http://asuka.com.ru/

Ok, what have they done here? Did they copy the whole website or something?

Please let me know what this is....

It appears they're redirecting to our site, or maybe it's a huge iframe, either way, it's pretty stupid.

Originally posted by LinkDJ
It appears they're redirecting to our site, or maybe it's a huge iframe, either way, it's pretty stupid.

Actually, they copied our database it appears, so we need to figure out what is going on.

Does this mean that it isn't Oleg just using a mirror to test his work for us? That's what I hope it is. Everything other possibility sucks.

Originally posted by flashfire
Does this mean that it isn't Oleg just using a mirror to test his work for us? That's what I hope it is. Everything other possibility sucks.

I taled to Oleg and he has no idea whats going on, this is not his. What can we do about this?

I dont think they copied anything, as they've always got the latest news, which is a sign that they're pulling content off our server, not serving it up themselves.

Don't want to advertise solutions here in the forum because its obvious smeone is watching the site. will Call you later IO abou this

Originally posted by flashfire
Don't want to advertise solutions here in the forum because its obvious smeone is watching the site. will Call you later IO abou this

Thanks man.

THIS IS MY SITE NOW.

Originally posted by the man
THIS IS MY SITE NOW.


NOOOOOO You cannot have it man!!:P

Actually, they copied our database it appears, so we need to figure out what is going on.

No, I don't think they copied your DB. Now, unless you have really shi^H^H^H crappy security policy, they can't rip off your MySQL DB from your server. I'm assuming you have password protected your DB (you did password your DB, didn't you?), they won't be able to access it with a query. Furthermore, I'm assuming you firewalled your server, like port 3306 (you did firewall port 3306, right?), they can't query it from the outside even if they know your PW or you failed to PW-protect it.

I also took a look at the HTML code. This is the meta-tag portion (gee, I hope this display properly in the forum; if not, just view the source code yourself):

META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=ISO-8859-1">
<META HTTP-EQUIV="EXPIRES" CONTENT="0">
<META NAME="RESOURCE-TYPE" CONTENT="DOCUMENT">
<META NAME="DISTRIBUTION" CONTENT="GLOBAL">
<META NAME="AUTHOR" CONTENT="Designtechnica">
<META NAME="COPYRIGHT" CONTENT="Copyright (c) 2001 by Designtechnica">

Noticed they didn't do jack to the copyright notice, or anything else for that matter.

I also noticed that the forum is coded to the forums.designtechnica.com address.

That site is running:

Apache/1.3.26 (Unix) mod_perl/1.26 mod_throttle/2.11 PHP/4.1.0 FrontPage/ 4.0.4.3 mod_ssl/2.8.9 OpenSSL/0.9.6b

Designtechnica is running:

Apache/1.3.26 (Unix) mod_perl/1.26 mod_throttle/2.11 PHP/4.1.0 FrontPage/ 4.0.4.3 mod_ssl/2.8.9 OpenSSL/0.9.6b

If you don't trust me, just head over to Netcraft.

And the kicker, traceroute to asuka.com.ru goto 209.51.157.179
That's also this website's address (just type it in your browser's address line)

There's no I-frame, no hidden tags, no DB copying.

What they did was simply to map asuka.com.ru to your address, 209.51.157.179, in some DNS table somewhere. I mean, I can do that too. Just spend $10 for an address, go to some free DNS provider, and type in 209.51.157.179, and voila, same effect.

Now, as to why they did this, I can't help you. But at least you should know your DB is still secure.

Ruri,

Thanks for all the good info.

Our database is secure and fine. We'd already determined they didn't take the database and the forums are on their own domain and that's being maintained in the urls.

Our banners are still being served and counted as well. :)

At this point, we just need to try tracking down the person doing this and if possible pursue that.

Ultimately, I think we're okay and its an odd form of flattery.

bc

don't worry soon I will take it off your hands

Originally posted by LinkDJ
It appears they're redirecting to our site
It appears that maybe I am good for something.

Originally posted by LinkDJ

It appears that maybe I am good for something.

Do not hold your breath!!!

BTW, did you get the stuff from Xoxide yet?

A friend had a overseas site who wanted to give him a free domain in Brazil or somwhere in South America. I think he had it for a while, but it got to be a pain in the arse. The latency to connect to what ever POS machine down there was just awful. Now my question is exactly how does this work? Does all the data sent from the site have to be routed through were the port redirection is being done from.... hmm lets test it out to see if this is the case .....

Ya I tried it by opening the link and it says that it is transferring from that domain. I wonder if you can block requests to your sever from a specfic domain?

Originally posted by the man
don't worry soon I will take it off your hands

cause you are the man

I asked a friend of mine and here is what he said. Sorry for the chat text ...


irootkitedgod: vindisco
baxtu: ya that's me
baxtu: I kinda don't like the name now
baxtu: I think I should have went with disco_ballz
baxtu: eheh
baxtu: its short for vintage disco
irootkitedgod: all they did was what was quoted /*What they did was simply to map asuka.com.ru to your address, 209.51.157.179, in some DNS table somewhere. I mean, I can do that too. Just spend $10 for an address, go to some free DNS provider, and type in 209.51.157.179, and voila, same effect.

*/ a very easy thing to do. you dont need to prove ownership to add a dns entry. impossable to stop unfortuently. look back at what 2600 was doing with regersting www.****generalmoters.com and pointing it fo www.ford.com
baxtu: hey is / . working for u?
irootkitedgod: yeah a little slow but it is up
baxtu: it is not . ya it wasnt' for me a bit ago
baxtu: weird
baxtu: hmm THAT sucks about domain problems
irootkitedgod: any way any idiot with the funds can pull off that type of hyjinx. unfortunently do the the use of mirrors it is not something that might be solved so easily.
baxtu: u mind if I quote u?
irootkitedgod: you might want to drop a feature request on an apache forum about this problem the developers are very helpfull
irootkitedgod: quote as you like
baxtu: ahh ok .. cool thanks man
irootkitedgod: the problem i see is if you take the source for both sites and byte-code file compare it there is differences. what might actually be happening is a russian firewall (or other firewall) that restricts access to us based sites (((.com .net .gov .us etc...))) and someone wants to read the site so they registered the site to read @ work, school, home
baxtu: ya that could be the issue here also. I am wondering how we can track down this person that owns the domain. For instance where can you go and try to find a whois for a .ru domain ? I tried a couple of sites and all they listed where US domains ..
irootkitedgod: already on top of it

Ok I have more good stuff for you guys ... here is the whois for the site. The normal methods that I tried did not work. I had to pull an extra special favor to get the info.

:) :P

----

% NOTE:
% Use of any automated high volume processes that
% apply to the RIPN Whois Service is prohibited.


domain: ASUKA.COM.RU
type: CORPORATE
descr: Corporate domain for
descr: Jian Services
admin-o: JIAN1-ORG-RIPN
nserver: ns1.zoneedit.com.
nserver: ns3.zoneedit.com.
created: 2002.06.19
state: Delegated
changed: 2002.06.21
mnt-by: JIAN1-MNT-RIPN
source: RIPN


org: JIAN SERVICES
nic-hdl: JIAN1-ORG-RIPN
admin-c: AUS13-RIPN
bill-c: AUS13-RIPN
phone: +61 407 698 224
fax-no: +61 8 9439 2460
e-mail: dns@dnsau.com.ru
changed: 2002.06.13
mnt-by: JIAN1-MNT-RIPN
state: RIPN NCC check completed OK
source: RIPN


person: JOHN T FOX
nic-hdl: AUS13-RIPN
address: Domain Name Services
address: P.O. BOX 158
address: KWINANA, 6966, AUSTRALIA.
phone: +61 407 698 224
fax-no: +61 8 9439 2460
e-mail: dns@dnsau.com.ru
changed: 2001.10.23
mnt-by: AUSTRAL-MNT-RIPN
source: RIPN

-------

Who wants to make a call to Aussie Land ?

HAHAHAHAHAHAHAHHAHAAH that's all i can say
please give me a call. . i would love to chat!

all it is is a redirect from what I can tell. There is no way the person copied the db, especially since the site is an exact mirror, including all the latest info. :) its more a form of flattery I think.. LOL

Originally posted by the man
HAHAHAHAHAHAHAHHAHAAH that's all i can say
please give me a call. . i would love to chat!

Who are you? Are you the guy that is mirroring our site from Australia?

Originally posted by Ioman


Who are you? Are you the guy that is mirroring our site from Australia?

Hey Io read the above post by 'the man' he says


THIS IS MY SITE NOW.


I think this answers your question....

THIS IS MY SITE NOW.

don't worry soon I will take it off your hands

HAHAHAHAHAHAHAHHAHAAH that's all i can say
please give me a call. . i would love to chat!

1. He's not mirroring, he's redirecting
2. If he's as smaert as his posts suggest, we've got nothing to worry about

1. He's not mirroring, he's redirecting

It would be nice for him to explain himself more. A quick email to Ioman before he went and did his sneaky DNS trick would have been nice. Then at least we wouldn't have been worried about security. It is a wrong thing to do and without notification makes it even worse. Don't try and get this guy off the hook!

The offending site asuka.com.ru will no longer be poaching this website as it has been taken off its present nameservers, this will be effective by 0100 hrs GMT 10/9/2002. I do apologise for this transgression and will be contacting the user of this domain name. If this happens again please contact thru the website.

John Fox
Domain Name Services
http://www.dnsau.com.ru/

wow..thats nice of him. he even posted to the forums!

Wow, well at least that guy had good taste in DNS services. It's not often you get service like that. Thanks.

Originally posted by dnsau
The offending site asuka.com.ru will no longer be poaching this website as it has been taken off its present nameservers, this will be effective by 0100 hrs GMT 10/9/2002. I do apologise for this transgression and will be contacting the user of this domain name. If this happens again please contact thru the website.

John Fox
Domain Name Services
http://www.dnsau.com.ru/

Thanks John for the excellent service!

--

Do you guys think that I should take over the user name? I think I can change the his password. I wonder if I can also ban his IP. This might be a bit extreme, since we have gotten the problem sovled.