cloudflare for its intended purpose -- mitigating ddos attacks and security filtering.

09-12-2017, 11:04 AM	#12
mikeworks Confirmed User Join Date: Apr 2010 Posts: 272	Thanks Konrad for sharing your information. It's probably one of the biggest problems at the moment. I disavow them, but they must obviously still benefit from google and/or harm original site.

09-12-2017, 04:07 PM	#15
Bladewire StraightBro Industry Role: Join Date: Aug 2003 Location: Monarch Beach, CA USA Posts: 56,232	Excellent info thanks!

09-12-2017, 04:35 PM	#16
Smut-Talk I talk smut Industry Role: Join Date: Jul 2016 Location: Somewhere on the webz Posts: 176	Nice info for sure... On the defensive of your site: You can do a lot with htaccess. FI: I use htaccess to stop hotlinking, put a redirect to a goatsie in it... Barry, as promised on icq: to "help" with scriptkiddies with scanning, i came across this: !you can ZIP bomb a vuln scanner! ZIP compression is really good with repetitive data so if you have a really huge text file which consists of repetitive data like all zeroes, it will compress it really good. It can compress a 4.5 peta byte (4.500.000 giga bytes) file down to 42 kilo bytes. When a browser/scanner extracts or decompresses the content it will most likely run out of disk space or RAM. So firstly create a 10 giga byte GZIP file, or bigger, filled with zeroes. And secondly a PHP script that will deliver it to a client. Code: <?php $agent = filter_input(INPUT_SERVER, 'HTTP_USER_AGENT'); //check for nikto, sql map or "bad" subfolders which only exist on wordpress if (strpos($agent, 'nikto') !== false \|\| strpos($agent, 'sqlmap') !== false \|\| startswith($url,'wp-') \|\| startswith($url,'wordpress') \|\| startswith($url,'wp/')) { sendBomb(); exit(); } function sendBomb(){ //prepare the client to recieve GZIP data. This will not be suspicious //since most web servers use GZIP by default header("Content-Encoding: gzip"); header("Content-Length: ".filesize('10G.gzip')); //Turn off output buffering if (ob_get_level()) ob_end_clean(); //send the gzipped file to the client readfile('10G.gzip'); } function startsWith($a, $b) { return strpos($a, $b) === 0; } source: https://blog.haschek.at/post/f2fda __________________ This is my awesome signature! if you really have to, you can use: smuttalk-that apple thingy-websmut.com Don't forget to mention GFY in the subject!

09-12-2017, 05:16 PM	#18
CaptainHowdy Too lazy to set a custom title Industry Role: Join Date: Dec 2004 Location: Happy in the dark. Posts: 92,999	All hail k0nr4d ... __________________ FLASH SALE INSANITY! deal with a 100% Trusted Seller Buy Traffic Spots on a High-Quality Network 1 Year or Lifetime — That’s Right, Until the Internet Explodes!

09-13-2017, 04:14 AM	#19
Craft Confirmed User Industry Role: Join Date: Oct 2015 Posts: 169	Anyone knows how to check if your site is cloned ?

09-13-2017, 04:44 AM	#20
Paul&John Confirmed User Industry Role: Join Date: Aug 2005 Location: YUROP Posts: 8,595	Nice info k0nr4d! __________________ Use coupon 'pauljohn' for a $1 discount at already super cheap NameSilo! Anal Webcams \| Kinky Trans Cams Live \| Hotwife XXX Tube \| Get your Proxies here

09-13-2017, 06:10 AM	#21
CaptainHowdy Too lazy to set a custom title Industry Role: Join Date: Dec 2004 Location: Happy in the dark. Posts: 92,999	Bump for a great thread ... __________________ FLASH SALE INSANITY! deal with a 100% Trusted Seller Buy Traffic Spots on a High-Quality Network 1 Year or Lifetime — That’s Right, Until the Internet Explodes!

09-13-2017, 10:19 AM	#23
RazorSharpe Confirmed User Industry Role: Join Date: Aug 2001 Location: Scotland Posts: 2,238	Have a very similar issue. This is the offender's site: (google cache version) https://webcache.googleusercontent.c...&ct=clnk&gl=uk This is mine: https://www.projectvoyeur.com He has cloned over 100K pages on my site and counting. I contacted cloudflare who responded with their party line about not being the host so I was dead in the water. Previously, when contacting google (DMCA), they have taken action on sites like this. This time however, they did pretty much nothing. The fact that this person is cloning my site and then serving cloaked pages (which is why I showed the cached version above), didn't seem to bother the folk at Google at all. So I kinda figured I was stuck with this. __________________ Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.

09-13-2017, 09:01 PM	#24
TrafficTitan Confirmed User Industry Role: Join Date: Nov 2012 Posts: 350	Google is too dumb to understand their cloaking. DMCA sometimes work but not always. Can you DMCA an entire domain? Does anybody have a good standardized message to send to google that works? Has anybody come up with a rock solid way to stop them? I've already implemented banning all cloudflare IPs. One way that does work if you DMCA cloudflare they will cough up the origin host. Then if you DMCA the origin host it frequently gets shut down. It would be great if there was a pro-active way to just prevent it though. The JS canonical seems interesting. In addition to the clones I also see people scraping everyone's titles and throwing them up on a BS site which always redirects to a random tube or advertiser from google serps. __________________ https://www.hentaicity.com/ \| http://www.traffictitan.com/

09-13-2017, 11:35 PM	#25
Lewis11 Confirmed User Industry Role: Join Date: May 2016 Posts: 400	Nice info!

09-14-2017, 07:17 AM	#26
sarettah see you later, I'm gone Industry Role: Join Date: Oct 2002 Posts: 14,055	Bump for business . __________________ All cookies cleared!

09-14-2017, 08:06 AM	#27
wocnom Confirmed User Industry Role: Join Date: Jan 2013 Posts: 132	I think there are like 3 possible ways to fight them. Notify about what they are doing: their domain registrar hosting they are using AND cloudflare google Combine all of them is the best way I suppose. I think it's possible to use DMCA in all three cases.

09-14-2017, 08:21 AM	#28
Barry-xlovecam It's 42 Industry Role: Join Date: Jun 2010 Location: Global Posts: 18,083	Go to the registry and hit them with the sledgehammer.

09-14-2017, 09:01 AM	#29
TrafficTitan Confirmed User Industry Role: Join Date: Nov 2012 Posts: 350	If you contact the domain registrar does that actually do anything? I've never tried DMCA'ing the registrar. __________________ https://www.hentaicity.com/ \| http://www.traffictitan.com/

09-14-2017, 09:15 AM	#30
Barry-xlovecam It's 42 Industry Role: Join Date: Jun 2010 Location: Global Posts: 18,083	The REGISTRY not the Registrar -- shit flows downhill -- you have never worked in the corporate world? You go right to the COB or the CEO's office -- shit happens fast when you pull a tiger's tail. Pay an Attorney to write the letter to the COB and send it Certified mail or by DHL (if overseas) -- the shit will hit the fans.

09-14-2017, 10:47 PM	#31
Craft Confirmed User Industry Role: Join Date: Oct 2015 Posts: 169	Thes works On the top of .htaccess files add this. "Header always append X-Frame-Options SAMEORIGIN"

09-14-2017, 10:59 PM	#32
kmanrox aka K-Man Industry Role: Join Date: Oct 2001 Location: The Gutter Posts: 29,282	Or via a custom scraper made in PHP that uses a pool of rotating client proxies, random, periodically. __________________ Crypto HODLr Crypto mining Angel investor

09-26-2017, 03:19 AM	#35
CrazyMartin Confirmed User Join Date: Jan 2009 Posts: 338	Js script is ugly and sometimes hard to do (put Js on every page) its much better redirect 301 or serve special page for scammer IPs Cloudflare IPS never Access your site so redirect based on Cloudflare id useless They use additional proxy and then sends to Cloudflare SO Just grabb proxy IP by puting on your page PHP script that display Client IP and configure webserver to serve special page for particulal ip

11-22-2017, 12:44 AM	#37
JuicyBunny So Fucking Banned Industry Role: Join Date: Jun 2010 Location: Tokyo Red Light District Posts: 2,145	I got it. Thanks!

11-23-2017, 12:33 AM	#38
Brad Mitchell Confirmed User Industry Role: Join Date: Nov 2001 Location: Southfield, MI Posts: 9,811	What a great thread and a good read. Excellent digging Konrad! Great additions from others, too. GFY could be greater than MAGA with more useful threads like this. Brad __________________ President at MojoHost \| brad at mojohost dot com \| Skype MojoHostBrad 71 industry awards for hosting and professional excellence since 1999

11-23-2017, 01:10 AM	#39
Bladewire StraightBro Industry Role: Join Date: Aug 2003 Location: Monarch Beach, CA USA Posts: 56,232	__________________ Skype: CallTomNow

11-23-2017, 04:57 AM	#40
MKA Hey... Industry Role: Join Date: Nov 2011 Location: NL Posts: 545	So many opinions in one thread, so what is the best solution?

11-23-2017, 07:00 AM	#41
Barry-xlovecam It's 42 Industry Role: Join Date: Jun 2010 Location: Global Posts: 18,083	The solution is for dumb-ass Google to delist them. Dense users need be more aware of the browser address location bar. You cannot stop crime or scammers -- that has been proven over and over historically. Every registry (where the registrar buys the names they sell you) has a AUP and TOS and will (or should ) accept certified mail or a FedEx / DHL overnight letter with a complaint at their PHYSICAL ADDRESS. ICANN says they need a physical address to accept mail at -- do the legwork yourself or hire a lawyer (or other qualified person) to do it for you.

11-24-2017, 12:40 AM	#43
k0nr4d Confirmed User Industry Role: Join Date: Aug 2006 Location: Poland Posts: 9,228	What about putting some super unique piece of text on your site and using google search api to check if it exists on any other domain to check if anyone has done this to your site? __________________ Mechanical Bunny Media Mechbunny Tube Script \| Mechbunny Webcam Aggregator Script \| Custom Web Development

11-24-2017, 03:08 PM	#45
SIK Confirmed User Join Date: Dec 2006 Posts: 1,497	I've had my sites heavily affected by this shit over the years. You'll probably call me crazy but - http://www.clone-site.com - I wrote all that in a day. Will expand on it during the following days, and I'm actually going to clone a few sites on subdomains, just to demonstrate it all. Silly as it can be, but my goal is to get this shit recognized as an issue and to get google to provide some kind of "report tool" for affected sites. Yeah, I know - but I'm an optimist. __________________ ¤´¨) ¸.•´¸.•´¨) ¸.•¨) (¸.•´ (¸.•`¤ICQ:491 496 482

11-24-2017, 03:22 PM	#46
Brad Mitchell Confirmed User Industry Role: Join Date: Nov 2001 Location: Southfield, MI Posts: 9,811	I'm not technical like the rest of our team here.. so hopefully I don't mangle this- The feedback I'm hearing internally here is that Java code is the best way to address it. While it may need to be addressed on a case by case basis, writing a piece of code like that or to break the Iframe has been the solution we have used for more difficult ones. A clever hacker can work around Java obfuscation, too, though. One of our techs says "I've broken down sucuri's java obfuscation with a simple PHP script and a system call to the `node` java interpreter." Sincerely, Brad __________________ President at MojoHost \| brad at mojohost dot com \| Skype MojoHostBrad 71 industry awards for hosting and professional excellence since 1999