Post by Dunald » Mon May 29, 2017 5:26 pm

Hi!
I need to make < base href = " < ? php echo $ base ; ? > " /> in my header become my sites URL. Everytime and allways.

The php echo in header.tpl makes this my sites URL when I visit my site but my problem is that another site is making a mirror-site out of my site and somehow pointing the php echo to that false URL making every link on there site having their URL in it with links to my products and images. Instead of www.mysite.com/myproductpage it is www.fakesite.com/myproductpage. But it is stil my site, place a order and I get a order. The problem is that they only link to this site in Google search and when following the link with my company name and productname you se porn!
I noticed that my sales droped and customers asked me if my site was hacked. My host say my site is clean of malware and that this other site probably is using an invisible frame with my site in it. They can not help me....

If I am able to write http://www.mysite . com in the php echo instead of letting the php echo fetch this from somewhere else. I think I would be able to stop this fake site from using my site for clickbait.

I have been searching this forum and google and youtube for the last week to find an answer, does anyone have any idea how to force the base url to be my sites url and no other? Or any other way to prevent a live-frame mirror of my site?
I use an old 1.4.9.3 OC and was happy with this since my ranking at Google is really high, many of my produts are top 3 at Google. No 4 is the fake site that uses my company name and the name of my products, it is easy to click the wrong link....

Is there a easy way to find out what IPs are visiting my OC 1.4.9.3 shop? Maybe I can block the IP that is visible when the fake site is using that mirror in the site. My host say they can not help me and that there is no logs with Ip numbers.

The "funny" thing about this is that I probably can verify this fake site as my own at Google webmaster tools because if I but the verification code in my www.mysite.com/verificationcode it is also visible at www.fakesite.com/verificationcode. Then I might be ably to
temporarily block access to the search results in Google search (for 90 days at a time) But that is my last resort, I do not want Google to think that I own spamsites and I want to solve this and prevent it from happen again.

I do think that it is a OC issue since the header that I see when visiting the fake site (not using Google search) are identical to my my header with the only difference that the base URL is diffrent.

Can I somehow use my base URL that is not generated from somewhere but instead that I use my site URL permanent at the php echo?

Thanks
Last edited by Dunald on Thu Aug 17, 2017 3:42 am, edited 2 times in total.

Active Member

Posts

Joined
Tue Mar 15, 2011 9:05 pm

Post by uksitebuilder » Mon May 29, 2017 6:39 pm

If they are using your site within a frame, you can get your host to set the HTTP Header Field X-Frame-Options to sameorigin

This will stop anyone putting your site inside a frame

ImageImageImageImageImage

For Friendly Professional Support - Click Here


User avatar
Guru Member

Posts

Joined
Thu Jun 09, 2011 11:37 pm
Location - United Kindgom

Post by Dunald » Tue May 30, 2017 7:39 am

Thanks;

I did try this the other day in my .htaccess but that did not work:
<IfModule mod_headers.c>
Header set X-Frame-Options DENY
<FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
Header unset X-Frame-Options
</FilesMatch>
</IfModule>

I then talked to my host and they told me to only put this in my .htaccess (intead of the other longer one) : Header set X-Frame-Options SAMEORIGIN

But the site http://senrier.gq/ is still using my site in the frame.

Because it is a frame or how can they show my site using their Url?

Active Member

Posts

Joined
Tue Mar 15, 2011 9:05 pm

Post by Dunald » Tue May 30, 2017 7:55 am

If I go to that fake site and look at the View-source I can see this:
<head>
<meta name="google-site-verification" content="MY GOOGLE VERIFICATION CODE!" />
<title>MY COMPANY NAME</title>
<meta name="description" content="MY DESCRIPTION OF MY SITE" />
<base href="https://senrier.gq/" />
<link href="https://senrier.gq/image/data/favicon1516.png" rel="icon" />
<link rel="stylesheet" type="text/css" href="catalog/view/theme/default/stylesheet/stylesheet.css" />
----
Every link/url that was www.mysite.com is now www.fake-site.com and if I edit a product and add www.mysite.com to the description of that product it looks like www.mysite.com but the link goes to www.fake-site.com instead. Still, it is my site and if I make a order using the fake site I get a order in my sites Admin and a mail.

My main issue is that every product, every description and now every picture from this fake site now is on Google search and my customers that click a link with my products name and my company name (but fake-site url) does not come to the mirro-site / fake site, instead a script at https://senrier.gq opens another spam-site in a frame and that spam-site is porn and spam... I have told Google this but as I said the links are still there and the fake-site is still having my site in their site...

Any other ideas how to solve this would be higly appreciated, my idea was to make the < base href = " < ? php echo $ base ; ? > " /> in my header become my sites URL by force so that no other site can use their URL. But I do not know if this can be done ore how, I only want to prevent the fake site or any other spamsites to have access to my site in their URL.

Active Member

Posts

Joined
Tue Mar 15, 2011 9:05 pm

Post by IP_CAM » Tue May 30, 2017 8:04 am

just to mention is, this here will probably not function as it should, by use of 3 slashes in row !
Ernie
Last edited by IP_CAM on Thu Nov 09, 2017 8:48 pm, edited 1 time in total.

Ernie's OpenCart v.1.5.6.5 LIGHT + OpenShop Admin v.1.75 Test Sites
http://www.ebikes.li - http://www.evelo.li - http://www.openshop.li
Image


User avatar
Guru Member

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by uksitebuilder » Tue May 30, 2017 3:20 pm

Well, taking a look at their URL now that you have posted it, they are not using an frame.

What they might be doing is scraping your site.

Please see the following URL which may be of help in stopping them. You can contact Google and issue a DCMA takedown with them to remove any pages they have copied

https://blog.sucuri.net/2016/04/cloned- ... -serp.html

ImageImageImageImageImage

For Friendly Professional Support - Click Here


User avatar
Guru Member

Posts

Joined
Thu Jun 09, 2011 11:37 pm
Location - United Kindgom

Post by Dunald » Tue May 30, 2017 10:35 pm

Thanks for your answers.
Ernie/IP_CAM : href="https:/// is from the source-view when I visit my site or the fake site. OC 1.4.9.3

uksitebuilder : Thanks for the link, I allready seen this and this is part two of my problem. They use my products and links. But my first problem is that the site is able to access my site and putting my site at their site with wrong URL.

The fake URL site is not scraped.

Everything I do at my site is done at the fake site. If I delete a product it is deleted in fake store, if I add product the fake site has that product same time I press save-button. If someone is making a order at the fake-url site I get a orderconf-mail. If I add a file in my FTP and visit that file using www.fake-site/new-file I see my new file.
It IS my shop but only with wrong url.

Can they use a script to mirror my site? How can they put my site in their site if it is not a frame?
If this can happen to me it might happen to anyone, how can I stop this from happening and how can we prevent this to happen to anyone else?
Last edited by Dunald on Thu Jun 08, 2017 8:35 pm, edited 1 time in total.

Active Member

Posts

Joined
Tue Mar 15, 2011 9:05 pm

Post by MrPhil » Tue May 30, 2017 10:51 pm

If they're under a different domain name, yet linking to your content, have you tried hotlink protection? Normally this is used for just images, but you can modify it to block all access from the fake site:

Code: Select all

RewriteEngine On
# whitelist of sites ALLOWED to access your content
RewriteCond %{HTTP_REFERER} !^http://(www\.)?YOURSITE\.com(/)?.*$     [NC]
# add more RewriteConds with other sites (domains) you want to access content
RewriteRule ^  - [F,NC]
This works for Apache servers, and may have to be modified for other servers.

Now, note that if the other site is actually including your entire site via an iframe (or frame?), the HTTP_REFERER may still be your site, not the fake site (and thus this won't work). But, it's simple and may be worth a try.

Active Member

Posts

Joined
Wed May 10, 2017 11:52 pm

Post by Dunald » Wed May 31, 2017 7:46 am

Hi MrPhil I tried your code adding my site in the url (correct?) but it did not work.
Please have a look at the fake site www.senrier.gq and you will see my entire site (no spam or porn as this is my site). The spam/porn is a Google issue and even if it is a big problem I have filed a complaint to Gooogle and hope they remove this links soon.
If you look at the "view-source" you will find:
<meta name="google-site-verification" content="My Google verifikation code" />
<title>My Company name</title>
<meta name="description" content="My store description" />
<base href="https:///senrier.gq/" />
<link href="https:///senrier.gq/image/data/favicon1516.png" rel="icon" />
<link rel="stylesheet" type="text/css" href="catalog/view/theme/default/stylesheet/stylesheet.css" />

etc etc every URL in the source that should have www.mysite.se in it has the fake URL instead.

If you would visit my site it would look the same but with my URL instead of senrier.gq

The issue might be the opposit of hotlinks since a hotlink is in a "www.bad-site.com" and having links to "www.my-site.com" but the issue here is that there are no links to my site from www.senrier.gq. Even if I add a link in a product description that says www.my-site.com it looks like www.my-site.com but when you look at the "View-source" the link is not pointing to my site it is pointing to www.senrier.gq......

If they don´t use a frame and they do not link to my site from their site how can I solve this?

I need to prevent this other URL to use my header.tpl <base href="<?php echo $base; ?>" />
because that is what they use to enable <base href="https:///senrier.gq/" />

Can I somehow force the php echo $base to be MySite.se/ and no other site, where does OC fetch this? Can I change something to prevent other sites to access this file?
Any ideas?
If this happens to me it can happen to all OC shops, or can it not?

Active Member

Posts

Joined
Tue Mar 15, 2011 9:05 pm

Post by MrPhil » Wed May 31, 2017 8:56 am

I can't even see your site (kon....se) -- just a blank page. Did you restore any changes you made to .htaccess, etc.? The only thing visible is a different favicon than used on the senrier.gq site.

There are two links to kon....se on senrier.gq, both in the footer. One opens your site in a window.

This senrier.gq is in Equatorial Guinea (Africa). What might they be gaining by showing your site? Is it possible that either your DNS entry has been hijacked/swapped without your knowledge, or for some other reason this other domain points to your site? You might want to check your domain registration to see if something odd is going on. I see that you have a Swedish domain with your server in Denmark.

Active Member

Posts

Joined
Wed May 10, 2017 11:52 pm

Post by Dunald » Wed May 31, 2017 4:26 pm

Hello again MrPhil, that link to the "white" site is a link to another site. I had wrong name in that site config.php after I edit that file, thanks I had not noticed that that site was not working. My site is www.dem(look at the store logo at www.senrer.com) .se
This is true, the senrier.gq has links to www.kon....se and that is also another of my sites. But all the links to my site www.dem...se are gone and replaced with www.senrier.gq

I have not got any clue on why my site is target for this fake site. I have many high rank search results in Google search but my site and company are small.
They do not seem to use the www.senrier.gq to any other thing than steal the google search result and linking this to porn/spam.

Maybe my computer got a malware and copying my login to sites and ftp, I got an malwar-warning two month ago when I downloaded paint.net and probably downloaded that from a hoax downloading site. I have searched for malware+paint.net and it seems to be a common Malware problem with Paint.net. I did a search with my Avast anti virus scan and my computer was clean but maybe it was not.
If I have a Trojan or hidden malware perhaps that can explain all the strange things that is happening here at this www.dem-------.se site and also that I got a "wrong password" message when I the other day was working using my ftp on one site but the message was regarding another site. Also I get a message at my controllpanel at my host that told me to sign up if I want my host to host my sites.... but they allready do and the support say that everything s ok and that they do not know why I got that message.

I now use another computer and has changed FTP password on my sites. Will probably change a lot of passwors today.....
And also do a complete restore on my computer even if I do not have any Malware warnings when I scan that computer.

But back to this issue:
My host say that my site is not comprimsed but can someone with access do something to my site that is making my site show my site in another URL?
Can another URL access my site 100% if they have/had access to my FTP?
Where would that file be located if this is the case? Root or maybe in system/catalog/admin etc?

I have deleted everything in the root that was old and not in use, and I can not see any new files in the root.

I have no proof of someone accessing my site but something is wrong and I have to find out what since this site is 80% of my income....

Active Member

Posts

Joined
Tue Mar 15, 2011 9:05 pm

Post by Dunald » Thu Jun 01, 2017 7:31 pm

HAPPY! and confused....

I found a .txt-file in my root called fsga1147 and tried to open it using a text-editor but it was only strange signs and numbers, took a copy and deleted it from the root. I deleted system-cache and error-log. But the scam-site was still there.

Today when I visited the scam-site www.senrier.gq is gone. DNS not found.
Why is it gone? I do not know.

Was it something I did in my root, or did the host of senrier.gq do what I asked them to do, shut down the scam-site.

Anyway, my site is hopefully secure, using no frame and no hotlinking code in .htaccess. Changed all passwords at ftp, mail, host, database. Had a xxxxxxx long password, now I have xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx long :-)
Disabled the ftp in my host controllpanel so if I need to edit something in the ftp I have to enable it using the controllpanel again making it harder for someone to access my ftp. Will not use ftp, only sftp in the future. Now I have a LONG blocklist in my .htaccess with ip:s and hosts and countries that I do not need to visit my shop and I also made a LONG robots.txt file and now I have google verificationcode in two diffrent loctations instead of only in the root.
Made a clean restore on my computer and will only install from wellknown safe sources in the future. Have made settings in Google so that I will get a email if someone is using some of my serch-words or company name.

The links in Google are still there but harmless, for now. I hope they will stay harmless and that Google removes them any time soon.

Thanks for your help even If I do not know what helped me to solve this in this matter ;-)

-----

Edit: I noticed that I can not upload any pictures to my store when I have the hotlink-protection in the .htaccess, had to disable that one to be able to add new images, to bad but maybe I can comment out that hotlink-protection when I need to ad a new product and then add it again.

Active Member

Posts

Joined
Tue Mar 15, 2011 9:05 pm

Post by Dunald » Thu Aug 17, 2017 3:59 am

Not happy. A new site called https://canaryianfo.tk now had a live mirror with my content and Google had indexed all my shops images and keywords AND spamwords. If you would click on a Google link you would be redirected to a SPAM/porn site (same as before). Also same as before was that if I visited the site https://canaryianfo.tk without using Google I would see my site but this time with added spam/porn words. The "View source" (right click" looks identical at my site and the fake sate but the URL is diffrent. I tried to place an order at the scam-site and got a mail that I got an order and the order is also visible in the admin.....

I found out that this is not a Opencart issue. But my host at www.one.com says it is. Or said it was untill I deleted all my OC and installed the webpage tool that one.com use to let me make small websites using my one.com controll panel. I only added one page www.mysite.com/testing.html and that site was also a LIVE mirror of my site, but instead of having the text "This is a testsite from my company" It said "This is "spam" "porn" "spam" a testsite from my company"

Now one.com understands that the scamsite does not have access to my root or database but they say that they can not help me since they don´t know how the scammers is making this LIVE mirror.
Can anyone help me?

I filed a abuse-report to that host and after 3-4 weeks the scam-site is down but my products and keywords are still indexed with the wrong URL by Google and I get no respons from Google what so ever when I am use "Googel spam report". My listing at Google is now bad since there are now two (suspended) fake-sites with my images and products in the Google search results....

Active Member

Posts

Joined
Tue Mar 15, 2011 9:05 pm

Post by Dunald » Thu Nov 09, 2017 7:38 pm

Ernie, could you perhaps remove or edit the answer you made the Tue May 30, 2017 8:04 am?
My company name is in that answer and a weird site called www.wristworlds.info has made copies / mirrors of sites like this opencart forum and has this thread in their site. When I searched for my company on google I saw a link to that site but with the content of this forum/thread.
If it is a live mirror (looks like a frame) pehaps my company name will be gone if you edit your answer.
Have a look at google search results: site:wristworlds.info opencart
- edit I see now that that site has a "Bad Request (Invalid Hostname)" but please edit that post anyway.

Thanks

If anyone is wondering about the issue with the fake sites that has made mirrors of my site the problem is kind of still there and somewhat resolved.
The first site www.senrier.gq is gone but my site still has no images left on Google search results and many many of the Google search links with my company name and products has the wrong/fake-site URL.
Probably since Google think that that fake-site is/was the same site as my site....
If I remove outdated content in Google (the images to the fake site) Google also removes my images!!
Since I have removed 1250 outdated images from the fake-site results also my 1250 images is gone.

If I add a new image to my site, Google ad the same image to the searchresults for the fake site but not everytime image search results for my site!
I searched for my new images and was happy to see them in Google image search results, but when I clicked on the image I came to the fake (and empty) site, my new images was not in Google image search results.
If I remove a fake-site image in the remove outdated images in Google and my image also disappear, when Google ad my image again after a couple of weeks Google also ad the same image but with the fake-site url.
Google is using my sites new images, the image source is my image at my site, but the link in Google image is the link to the fake-site.
But since the fake site is gone the customers does not visit any site only a "DNS not found-page". But my customers might think that it is my site that is not working because the images has my waterstamp/logo and is images of my products, so I do not like Google now....

I have now a new site (but sorry to say without my company name) with search results in Google images and Google search, gave up the idea to make Google understand that the scamsite is not my site....

The scamers is using .ga .tk .cf and .gq all Freenom sites.
One of the mirror sites that was gone after I complained to the Abuse at Freenom is back again, but this time with my site AND another site depending on when you visit the site. My site is visible one out of maybe 10 times and the other site is a "Meet girls in your area"-site.
I have made several new complaint to that .tk host but they are not replying to my mail at all and are not removing that scam-site, maybe it is Freenom that now is making money on this site since it has a lot of commercial banners in it.
The links to my site in that mirror is old and without images (not updated since I blocked that sites access to my site) but since the links has scam/porn-words and my company name and my product names my seo is affected.

I have now found at least 250 mirror-sites (BIG sites and small sites) using .ga .tk .cf and .gq all Freenom sites, here in Sweden but I can not see that anyone but me has noticed this problem or at least no one is talking about it online in Sweden and my host one.com says it is not a problem that they heard about before.
I have sent email to a couple of the real site owners but no one has replied and more and more images and search results in Google search results here in Sweden is redirecting to spam and porn.

Active Member

Posts

Joined
Tue Mar 15, 2011 9:05 pm

Post by IP_CAM » Fri Nov 10, 2017 2:39 am

done !

Ernie's OpenCart v.1.5.6.5 LIGHT + OpenShop Admin v.1.75 Test Sites
http://www.ebikes.li - http://www.evelo.li - http://www.openshop.li
Image


User avatar
Guru Member

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland
Who is online

Users browsing this forum: Bing [Bot] and 78 guests