Question What is this? http://gbatemp.gukovo.org/

  • Thread starter: d0k3
  • Views: 9,721
  • Replies: 52
  • Likes: 3
Yeah do not use your login data on clone sites. It is not a good plan.

They appear to be on different IPs and looking at the source it looks like an odd mirror (the copy is missing various indentation and layout). The domain uses some kind of privacy blocking for whois requests (somewhere in Australia but mine are based in Canada so that means nothing).

It could still be a mirror spammer that stepped out of a time machine from 2008 but I really did think most of those went away outside China. If I had to guess some web developer somewhere is having some fun with http://curl.haxx.se/ or something similar and used GBAtemp as a test site, though the adfly link in the source makes me wonder if it is not instead a kind of proxy/mirror type site to access things at work/school and maybe gain some monies along the way when shared with their mates. The IP I get from it traces back to cloudflare but such things are often free with basic hosting so I am not going to go too much further there. The domain itself also appears to be on email blacklists too. I am not invested enough in this to do the full hacker workup/analysis.
 
Look at that - they even go the extra mile and replace all occurrences of "gbatemp.net" with "gbatemp.gukovo.org":
gbatemp.png


On another note, our user accounts don't seem to work there. I entered my username with a wrong password and got the sign up form.
 
Looking at this site, it seems to be a caching proxy of some kind - I would assume Squid or Varnish - with some rewrite logic, hooked up directly to Cloudflare for obfuscating its origin. Making requests to its copy of the login page redirects to the Registration page which is indicative of it not actually making backend requests so I would assume that it's actually fairly harmless. Possibly a ploy to mess with SEO, or as FAST said someone trying to bypass a URL filter?
 
If you find him using any ads on your mirrored site view the source code to find the ad code and then contact the ad networks he is using and this will prevent him from profiting off it. As for copying the site, not much we can do but report him to Google and his web host or you could also issue DMCA notices against his site as well. He is ripping off mostly gaming related sites and basically steals all their traffic and profits off it.
 
If you find him using any ads on your mirrored site view the source code to find the ad code and then contact the ad networks he is using and this will prevent him from profiting off it. As for copying the site, not much we can do but report him to Google and his web host or you could also issue DMCA notices against his site as well. He is ripping off mostly gaming related sites and basically steals all their traffic and profits off it.
Let me guess, they copied your site too?
 
They did the same with my site (nicoblog). I'm all ears on how to stop them.

Edit: I've asked cloudflare for their real hosting.
Surely you could discover their IP since they have got your site. Just add some random file to the webserver, and access it through the proxy/whatever it is. Then check the logs on what accessed that file.
 
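The log check suggested in the post above, sketched as an added example (not part of the original thread): a site owner publishes a file at an unguessable path, requests it once through the mirror, then lists which addresses fetched it. It assumes Combined Log Format access logs; the canary path, log lines and IP addresses are constructed (RFC 5737 documentation ranges).

```python
import re
import secrets
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def new_canary_path(prefix="/canary-"):
    """Unguessable path: nothing should request it unless it was told to."""
    return f"{prefix}{secrets.token_hex(8)}.txt"

def canary_hits(log_lines, canary_path, own_ips=()):
    """Map source IP -> [(time, user agent)] for requests to the canary,
    skipping addresses known to be ours (e.g. the owner's own browser)."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or differently formatted line
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if path == canary_path and m["ip"] not in own_ips:
            hits[m["ip"]].append((m["time"], m["agent"]))
    return dict(hits)

# Constructed sample: the owner (203.0.113.10) checks the file directly, then
# loads it via the mirror, whose backend (192.0.2.44) fetches it from our server.
CANARY = "/canary-3f9a1c0de4b27788.txt"
SAMPLE_LOG = [
    '198.51.100.7 - - [23/Jan/2016:10:30:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [23/Jan/2016:10:31:12 +0000] "GET /canary-3f9a1c0de4b27788.txt HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [23/Jan/2016:10:31:40 +0000] "GET /canary-3f9a1c0de4b27788.txt HTTP/1.0" 200 12 "-" "-"',
    '192.0.2.44 - - [23/Jan/2016:10:31:41 +0000] "GET /canary-3f9a1c0de4b27788.txt?x=1 HTTP/1.0" 200 12 "-" "-"',
]

if __name__ == "__main__":
    found = canary_hits(SAMPLE_LOG, CANARY, own_ips={"203.0.113.10"})
    for ip, seen in found.items():
        print(ip, len(seen), "request(s), first at", seen[0][0])
```

If your own site sits behind a CDN or reverse proxy, the logged address is the edge node unless the server is configured to log the forwarded client address.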
If you find him using any ads on your mirrored site view the source code to find the ad code and then contact the ad networks he is using and this will prevent him from profiting off it. As for copying the site, not much we can do but report him to Google and his web host or you could also issue DMCA notices against his site as well. He is ripping off mostly gaming related sites and basically steals all their traffic and profits off it.
You made an account here just to say they suck? xD
 
My account doesn't work. Registration is broken and doesn't work.
So, how is anyone supposed to do anything?
But now they have your password. I expect your account will be making posts about male enhancement pills any day now.
 
Sorry for doublepost but I think it's important to announce they stopped doing it for both gbatemp and nicoblog! http://gbatemp.gukovo.org/ now redirects to another site. They are still doing it for other websites though.

Seems solved!
 
Heh that must have been recent as I stumbled across this thread the other day.

Anyway same setup. Domain privacy, Cloudflare hosted and mirroring/editing, though I did not see an adfly link this time. No time or desire to do a full workup. If you want to speak to Cloudflare again then by all means go for it.


Code:
ping gbatemp.gukovo.org
PING gbatemp.gukovo.org (104.27.153.105) 56(84) bytes of data.
64 bytes from 104.27.153.105: icmp_seq=1 ttl=57 time=7.13 ms
64 bytes from 104.27.153.105: icmp_seq=2 ttl=57 time=7.49 ms
^C64 bytes from 104.27.153.105: icmp_seq=3 ttl=57 time=7.82 ms

--- gbatemp.gukovo.org ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 10081ms
rtt min/avg/max/mdev = 7.136/7.483/7.823/0.289 ms
whois 104.27.153.105

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# http://www.arin.net/public/whoisinaccuracy/index.xhtml
#


#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=104.27.153.105?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#

NetRange:       104.16.0.0 - 104.31.255.255
CIDR:           104.16.0.0/12
NetName:        CLOUDFLARENET
NetHandle:      NET-104-16-0-0-1
Parent:         NET104 (NET-104-0-0-0-0)
NetType:        Direct Assignment
OriginAS:       AS13335
Organization:   CloudFlare, Inc. (CLOUD14)
RegDate:        2014-03-28
Updated:        2015-10-01
Comment:        https://www.cloudflare.com
Ref:            http://whois.arin.net/rest/net/NET-104-16-0-0-1



OrgName:        CloudFlare, Inc.
OrgId:          CLOUD14
Address:        101 Townsend Street
City:           San Francisco
StateProv:      CA
PostalCode:     94107
Country:        US
RegDate:        2010-07-09
Updated:        2015-10-08
Comment:        http://www.cloudflare.com/
Ref:            http://whois.arin.net/rest/org/CLOUD14


OrgNOCHandle: NOC11962-ARIN
OrgNOCName:   NOC
OrgNOCPhone:  +1-650-319-8930 
OrgNOCEmail:  [email protected]
OrgNOCRef:    http://whois.arin.net/rest/poc/NOC11962-ARIN

OrgAbuseHandle: ABUSE2916-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-650-319-8930 
OrgAbuseEmail:  [email protected]
OrgAbuseRef:    http://whois.arin.net/rest/poc/ABUSE2916-ARIN

OrgTechHandle: ADMIN2521-ARIN
OrgTechName:   Admin
OrgTechPhone:  +1-650-319-8930 
OrgTechEmail:  [email protected]
OrgTechRef:    http://whois.arin.net/rest/poc/ADMIN2521-ARIN

RTechHandle: ADMIN2521-ARIN
RTechName:   Admin
RTechPhone:  +1-650-319-8930 
RTechEmail:  [email protected]
RTechRef:    http://whois.arin.net/rest/poc/ADMIN2521-ARIN

RAbuseHandle: ABUSE2916-ARIN
RAbuseName:   Abuse
RAbusePhone:  +1-650-319-8930 
RAbuseEmail:  [email protected]
RAbuseRef:    http://whois.arin.net/rest/poc/ABUSE2916-ARIN

RNOCHandle: NOC11962-ARIN
RNOCName:   NOC
RNOCPhone:  +1-650-319-8930 
RNOCEmail:  [email protected]
RNOCRef:    http://whois.arin.net/rest/poc/NOC11962-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# http://www.arin.net/public/whoisinaccuracy/index.xhtml
#


whois gukovo.org
Domain Name: GUKOVO.ORG
Domain ID: D170153720-LROR
WHOIS Server:
Referral URL: http://www.PublicDomainRegistry.com
Updated Date: 2015-12-18T15:17:29Z
Creation Date: 2013-11-12T05:56:32Z
Registry Expiry Date: 2016-11-12T05:56:32Z
Sponsoring Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Sponsoring Registrar IANA ID: 303
Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
Registrant ID: PP-SP-001
Registrant Name: Domain Admin
Registrant Organization: Privacy Protection Service INC d/b/a PrivacyProtect.org
Registrant Street: C/O ID#10760, PO Box 16
Registrant Street: Note - Visit PrivacyProtect.org
Registrant Street: to contact the domain owner/operator
Registrant City: Nobby Beach
Registrant State/Province: Queensland
Registrant Postal Code: QLD 4218
Registrant Country: AU
Registrant Phone: +45.36946676
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: [email protected]
Admin ID: PP-SP-001
Admin Name: Domain Admin
Admin Organization: Privacy Protection Service INC d/b/a PrivacyProtect.org
Admin Street: C/O ID#10760, PO Box 16
Admin Street: Note - Visit PrivacyProtect.org
Admin Street: to contact the domain owner/operator
Admin City: Nobby Beach
Admin State/Province: Queensland
Admin Postal Code: QLD 4218
Admin Country: AU
Admin Phone: +45.36946676
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: [email protected]
Tech ID: PP-SP-001
Tech Name: Domain Admin
Tech Organization: Privacy Protection Service INC d/b/a PrivacyProtect.org
Tech Street: C/O ID#10760, PO Box 16
Tech Street: Note - Visit PrivacyProtect.org
Tech Street: to contact the domain owner/operator
Tech City: Nobby Beach
Tech State/Province: Queensland
Tech Postal Code: QLD 4218
Tech Country: AU
Tech Phone: +45.36946676
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: [email protected]
Name Server: ANNA.NS.CLOUDFLARE.COM
Name Server: JACK.NS.CLOUDFLARE.COM
DNSSEC: unsigned
>>> Last update of WHOIS database: 2016-01-23T10:32:04Z <<<

"For more information on Whois status codes, please visit https://icann.org/epp"

Access to Public Interest Registry WHOIS information is provided to assist persons in determining the contents of a domain name registration record in the Public Interest Registry registry database. The data in this record is provided by Public Interest Registry for informational purposes only, and Public Interest Registry does not guarantee its accuracy. This service is intended only for query-based access. You agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to(a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or (b) enable high volume, automated, electronic processes that send queries or data to the systems of Registry Operator, a Registrar, or Afilias except as reasonably necessary to register domain names or modify existing registrations. All rights reserved. Public Interest Registry reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy.
 
