Stop someone pointing a CNAME at your domain

This is a weird one. We've just noticed that someone has been pointing a domain at one of our sites for the last four years. It looks like they're just doing it via a CNAME on Cloudflare pointed at the domain, rather than pointing at the server (as we only allow access via the main domain, plus we changed server IP at one point).
What made you look into it in the first place? Was it affecting your site, SEO, etc., or just something you searched to check?

It's a strange one for sure
 

We received a message through a contact form we have on the site but the URL listed in the message was the alternate domain (the contact form is just an iframe widget which is why it worked).

This led to a "wait, what's that?" and then a Pandora's box of headaches :LOL:
 
haha, my sympathies mate, I share your pain on that one. I've clocked up a few miles in the rabbit holes too.
 
Just wanted to follow up with some of our findings and how we resolved it, in case anyone else finds themselves in the same situation.

With help from Hook and username, we discovered that it wasn't a simple CNAME. They were scraping the site and creating a cached copy on their server, whilst also slightly modifying it.

New pages were loaded on demand and old ones refreshed once the cache expired (the fact that the new pages were showing immediately was one of the things that made me initially think it wasn't a simple scrape job).

There was also some JavaScript added to show adverts for an Asian casino, although they weren't showing for us, so I'm guessing they were limited to specific types of user. I'm not really sure where they were planning on getting traffic from, but at least now we know the reason behind it.

We located their IP by trying to load a URL that doesn't exist on our site. This then showed up as a very obvious entry in our server logs (e.g. "/here-is-the-ip-of-the-bot/"), so I blocked the IP and new pages immediately stopped loading on the other site.

It took a while for the cache to expire, but now it has, the entire site is down. So problem (temporarily) solved.

Obviously they could just change the IP and start again, but for now their site isn't working, at least.
 
If they'd made even a few $ they'll be back with new IPs or hiding behind a CDN soon enough :(
 
Wow. There must be some sort of protection against this?

Get behind Cloudflare? Reverse content hijacking, and sounds like a pretty nasty case.

Leave a couple of honeypots about and just start banning IPs that access them.
 
We're already using Cloudflare; it didn't really help in this scenario.

And yeah, now we know that blocking their IP solves it, we'll be pinging their site on URLs that don't exist and blocking any IP that visits them.
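The canary-URL check from the follow-up post, and the standing version of it planned above, as an added example that is not from the thread. The copycat host name, log lines, addresses and user agents are constructed for illustration; the log format is the common nginx/Apache "combined" format.

```python
"""Canary-URL probe for locating the origin of a copycat (reverse-proxy/scraper) site.

Flow: generate a path that does not exist on the real site, request it via the
copycat domain, then look for that exact path in the real site's access log. The
only client that can have asked the origin for it is the machine doing the scraping.
"""
import re
import secrets
from typing import List, Optional, Tuple
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Constructed sample of a combined-format access log. The addresses, paths and
# user agents are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2024:10:01:02 +0000] "GET /about/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [12/May/2024:10:01:05 +0000] "GET /canary-3f9a1c7e2b7d/ HTTP/1.1" 404 812 "-" "python-requests/2.31"
203.0.113.7 - - [12/May/2024:10:01:09 +0000] "GET /contact/?ref=home HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
"""

# "combined" format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

CANARY_PREFIX = "/canary-"   # hypothetical prefix; pick anything that never exists on the real site


def make_canary_path() -> str:
    """Return a fresh, unguessable path such as /canary-3f9a1c7e2b7d/.

    A random token per probe ties each log hit to a specific probe and stops the
    scraper from having the page already cached.
    """
    return f"{CANARY_PREFIX}{secrets.token_hex(6)}/"


def is_canary_path(path: str) -> bool:
    """True for paths of the shape produced by make_canary_path (query string ignored)."""
    bare = path.split("?", 1)[0]
    return bool(re.fullmatch(re.escape(CANARY_PREFIX) + r"[0-9a-f]{12}/", bare))


def trigger_canary(copycat_host: str, canary_path: str, timeout: float = 15.0) -> Optional[int]:
    """Request the canary through the copycat domain (live network call; not used offline).

    A proxy or on-demand scraper has to fetch the page from the real origin to
    answer this, which is what leaves the trace in the origin's log. Returns the
    HTTP status the copycat answered with, or None if it could not be reached.
    """
    req = Request(f"https://{copycat_host}{canary_path}",
                  headers={"User-Agent": "canary-probe/1.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as exc:      # a 404 is still useful: the request was passed through
        return exc.code
    except URLError:
        return None


def find_canary_hits(log_text: str, canary_path: Optional[str] = None) -> List[Tuple[str, str]]:
    """Return [(ip, user_agent)] for log lines that requested a canary path.

    With canary_path given, only that exact path counts (one-off probe); without
    it, any path of the canary shape counts (standing honeypot over a whole log).
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        bare = m.group("path").split("?", 1)[0]
        wanted = (bare == canary_path) if canary_path else is_canary_path(bare)
        if wanted:
            hits.append((m.group("ip"), m.group("ua")))
    return hits


def nginx_deny_rules(ips) -> List[str]:
    """Render one nginx `deny` line per unique address, ready to drop into a server block."""
    return [f"deny {ip};" for ip in sorted(set(ips))]


if __name__ == "__main__":
    path = make_canary_path()
    print("request this on the copycat domain:", path)
    # trigger_canary("copycat.example", path)   # hypothetical copycat host; then search the origin log
    hits = find_canary_hits(SAMPLE_LOG)
    for ip, ua in hits:
        print(f"canary requested by {ip} ({ua})")
    print("\n".join(nginx_deny_rules(ip for ip, _ in hits)))
```

One caveat before blocking anything found this way: if the real origin sits behind Cloudflare's proxy, the address in the origin log is a Cloudflare edge IP, not the scraper's, unless the real client address is restored (for nginx, `real_ip_header CF-Connecting-IP;` with `set_real_ip_from` entries for Cloudflare's published ranges). Blocking the edge IP would cut off legitimate visitors arriving through the same edge.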
 
Surely you could do something more inventive than just blocking the IP? You could add it to a blacklist that serves an alternative page with a 'friendly' message on it.
 
I’m in favour
 

Ha, yeah, this has been discussed :LOL:
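The "alternative page for blacklisted IPs" idea from the last few posts, as an added nginx fragment that is not from the thread; the addresses, server name and paths are hypothetical, and the canary location matches the probe-URL trick from the follow-up post.

```nginx
# Addresses found via the canary URL. 0 = normal visitor, 1 = known scraper.
# If the origin is behind Cloudflare, key this on the restored client address
# (real_ip_header CF-Connecting-IP) rather than the edge IP, or everyone gets the page.
geo $scraper {
    default         0;
    198.51.100.23   1;    # hypothetical: the address that requested the canary
    203.0.113.0/24  1;    # hypothetical: a whole range, if they hop addresses inside it
}

server {
    listen 443 ssl;
    server_name example.com;    # hypothetical

    # Standing honeypot: nothing under /canary- exists, so any request for it
    # came through the copycat. Log it separately so the source is easy to spot.
    location ~ ^/canary- {
        access_log /var/log/nginx/canary.log;
        return 404;
    }

    # The "friendly" page, reachable only via the internal rewrite below.
    location = /friendly.html {
        internal;
        root /var/www/honeypot;   # hypothetical path
    }

    location / {
        if ($scraper) {
            rewrite ^ /friendly.html last;
        }
        try_files $uri $uri/ =404;
    }
}
```

Serving a page instead of a plain `deny` means the copycat keeps working, but every page on it becomes whatever you put in `friendly.html`, which is the effect the earlier post was after.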
 