Post by Dunald » Mon Aug 21, 2017 6:58 am

In May a site did this scam but I got that host to shut down that site. Now in August a new site called https://canaryianfo.tk had a live mirror with my content and Google had indexed all my shop's images and keywords AND spamwords. If you would click on a Google link you would be redirected to a SPAM/porn site (same as before). was that if I visited the site https://canaryianfo.tk without using Google I would see my site but this time with added spam/porn words. The "View source" (right click) looks identical at my site and the fake site but the URL is different. I tried to place an order at the scam-site and got a mail that I got an order and the order is also visible in the admin.....

I found out that this is not an OpenCart issue. But my host at www.one.com says it is. Or said it was until I deleted all my OC and installed the webpage tool that one.com uses to let me make small websites using my one.com control panel. I only added one page www.mysite.com/testing.html and that site was also a LIVE mirror of my site, but instead of having the text "This is a testsite from my company" it said "This is "spam" "porn" "spam" a testsite from my company"

Now one.com understands that the scamsite does not have access to my root or database but they say that they can not help me since they don't know how the scammers are making this LIVE mirror.
The scam site is now suspended by the .tk host since I filed an abuse-report to that host and after 3-4 weeks the scam-site is down but my products and keywords are still indexed with the wrong URL by Google and I get no response from Google whatsoever when I use the "Google spam report". My listing at Google is now bad since there are now two (suspended) fake-sites with my images and products in the Google search results....

I hope you understand my problems and can anyone help me in this matter? Can I change config.php or index or .htaccess or something to prevent my site from being in a live mirror with a different URL? OC1.4.9.3

Post by IP_CAM » Mon Aug 21, 2017 8:08 am

Well, you already mentioned your Problems around here before, but by use
of a long outdated OC Version, there won't be many around here anymore,
even being able to assist you in any way, I assume.
Good Luck !
Ernie

My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.


Post by Dunald » Mon Aug 21, 2017 2:58 pm

Well... I thought that this was solved in May since the scamsite senrier.gq now only is a "DNS-not found-page", but probably the host suspended that site and it had nothing to do with me trying to block that site's IP or changing my .htaccess.
This time my host one.com blocked my site since they thought that my large ip-block .htaccess was malware since it was "too large". I had to change all passwords, and they told me to update my OC to the latest version. I did this (3.x) and one.com reopened my site, but the issue was still there. The fake site became my new OC. But then I deleted it all and opened a small single webpage using my one.com control panel and the fake site became that single webpage....

I know now that this is not an OC problem but rather an internet problem. But since we all use internet maybe someone can help me and others to prevent these scam-sites from making live mirrors of our sites and using free domains to lure people/customers into clicking on my product images (with fake URL) in Google search results that lead to Spam/porn. I would be happy to use a new OC, but as I mentioned this did not solve this issue. The scam site senrier.gq still has all my keywords and images in Google search. And Google does not remove these links, probably since they no longer link to spam/porn...

Post by Dunald » Fri Aug 25, 2017 5:38 pm

Doesn't anyone know how to solve this? :-/

Post by MrPhil » Fri Aug 25, 2017 9:36 pm

I'm still trying to understand just what's happening. You say the spammer has a "live mirror" of your site -- does a new product show up on his just as soon as you add it to yours? It's under a different domain name, so it doesn't sound like DNS has been hijacked. Some of the order code (forms) sounds like they still have your site in the code, as orders come to you. If a new product shows up immediately, it means the scammer must have something running on your site, or else they are constantly scanning it for changes, in which case you should notice some IP address "camping out" constantly on your site.

I don't know why someone would go through so much trouble to set up a fake site to channel visitors to porn or whatever. It sounds very odd. If it's not under your domain, I don't see what they would gain by impersonating you. Could it be a personal enemy who just wants to harass you? Frankly, it sounds to me like your host is grossly incompetent. If they think a large .htaccess file is malware, and force you to change all your passwords, I would run away from them as fast as I can, and get a good host.

Post by Dunald » Fri Sep 01, 2017 2:02 am

Hi,
If you have a look at site:senrier.gq in Google search results you can see all my product names/descriptions and my company name. Same thing if you visit Google image search. ALL my images (with my company name in them) are in Google image search but ALL of them have the fake URL.
When the site senrier.gq was online the links from Google were redirected to spam/porn so the customer never saw the fake-site.
Same thing with the latest spam-site www.canaryianfo.tk. If you have a look at the cache of any of the Google links you will see a lot of random spamwords (in Swedish and English) along with my keywords and if you choose some of the spam-words and search in Google you will see that my site is just a tip of an iceberg. There are A LOT of sites that have these spamwords and if you visit in Google search you might see spam/porn and if you visit the URL you will see a somewhat messed up site containing these spamwords. That spam-site is the mirror! Have a look and you might find a contact form or a name and then you can find who is the real owner of the real site and find that real site.
See spamword from canaryianfo.tk example: nätdejting mord qualifikation
In Google search result: https://www.google.se/search?q=n%C3%A4t ... e&ie=UTF-8
Click on any of the Google links (if you dare) and you probably will be redirected to http://dat1ng.online/?u=nvpk605&o=aw3mz7f&t=land1
If you do not click on the Google search link but instead see that site's cache you will not see porn, only the mirror with the fake URL and the spamwords....

Any help in this matter would be lovely :-)

Post by IP_CAM » Fri Sep 01, 2017 11:18 am

As I demonstrated on the Page linked, it's an easy task, to mirror a Site, but
it could also be prevented, in the case, as demonstrated at least, by use of
something like this in the .htaccess file. Just to mention it! ;)
Ernie

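Code:

<IfModule mod_headers.c>
    # Ask browsers not to render these pages inside a frame on any site
    Header always set X-FRAME-OPTIONS "DENY"
</IfModule>
<IfModule mod_headers.c>
    # Turn on the legacy XSS filter in browsers that still have one
    Header always set X-XSS-Protection "1; mode=block"
</IfModule>
<IfModule mod_headers.c>
    # Stop browsers from MIME-sniffing a response away from its declared Content-Type
    Header always set X-Content-Type-Options "nosniff"
</IfModule>

iFrame Master Page
viewtopic.php?f=20&t=187101#p683850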

My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.


Post by Dunald » Fri Sep 01, 2017 7:16 pm

Thanks, I tried this earlier, but I can not say if it is working or not since the fake-sites are down.
I saw this on a Github link, does it mean that my images can not be seen on Google search?
---------------
# Keep in mind that while you could send the `X-Frame-Options` header
# for all of your website’s pages, this has the potential downside that
# it forbids even non-malicious framing of your content (e.g.: when
# users visit your website using a Google Image Search results page)
---------------
Also I noticed that I can not add/upload any images in my Admin when X-frame is in "Deny", any idea why?

Post by ADD Creative » Fri Sep 01, 2017 8:30 pm

Now the mirror site is no longer up, it seems it's just a case of getting Google to remove the fake listings. Some things you could look into that may help you get Google to update their listings.

As the site was using your content and therefore the listings, report it for breach of copyright.
https://support.google.com/legal/answer/3110420

If you have Google Webmaster / Search Console set up, you may be able to request a removal.
https://www.google.com/webmasters/tools/removals

As the site was pretending to be your site and has forms you can fill in, report as a phishing site.
https://safebrowsing.google.com/safebro ... ort_phish/

www.add-creative.co.uk


Post by Dunald » Mon Sep 11, 2017 10:46 pm

Sorry to say none of the help so far has worked out. Now there is a third mirror site active and this time on one of my other sites. I found out that the mirror site is using Cloudflare and can this be the reason why it did not help to block them using the IP or the domain name or the .htaccess code provided?

<IfModule mod_headers.c>
Header always set X-FRAME-OPTIONS "DENY"
</IfModule>

Makes my site's admin unable to open the "add a picture to a product" so I have # in front of this part.
But even before I put the # in front of it, the mirror site was not affected at all.
I have this:

<IfModule mod_headers.c>
Header always set X-XSS-Protection "1; mode=block"
</IfModule>
<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
</IfModule>

But it does not change anything in the new mirror-site.

I asked my Host one.com for help and they gave me a link.....to my own question here......

Post by ADD Creative » Tue Sep 12, 2017 10:18 pm

None of that will stop someone scraping your site. If your site can be viewed in a web browser then it can be copied. You could try to block by IP addresses or maybe using a website protection service. The IP addresses may not be the same as the mirror site and they may change IP addresses regularly to prevent being blocked.

Try and look through your web hosting logs to see if you can identify the IP address they are using to scrape your site. Once you have worked out the address, add them to the IP block section in your hosting control panel or htaccess. You could maybe block whole regions.

Once your site has been mirrored the only option is to file complaints to the services the mirrors use and the search engines that have indexed the mirror site.
https://support.cloudflare.com/hc/en-us ... complaint-

www.add-creative.co.uk


Post by Dunald » Tue Sep 12, 2017 10:53 pm

Of course anyone can scrape my site. But the site is not scraped. They have my site in their site but with a different URL.
This site is using every part of my site since it is my site but wrong URL. Google now has hundreds of my images in search results that are redirected to spam/porn since this is the fake URL. And my images are gone since I tried hotlink protection....

Post by ADD Creative » Tue Sep 12, 2017 10:57 pm

Care to post a link to your site and the mirror site? Send a private message if you do not want it public.

www.add-creative.co.uk


Post by Dunald » Tue Sep 12, 2017 11:31 pm

I have sent you a PM with my URL. You can also see it on the logo on the fake-url site.
------------
Hi!
My site is www.------.se and the mirror-site is www.ggsdatha.cf search for site:ggsdatha.cf in Google and you see the links. Click on a link and you will get redirected to spam/porn...

But if you visit www.ggsdatha.cf you see my site but with wrong URL and with added spamwords.

If you buy a "dejta mig nu" I will get a mail saying that you bought "Worksafe Tiger protection glasses", I have tried.....
I tried to block that site's IP but Cloudflare is using more hidden IPs so the site can not be stopped that way but then I downloaded all the IPs in Sweden "allow from" and "Deny all" for the rest of the world. It looked ok and the mirror did not work anymore!, "forbidden on this server" but the IP-block was not including all the IPs so many customers also see this "forbidden" and today Google shut down my site's adwords since the server was not found.
I had added Google-bot IPs but sorry to say not all of them. Blocking by IP blocks the mirror-site but is giving me even more problems.... If you have a look at the sites you will see that they are the same. If you have any idea how to solve this I would be very happy. :-)

Edit----------------
I can file an abuse-complaint to that host but I want a stand alone solution to these mirror-sites because when I have one mirror shut down by that host another mirror opens, again and again.

It is not an OpenCart issue since I have found hundreds of other mirror sites since May that are using the same spamwords. Maybe there are other spamwords in other countries I do not know. But since the sites in Swedish all have the same spam words and all their Google links are redirected to the same site the problem does not get smaller......if they can mirror my site they can probably also mirror yours :-/

Post by MrPhil » Wed Sep 13, 2017 8:42 am

Did they copy your images and documents, or are they hotlinking to them (fetched from your site)? If hotlinked, you could throw a wrench/spanner into their works by implementing "hotlink protection". Then none of your images will show up. If they went through the trouble of copying everything, that won't do any good.

I'm still trying to wrap my head around why any purveyor of spam and porn would go through the trouble of mirroring someone else's site, especially since it's under a different domain, but apparently this is happening...

Post by Dunald » Wed Sep 13, 2017 3:29 pm

Hi!
No and no and they probably are making money when they redirect traffic to that spam/porn site. Or that spam and porn site is making money when they sell pills or when they are redirecting again to another pornsite... It is ordinary images of ordinary products and the links are with my company name and with my product names. (This last site has links with added spamwords so they are "better" since you easily can see that they are not the real deal but still the images look alright but have the wrong URL and are redirected to the spam/porn-site....)

I am guessing that they are using something like this: https://www.cyberciti.biz/tips/using-ng ... proxy.html
They have A LOT of mirror-sites with these Swedish spamwords and with mirrors of Swedish sites. I have found hundreds and most of them are up and running. The sites that have unique images and/or unique keywords are the ones that have high SEO-rank in Google, they are the ones that people will click on. My first site had unique keyword and was 1-2 on Google search. 3-4 was the fake-site so it happened a lot that customers would click on the fake link since it had my company name, product name and my meta-description. Also I had all my images indexed by Google but since I have been trying to prevent hotlinking my images are no longer at Google, but the scam-sites images are still there.... So everything I have done so far is making my SEO/Google ranking even worse......and I sell NOTHING today and have not done so since this summer..... Have to solve this!

Post by Dunald » Wed Sep 13, 2017 3:46 pm

Many of these mirror-sites in Sweden have names like "www.theczompany.cf" so they add a letter in the domain but it still looks like the site would belong to www.thecompany.se, the question is why they bother to add that letter since they don't use .se, they are using .ru, .gq, .tk and .ga etc.
I have noticed that many of these domain names do not contain "thecompany" but another one. This makes me believe they first made the mirror by using that company site's IP. And if they change the IP which happens now and then the content of the mirror is changed. So if I would move my site from One.com and instead use any other host I would get a new IP and the content of this mirror www.ggsdatha.cf would no longer be my site, it would change to the site that gets that IP.... There is a site in Sweden called www.ggsdata.se and the mirror-site that now is up and running with my site in it is www.ggsdatha.cf.

Post by ADD Creative » Wed Sep 13, 2017 7:05 pm

It looks like they are using some sort of reverse proxy. Any requests to the mirror site just get redirected to your site. The response is then used as their output, but with any occurrences of your domain name https://www.------.se replaced with theirs and the extra spam words and links added. You can see this happening if you put your domain https://www.------.se in the search box and search. The result will have your domain replaced with the mirror domain.

A way to find the IP address of the request from the mirror would be to create a .php file on your server, with a name only you could know, with the following in it.

Code:

<?php
// Print the address this request reached the server from
echo $_SERVER['REMOTE_ADDR'];
?>

Now go to the file using the mirror's domain. The IP displayed should be what the mirror is using. You can then block this IP. You may find that once they work out the IP is being blocked, they will just use another.

You could try printing out or logging other $_SERVER variables and compare the difference between a direct request and a request through the mirror. If there is a difference you could maybe use this to detect and block the mirror. Remember that anything with your domain will be replaced with theirs, so you may want to do a replace before echo.
http://php.net/manual/en/reserved.variables.server.php

You could also try adding some JavaScript to your header to check the hostname and redirect or do something else if it's not correct. They may replace your hostname with theirs, so you may have to split it up ('ww' + 'w.' + '---' + '--.se' etc.) to stop this.

Code:

// If the page is being served under any other hostname, send the visitor to the real site
if (window.location.hostname !== 'www.------.se'){
    window.top.location.href = 'https://www.------.se/';
}

This may not be much help as Google may ignore this before indexing and it looks like they detect when the click through has come from Google and redirect without displaying your site's content.

Once a site is mirrored and indexed you still need to block the IP of the mirror, then report the abuse to the search engines, Cloudflare, the domain contact (use whois to find) and the hosting company (if you can find from the IP).

www.add-creative.co.uk
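
Added example (not part of any post in this thread): the log-based version of the two suggestions above, looking through the hosting logs and visiting a secret file through the mirror's domain. It assumes Apache "combined" log lines; the file name, addresses and log lines are constructed sample data.

```javascript
// Which client address fetched the secret "canary" file, and how busy is it otherwise?
// Everything below is constructed sample data (documentation address ranges).
const CANARY_PATH = '/ip-check-7f3a9c.php'; // hypothetical secret file name
const OWN_IPS = ['203.0.113.10'];           // hypothetical: the shop owner's own address

const SAMPLE_LOG = [
  '198.51.100.23 - - [13/Sep/2017:19:01:02 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '192.0.2.77 - - [13/Sep/2017:19:01:05 +0200] "GET / HTTP/1.0" 200 5120 "-" "Mozilla/5.0"',
  '192.0.2.77 - - [13/Sep/2017:19:01:09 +0200] "GET /index.php?route=product/category&path=20 HTTP/1.0" 200 7300 "-" "Mozilla/5.0"',
  '203.0.113.10 - - [13/Sep/2017:19:02:11 +0200] "GET /ip-check-7f3a9c.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
  '192.0.2.77 - - [13/Sep/2017:19:02:40 +0200] "GET /ip-check-7f3a9c.php HTTP/1.0" 200 10 "-" "Mozilla/5.0"',
  '192.0.2.77 - - [13/Sep/2017:19:02:41 +0200] "GET /image/cache/data/glasses-228x228.jpg HTTP/1.0" 200 9100 "-" "Mozilla/5.0"',
  '198.51.100.23 - - [13/Sep/2017:19:03:00 +0200] "GET /index.php?route=product/product&product_id=42 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"',
  'truncated line that does not parse',
];

// Parse one "combined" format line; returns null when the line does not match.
function parseLine(line) {
  const re = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;
  const m = re.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]), agent: m[8] };
}

// Addresses (other than the owner's) that requested the canary file, each with
// its total request count, share of all parsed traffic and number of distinct paths.
function findMirrorCandidates(lines, canaryPath, ownIps) {
  const entries = lines.map(parseLine).filter(Boolean);
  const hits = new Set(
    entries
      .filter((e) => e.path.split('?')[0] === canaryPath && !ownIps.includes(e.ip))
      .map((e) => e.ip)
  );
  return [...hits]
    .map((ip) => {
      const fromIp = entries.filter((e) => e.ip === ip);
      return {
        ip,
        requests: fromIp.length,
        sharePercent: Math.round((fromIp.length / entries.length) * 100),
        distinctPaths: new Set(fromIp.map((e) => e.path)).size,
      };
    })
    .sort((a, b) => b.requests - a.requests);
}

console.log(findMirrorCandidates(SAMPLE_LOG, CANARY_PATH, OWN_IPS));
```

Only someone who knows the secret name can cause a request for it, so an address that fetched it without being the owner's own is the one the mirror used for that visit.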


Post by Dunald » Thu Sep 14, 2017 7:13 am

ADD Creative wrote:
Wed Sep 13, 2017 7:05 pm
It looks like they are using some sort of reverse proxy. Any requests to the mirror site just get redirected to your site. The response is then used as their output, but with any occurrences of your domain name https://www.------.se replaced with theirs and the extra spam words and links added. You can see this happening if you put your domain https://www.------.se in the search box and search. The result will have your domain replaced with the mirror domain.

I hope you understand how much I appreciate that someone finally is listening and understanding this issue. Thank you!
Very clever way to locate the mirror's IP. It made my day, it was difficult to see which IP, in my Admin report, was from that mirror and my Host never helped me so I am very happy to now be able to block the correct IP. But since they use Cloudflare they might change IP soon. I should file an abuse-complaint to Cloudflare but since they will include my "evidence" to the scammer I do not know if I should report it. Now the scammer only uses an IP but if the scammer knows my URL maybe other attempts can happen.....
For now Google has removed that site from the search results and I have filed an abuse-report to the .cf host. Again, same hosting company every time my sites had mirrors. .tk .cf and .gq That Host never replies to my abuse-report but they shut down the mirror-sites within 4-5 weeks. I have asked them to shut down the person behind this because it is probably the same user that has all of these hundreds of Swedish mirror-sites....

You could also try adding some JavaScript to your header to check the hostname and redirect or do something else if it's not correct. They may replace your hostname with theirs, so you may have to split it up ('ww' + 'w.' + '---' + '--.se' etc.) to stop this.

Code:

if (window.location.hostname !== 'www.------.se'){
    window.top.location.href = 'https://www.------.se/';
}

Where do I put this code?

And once again, thank you for helping me with this.
Any idea on how to prevent this from happening again?

Post by ADD Creative » Thu Sep 14, 2017 6:08 pm

If you know the IP address now, do an IP WHOIS. There is usually an address to report abuse to.

You could try adding the JavaScript to your theme's header.tpl in the <head>, just before any other <script>. You will need something like the following to stop the mirror from replacing your domain. It may not help at all, but worth a try. I've not tested the code.

Code:

<script type="text/javascript"><!--
// Build the hostname from pieces so the mirror's search-and-replace does not rewrite it
var host = 'www.' + '--' + '-.' + 'se';

if (window.location.hostname !== host){
	window.top.location.href = 'https://' + host + '/';
}
//--></script>

As for stopping it from happening again, I don't know of any certain way to do that.

You could try and see if you can detect the difference between a request from a user or Googlebot and a mirror. As well as looking at $_SERVER['REMOTE_ADDR'] you could look at some of the following to see if there is anything different to a normal request and maybe use that to block.
SERVER_ADDR
SERVER_NAME
SERVER_PROTOCOL
QUERY_STRING
HTTP_ACCEPT
HTTP_ACCEPT_CHARSET
HTTP_ACCEPT_ENCODING
HTTP_ACCEPT_LANGUAGE
HTTP_CONNECTION
HTTP_HOST
HTTP_REFERER
HTTP_USER_AGENT

www.add-creative.co.uk
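
Added example (not part of any post in this thread): one way to carry out the comparison suggested above, given two dumps of $_SERVER values, one from a direct visit and one copied from the page as shown through the mirror. The host names, addresses and header values are constructed sample data; because the mirror rewrites the shop's domain in everything it shows, the dump taken through it is normalised before comparing.

```javascript
// Compare $_SERVER dumps from a direct visit and from a visit through the mirror.
// All host names, addresses and header values are constructed sample data.
const OWN_HOST = 'shop.example';      // placeholder for the real shop domain
const MIRROR_HOST = 'mirror.example'; // placeholder for the mirror domain

const DIRECT = {
  REMOTE_ADDR: '198.51.100.23',
  SERVER_PROTOCOL: 'HTTP/1.1',
  HTTP_HOST: 'shop.example',
  HTTP_USER_AGENT: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)',
  HTTP_ACCEPT_LANGUAGE: 'sv-SE,sv;q=0.8,en;q=0.6',
  HTTP_ACCEPT_ENCODING: 'gzip, deflate, br',
  HTTP_CONNECTION: 'keep-alive',
};

// As displayed through the mirror: the shop's host name has been rewritten on output.
const VIA_MIRROR = {
  REMOTE_ADDR: '192.0.2.77',
  SERVER_PROTOCOL: 'HTTP/1.0',
  HTTP_HOST: 'mirror.example',
  HTTP_USER_AGENT: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)',
  HTTP_ACCEPT_LANGUAGE: 'sv-SE,sv;q=0.8,en;q=0.6',
  HTTP_CONNECTION: 'close',
  HTTP_X_FORWARDED_FOR: '198.51.100.23',
};

// Returns the variables that differ once the mirror's rewriting is undone, plus
// the keys whose displayed value had been rewritten (their true value is uncertain).
function compareServerVars(direct, viaMirror, ownHost, mirrorHost) {
  const keys = [...new Set([...Object.keys(direct), ...Object.keys(viaMirror)])].sort();
  const differences = [];
  const rewrittenKeys = [];
  for (const key of keys) {
    const a = direct[key];
    let b = viaMirror[key];
    if (typeof b === 'string' && b.includes(mirrorHost)) {
      rewrittenKeys.push(key);
      b = b.split(mirrorHost).join(ownHost); // undo the mirror's text replacement
    }
    if (a === b) continue;
    const kind = a === undefined ? 'only via mirror' : b === undefined ? 'only direct' : 'changed';
    differences.push({
      key,
      kind,
      direct: a === undefined ? null : a,
      viaMirror: b === undefined ? null : b,
    });
  }
  return { differences, rewrittenKeys };
}

// Differences other than the client address, which the thread expects to change.
function blockingSignals(result) {
  return result.differences
    .filter((d) => d.key !== 'REMOTE_ADDR')
    .map((d) => `${d.key} (${d.kind})`);
}

const result = compareServerVars(DIRECT, VIA_MIRROR, OWN_HOST, MIRROR_HOST);
console.log(result.differences);
console.log('rewritten on output:', result.rewrittenKeys);
console.log('candidate signals:', blockingSignals(result));
```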

