Sponsored Links

Warning about an ISPreview.co.uk website clone

Mark.J

Administrator
Staff member
ISPreview Team
Just to let readers know that some cheeky individual is leeching content from ISPreview.co.uk's servers and loading it via "ISPreview . biz". We suspect that the purpose of this is to poision our SEO ranking in Google through duplicate content or potentially by manipulating other content over-the-top for financial gain.

We do attach several domains to our site but they will always redirect to our main ispreview.co.uk domain, while the leech has avoided this and thus Google could de-value our site ranking. I've not dealt with this kind of problem before but will raise a DCMA with Google and contact the abuse department of their web host.

The same inidividual is also using a similar tactic against masses of other sites in this field, several of which are already aware or being made aware. So be careful of the following.

http://domainsigma.com/reverseIP/87.118.92.88

laptopsreviews.in

basenote.in

imagicon.info

mobilephoneexpert.in

broadbandsuppliers.biz

ispreview . biz

simplifydigital.biz

broadband-essentials.info

broadbandanalyst.info

broadband-finder.info

broadband-expert.info

broadband-choices.com

businesscloudnews.info

channelprosmb.info

cloudbusinessreview.info

cloudcomputing-news.info

mac-win.biz

freemacware.org

macwindows.org

best-seo-software-reviews.info
 
looks more like a clone to me, maybe you could pop some code in the header which will only appear if called upon by the offending domain.. as it looks to me they arent leeching content.. its more like they are cloning it and while l dont see any external links it wouldnt be that far fetched that it could be in use to steal passwords (after all it would be relatively easy to intercept login details logging in via that domain while still pushing users over to data here.

one suggestion l could make to prove a theory would be to create a test user (cookies cleared of course) and login with it, it would give an indication if that all its doing is mirroring rather than leeching.. after all theres not a way in hell it could copy information that is stored securely within the database.
 
just an addition, it looks like caching to me. this post came up immediately when clicking on this topic "there" but the front page of the forum part of the clone it looks like it doesnt update as quickly as it would directly on ISPr.

tho given that information, l would still insert some code somewhere that would insert some interesting html into the page that would only be viewable there.. would mean that he/she wouldnt be able to mirror content any more and make it slightly more annoying for them and less worth the efford imho.
 
Sponsored Links
Just some simple JS would clear that issue right up..

Or block their IP from accessing your server (or send them to a page saying go to the real site here xyz.co.uk).

Matt
 
As others have said.. I would code in something to embed the IP in the output from your server so you can tell which IP is fetching it.
Then give false content to it ;) or just pages with a meta redirect back to here.

On the DMCA subject.. I have had good results with the Google Adwords DMCA complaints when someone stole all my FTTC diary content and hosted it on their own site without permission _and_ knowing that I didn't want them to after I changed the hotlinked images to say "stop it"! They copied the images to their own server.

A DMCA complaint via Adwords and they removed the offending post. And now (several months on) the entire site is gone.

Good luck! Keep us updated on the story.

Other that run from the domain:
action-cameras.in best-seo-software-reviews.info broadband-choices.com broadband-expert.info broadbandanalyst.info businesscloudnews.info cloudbusinessreview.info comparebroadbanddeals.info desktop-virtualization.org dialtosave.in ellis-brigham-sports.com expertreviewscompare.in expertsreviews.in fragrancescompared.in futureofenterprisecomputing.info gadgetheaven.in ghgadgetheaven.in imagicon.info itreviewsnews.in izideal.info laptopreviewsuk.in laptopsreviewsuk.in latestmobilecomputingnews.in mncgroup.in mysatnav.in news-and-reviews.in notebookcomparisonsreviews.in pcreviewer.in priceinspector.info satnavcompare.in shop4laptop.in testsfreaks.in virtualizetips.in webcam-stripteasing.biz www.channelprosmb.info www.edmunds.com www.ellis-brigham-sports.com

Tom - www.mouselike.org
 
I'm not sure if the JS or IP block ideas would work. I've yet to find any Java solutions beyond preventing copy and paste (not an issue for bots and very irritating for visitors) and IP blocks don't work unless you can figure out which bot is actually extracting the data. I've tried but am none the wiser as our logs are fairly full.

I like the idea of embedding the IP in the output from our server but I'm not quite sure how to do that / make it work.

I've tried all day to do a DCMA complaint too but it always fails with an error, which is quite annoying. The only other way is via snail mail to the USA.. ugh Google.
 
I like the idea of embedding the IP in the output from our server but I'm not quite sure how to do that / make it work.

If you have the ability to run custom PHP in your layout, somewhere on all your pages put in the code
Code:
<?php echo $_SERVER["REMOTE_ADDR"]; ?>
This will show visitors their own IP on the page though..
Possibly hide it, so it can only be found when viewing source, using:
Code:
<!-- <?php echo $_SERVER["REMOTE_ADDR"]; ?> -->

Tom - www.mouselike.org
 
Sponsored Links
I suspect its setup to try and steal peoples usernames and passwords.

If you google keymachine.de and keyweb.de which is what that 87.118.92.88 address resolves to it appears its not the first time that companies server solutions have been used for that purpose.

Hope the user database here is secure.
 
Mark why dont you https it ? u think it will be a big hit on the CPU ?


looks like it's connecting to this DB restrict sql to only allow your ip
 
Just run a whois and surprise surprise, these cowards are hiding behind Privacy Protect.

Might be worth raising an abuse issue with them also?
 
Two things you cannot do over there; you can't register an account (I didn't try to log in or register with my usual username), and you can't post a reply in the "Unregistered Visitor ISP Questions and Answers" section. Both things just bring up a blank screen after typing in the information. From this, I think it is highly unlikely to contain the ISPR forum database.
 
Sponsored Links
Mark: try searching your logs for "FINDTHISSTRING.PHP" as it should show the Ip of the "fetcher".

I don't quite see much point in this fake mirror. It isn't doing something basic "money making" like inserting adverts or changing the adsense / adwords publisher id :\

More info here:
http://www.projecthoneypot.org/ip_87.118.92.88

Looks possibly like some sort of attempted injection attack on forums?
anyone else seeing the site trying to redirect to IP 87.118.92.88,my anti-malware software is blocking it every time I come to the site.
The IP being shown is: 87.118.92.88. When ... Why would this be occuring only when I'm viewing certain posts in the aforementioned forum?

etc.

Someone else who is affected, 6 days ago, said: "I have blocked that IP and now that site stopped showing my contents. " (source)

Even more weirdly they have a paid for an up to date certificate on their server for this website: https://imagicon.info/
Yet another clone of an existing site: http://freeemoticonsandsmileys.com/ But why pay for a valid SSL certificate for your cloned site?!

Tom - www.mouselike.org
 
Last edited:
Two things you cannot do over there; you can't register an account (I didn't try to log in or register with my usual username), and you can't post a reply in the "Unregistered Visitor ISP Questions and Answers" section. Both things just bring up a blank screen after typing in the information. From this, I think it is highly unlikely to contain the ISPR forum database.

After attempting to register, the site returned me to the forum categories page. Since it's been so long since I joined ISPr, is this normal behaviour (and I would now have received a verification e-mail)?
 
doesnt sound like you have read the whole topic.. the other site is "fake", at least in as far as it only mirrors the data here. now normally if it was done with permission maybe Mark wouldnt have an issue with it, however as is generally the case, most mirrors generally are made for monetary gain by the person mirroring it inserting ads or malicious code in order to harvest passwords and email addresses.

this is why one should ALWAYS check the address bar to make sure they are exactly where they are supposed to be, tho sometimes even that isnt full proof as DNS can be faked but l expect it to be much harder to do than make a clone with a similar URL.
 
Hmm I was assuming that $_SERVER["REMOTE_ADDR"] would only load the site visitors IP on even the clone site and not the robot's own IP, will give it a try though.

Yes the clone site doesn't have database access, it's actually very easy to mirror a site (something we might do for backup purposes in the future) via an automated system that effectively copy-pastes all of the sites resolved pages (bit more sophisticated than that but not by much). As others have said, it's usually done to hijack advertising traffic, poison SEO ranking (duplicate content is degraded) and or steal personal data.
 
Yes don't put details into the fake site, it could be trying to harvest data. So I hope you only used fake info.
 
Sponsored Links
Hmm I was assuming that $_SERVER["REMOTE_ADDR"] would only load the site visitors IP on even the clone site and not the robot's own IP, will give it a try though.

If you View Source on your own site when visiting you don't see (unless broken!) any PHP code and just get the precompiled HTML output.
Unless the scammers have access to your "pre webserver compiled" PHP / wordpress? source code it will show the IP of their mirroring software, your server will be compiling the PHP and spitting out the requester's IP (the mirror sites server).

Looking at the way they work, it may just be possible to create /myip.php rather than modify your entire sites CMS code! As far as I can work out, upon first request their server goes out and fetches a copy on the fly. So visiting fakesite.biz/myip.php immediately after inventing a /myip.php file on your server containing just the <? echo $_SERVER["REMOTE_ADDR"] ?> code would do the job quickly and easily vs. editing your main site!

Tom - www.mouselike.org
 
Yes don't put details into the fake site, it could be trying to harvest data. So I hope you only used fake info.

Yes, it was only fake data used!

In response to timeless, I have read the whole topic and had quoted the reason why I had attempted to test for a DB on the mirror site.
 
Yes don't put details into the fake site, it could be trying to harvest data. So I hope you only used fake info.

I used fake info to try to register. If that and all the other cloned sites don't exist to push adverts to earn money, or to harvest email addresses/passwords, then it seems very pointless to pay to clone the sites. Perhaps an ulterior motive will emerge soon.
 
Yes, it was only fake data used!

In response to timeless, I have read the whole topic and had quoted the reason why I had attempted to test for a DB on the mirror site.
l guess l took your message out of context. however none the less felt it was worth passing the information along.
 
Top
Cheap BIG ISPs for 100Mbps+
Community Fibre UK ISP Logo
150Mbps
Gift: None
Virgin Media UK ISP Logo
Virgin Media £22.99
132Mbps
Gift: None
Vodafone UK ISP Logo
Vodafone £24.00 - 26.00
150Mbps
Gift: None
NOW UK ISP Logo
NOW £24.00
100Mbps
Gift: None
Plusnet UK ISP Logo
Plusnet £25.99
145Mbps
Gift: £50 Reward Card
Large Availability | View All
Cheapest ISPs for 100Mbps+
Gigaclear UK ISP Logo
Gigaclear £17.00
200Mbps
Gift: None
Community Fibre UK ISP Logo
150Mbps
Gift: None
Virgin Media UK ISP Logo
Virgin Media £22.99
132Mbps
Gift: None
Hey! Broadband UK ISP Logo
150Mbps
Gift: None
Youfibre UK ISP Logo
Youfibre £23.99
150Mbps
Gift: None
Large Availability | View All
Sponsored Links
The Top 15 Category Tags
  1. FTTP (6028)
  2. BT (3639)
  3. Politics (2721)
  4. Business (2440)
  5. Openreach (2405)
  6. Building Digital UK (2330)
  7. Mobile Broadband (2146)
  8. FTTC (2083)
  9. Statistics (1902)
  10. 4G (1816)
  11. Virgin Media (1764)
  12. Ofcom Regulation (1582)
  13. Fibre Optic (1467)
  14. Wireless Internet (1462)
  15. 5G (1407)
Sponsored

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved - Terms  ,  Privacy and Cookie Policy  ,  Links  ,  Website Rules