phantomeye

[SOLVED]Site copied and hacked by chinese company
Hi Guys,

I'm absolutely stunned by seeing this and would like some feedback and ideas on how to stop this guy.

My site is www.swimmingpoolguru.com. I was doing a Google search for swimmingpoolguru and the 6th link was a site called www.aidaoba.com. When I checked it, I found this was my site, completely copied and reflecting the changes I made 3 days ago. He has even copied my telephone numbers, my company name, my links, EVERYTHING!!!!

I contacted GoDaddy and they said that they cannot do anything. I did a whois check and found a company called Xin Net Technology that registered the domain. I have contacted their hosting company and am waiting to hear from them.

In the meantime, using Firefox/Help/Report Web Forgery, I have reported this site as a phishing site to Google.

Thanks and looking forward to your feedback.


Further research into the company Xin Net Technology shows they are a known scam company with over 500 active sites and hundreds that have been shut down.

The company lures customers into purchasing products and then tells customers that the product is not available and that their PayPal account has been frozen, so it cannot return the money.


Hi there,

Sorry to see this disgusting thing from my dear country. But I have to correct one point: Xin Net Technology (www.xinnet.com) is just an ISP like GoDaddy. To find out who did this behind Xin Net, simply do a whois check on that domain.

Now I would leave my suggestion here: you may want to email CNNIC (China Internet Network Information Center) about this issue. The email address of the CNNIC complaints office is: supervise@cnnic.cn

Try to provide the necessary info; they may help you out.

Good luck and best wishes from a Chinese fan of PrestaShop!


Hi "21846657",

Thank you for your post. First off, let me apologize if in any way my post seemed like it was against China or its people. I have nothing but respect for the Chinese people.

I have taken your advice and have emailed the address you provided and am hoping for an answer.

I googled Xin Net Technology and found many links with reports of scams from companies listed by them. I was also surprised that the domain's registered user information was not provided and that someone was able to register a domain without disclosing their information.

Here is a snippet from PC World in 2009: "Xin Net came in at the top spot on a list of the most abused registrars released earlier this year by KnujOn, an organization dedicated to fighting spam. It garnered the same rank last year. From June 2008 through February, KnujOn said it found 34,283 illicit domains linked to Xin Net, covering unregulated prescription drugs, pirate software and counterfeit consumer goods."

Anyway, I digress. What I really do not understand is how they are able to reflect my website changes immediately. I am assuming they have hacked into my site and are mirroring my changes immediately. I was also reading about how FireFTP can compromise your username and passwords, but cannot confirm this.

Once again, thank you for your mail and I really hope we can figure this out.


You're wrong, there *IS* registrant info, but we all know how worthless that is anyhow.


Domain Name : aidaoba.com
PunnyCode : AIDAOBA.COM
Creation Date : 2009-09-14 14:11:47
Updated Date : 2009-09-14 14:11:47
Expiration Date : 2010-09-14 14:11:44


Registrant:
Organization : zhao jianzheng
Name : zhaojianzheng
Address : shandong province,rizhao city
City : rizhao
Province/State : Shandong
Country : cn
Postal Code : 276826

Administrative Contact:
Name : zhaojianzheng
Organization : zhaojianzheng
Address : shandong province,rizhao city
City : rizhao
Province/State : Shandong
Country : cn
Postal Code : 276826
Phone Number : 86-633-8980900
Fax : 86-633-8980900
Email : 3406509@qq.com

Technical Contact:
Name : zhaojianzheng
Organization : zhaojianzheng
Address : shandong province,rizhao city
City : rizhao
Province/State : Shandong
Country : cn
Postal Code : 276826
Phone Number : 86-633-8980900
Fax : 86-633-8980900
Email : 3406509@qq.com

Billing Contact:
Name : zhaojianzheng
Organization : zhaojianzheng
Address : shandong province,rizhao city
City : rizhao
Province/State : Shandong
Country : cn
Postal Code : 276826
Phone Number : 86-633-8980900
Fax : 86-633-8980900
Email : 3406509@qq.com


Here's the thing... copying your site design is one thing, but he's actually got a fully functional clone of your Presta store and database? Yea, you've been compromised, and I would find out how it happened immediately. Contact Verio and inform them of the situation and that the server logs need to be reviewed ASAP to see how it was done. Most likely done from an account on the same shared server as your site.


Regarding "FireFTP", never used it, but I'm assuming you're not tunneling through SSH or SSL. In that case it doesn't matter what client software you use; your authentication information is in plain text. In such a scenario one would simply have a packet sniffer set up somewhere in between and catch your authentication info.

Again, my first fear would be another account on the shared server. Are your files all set to default settings, possibly allowing other users to simply read your config files and gain access to all your files and DB login?

And, again, access logs will reveal this. Whatever access logs are available to you, start sifting through them right now, and get your hosting company to assist you.

Also, Xinnet is the host, not the registrar. The registrar is Paycenter. Both are Chinese and unlikely to really give a damn, but you could try serving them both fake cease and desist letters to see if they'll respond to that. I've got templates for my, um, "law firm" that will represent you *ahem*


Hi phantomeye,

I think I can understand your situation. That's why I suggest contacting the official investigation department to pin it down at the very source. 'Cause they (that guy, Xin Net or whatsoever) have done it and will continue doing it (I mean, mirroring your site or others) NO MATTER WHAT you do to protect your site at your end. Anyway there are 2 things, I think, we can do to "slow it down":
1. Protect your personal info inside your PC against viruses, trojans and spyware, and change the passwords aperiodically.
2. Install a module named ipblock, or use .htaccess to block any IPs from any suspicious addresses. If you have no clue, try Google ;-)

As for Xin Net, I cannot leave any comments on this company since I have never used a Chinese domain registrar, before or going forward. It's my first time hearing of those reports you quoted. How ASHAMED they should be! But they feel better in China. OMG. Ridiculous.

Please keep us posted. Hopefully it will give some clues to Presta fans.


Guys, thank you very much for your responses.

@Enigma32, thanks for the registration info, will send them an email (although I do believe that it may be dummy information); it's worth a shot and I certainly will send it from my "ahem, lawyer's office".

You have brought up a great point about the shared server and the ability to copy my settings. I followed the normal setup process from PrestaShop's installation guide and hence whatever CHMOD settings they require, I have set. I would be interested, and I'm sure the whole community of newbie PrestaShoppers should know, the secure CHMOD settings that need to be set post installation. Will also RTFF to see if they are already posted.

I contacted GoDaddy after reading your message about the server logs (I host with them) and they are going to get back to me. Their first line of tech support is as oblivious as I am to this.

@21846657, have run Spybot, Ad-Aware, Malwarebytes & Avast and cleaned the crap outta my system. Did find one Trojan, not sure if that was the problem. Will also change all my FTP usernames and passwords and database usernames and passwords. I also believe that Enigma32 is right about being hacked into at the shared server.

Cheers people, will keep you posted on the developments.


1) GoDaddy says they are checking into it. The first line technician says he's positive the site has not been hacked, but they are pointing to my IP address. (This may be true, but I doubt the site has not been compromised.)

2) I checked the access logs and found another site, www.blog.yiluo.net, that is doing the same, also hosted by Xin Net Technology and registered with Paycenter.

What the heck, the scary part is I did not know about this new site until I looked at the access logs. I am going to look at my other sites' access logs to ensure this is not happening there too.

@Enigma32, I see the access logs; how do I identify the file that is corrupted and what are the next steps? I was also wondering, what if I enter their websites into my robots.txt file. Will that block them? They seem to be accessing that too.

The mystery unfolds!!!
Despite it being a horrible setback, with the power of the community, I'm confident this will be solved.


Guys, once again thank you for helping out. So this is what I found out:

1) The company had used a reverse mod_proxy to point their site to mine.
2) They also had their domain pointed at my IP address.

To solve this, I had to use a canonical hostname rule to force my site's domain name for all requests, deny all IP address requests from "China" and the problem sites, and finally hide my .htaccess file.

For now any and all requests going to my site come back to my site.

Here are the links to all my research:
1) block Chinese IPs - http://www.wizcrafts.net/chinese-blocklist.html
2) Canonical hostname redirect - http://httpd.apache.org/docs/2.2/rewrite/rewrite_guide.html
3) block IP addresses - http://httpd.apache.org/docs/2.2/howto/access.html

The last thing I need to do is check all the CHMOD permissions, to ensure that there is nothing unsafe to be hacked again. Would really appreciate it if the Mod or someone could post the CHMOD permission settings to be applied after installation.

Cheers


The last thing I need to do is check all the CHMOD permissions, to ensure that there is nothing unsafe to be hacked again. Would really appreciate it if the Mod or someone could post the CHMOD permission settings to be applied after installation.


Thanks for the information.

How should the CHMOD permissions be set on the FTP ?


Would've helped if the forum emailed that there were replies to this thread...

Yea, I forgot to mention that when I went to actually put something in the cart and check out, it was using your PayPal.

My assumption would be: allow orders to legitimately get passed along to you but harvest credit card and PayPal info as a middleman. In the aftermath customers would of course blame you for stealing or "leaking" their cards.

Guest

Well, I have the same problem although I am Chinese too. I don't know how to prevent this from happening.
You are lucky, only one site copied yours.
What I have are 4 other domains pointing to my SITE......
I will try your method mentioned above.
Hope that will work!

Guest

I have used the canonical hostname redirect in the .htaccess file, which redirects all the other domains to my site.
It works for me very well.


Thanks for the information. My site has now been cloned by these guys. Looks like they have moved on but are still up to no good.

We turned on our site on Wednesday and by Sunday they had cloned our entire site. Fortunately we had SSL that flagged visitors, and we were able to react fast enough to redirect any traffic. We also used some hints we found here.

Unfortunately, because of our SEO that they copied, Google bots crawled them immediately and they now appear in the search results for our products. The unholy irony is that they have a higher page ranking than we do with the exact same content and in spite of the SSL certificate warning. That just blows my mind. This is obviously detrimental to our customers and puts their information at risk if they search for us and are not using the direct URL.

I am also being forced to use Google's AdWords and pay a very high minimum CPC rate to put us at the top of the search as a sponsored link, and can only hope that this will be the obvious entry point for those searching for our product.

Getting Google to remove a 3rd party domain is proving extremely difficult. The only recommendation Google has for this is their policy: "If you don't own the site, your first step is to contact the site's webmaster and request that the content is removed." Fat chance there.

I will try to pursue further methods. I hope this will assist the next guy that gets DNS hijacked or pirated. It is obvious... aidaoba is the DEVIL!!


This thread is very informative.

If someone could please point out where to find the information about the CHMOD stuff, that would be great.


Can someone kindly paste the code of the 'Canonical hostname redirect which let all the other domain redirect to my site'?

Thanks.

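For the two requests above for the actual code (the OP's three measures: canonical hostname, IP deny, hidden .htaccess), here is a worked .htaccess that puts them together. This is an added example, not code from this thread or from PrestaShop; www.example.com and 203.0.113.10 are placeholders for your own domain and for the proxy's address as found in your access log. Apache 2.2 directives, matching the docs the OP linked.

```apache
# Added example .htaccess (not from the thread). Assumes the shop is served
# as www.example.com and that 203.0.113.10 (placeholder) is the address the
# cloning proxy fetched pages from, taken from your own access log.
RewriteEngine On

# 1) Canonical hostname: a request whose Host header is anything other than
#    our own domain (a foreign domain's DNS record pointing at our IP, or a
#    proxy that passes the visitor's Host header through) is sent back to
#    the real site with a permanent redirect.
RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]

# 2) Deny the proxy's source address(es). With "Order Allow,Deny" a client
#    matching both lists is denied, so everyone else stays allowed.
Order Allow,Deny
Allow from all
Deny from 203.0.113.10

# 3) Hide .htaccess (and .htpasswd etc.) from direct HTTP requests.
<FilesMatch "^\.ht">
    Order Allow,Deny
    Deny from all
</FilesMatch>
```

The redirect in step 1 only fires when the proxy forwards the visitor's Host header; a proxy that sends your own hostname is indistinguishable from a normal visitor by Host alone, which is why the IP deny in step 2, fed from the access log, is the other half of the fix.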

"1) block chinese ip - http://www.wizcrafts...-blocklist.html"

I've been interested in doing something like this for a while, because I get a lot of spam from Chinese wholesalers.

But I would rather put up with spam than risk, even if it's the smallest risk, blocking legitimate customers in my own country.

How safe is this exactly?


"Guys once again thank you for helping out. So this is what i found out:

1) The company had used a reverse mod_proxy to point their site to mine.
2) They also had their domain pointed at my ip address

To solve this, i had to use canonical hostname to force my sites domain name for all requests. Deny all IP address requests from "china" and the problem sites. And Finally hide my .htaccess file.

For now any and all requests going to my site, comes back to my site.

Here are the links to all my research:
1) block chinese ip - http://www.wizcrafts.net/chinese-blocklist.html
2) Canonical hostname redirect - http://httpd.apache.org/docs/2.2/rewrite/rewrite_guide.html
3) block ip address - http://httpd.apache.org/docs/2.2/howto/access.html

The last thing i need to do is check all the CHMOD permissions, to ensure that there is nothing unsafe to be hacked again. Would really appreciate if the Mod or someone could place the CHMOD permission settings to be applied after installation.

Cheers"

All this info is incredibly useful, thanks so much Phantomeye.


Hi everybody,

Thanks for all the work you've put into uncovering this issue. I am passing this along to our development team to try to find out if there is a way we can integrate these suggestions into a future build of PrestaShop.


-Mike
