My site got mirrored...?

rauza

So my site got mirrored, meaning, if I change my scripts, it would be affected on the other domain that is mirroring my site, literally same exact content and database. I'm not sure how this is possible and was wondering if someone can explain to me how this works (real-time). Nobody got access to my control panel or VPS as I checked the access / login logs, and nobody got access to my CloudFlare DNS but my site got mirrored anyways.

I hacked the site using some quick SQL magic and fucked them over the ass but I need to know how this was possible in the first place...????
 
Good Question...

Cool that you hacked their site...
 
If you hacked them (SQL injection, I suppose, from your post), why didn't you figure out how they did it while you were in?

There are two options for mirroring a site on the backend:

1. Frequent scraping and rolling their own mirroring software (this goes in line with your SQL hack statement), which does not need access to any of your control panels, and CloudFlare doesn't matter (depending on your settings in CF, and their IP quality and scraping method, etc.)

2. Nginx reverse proxy. This one is "the perfect mirror" method, real-time, extremely easy to do and much better than iframes or scraping content. BUT: It doesn't go in line with the SQL hack statement (and I assume finding your own content in their database)
 
Good for you teaching them a lesson. I laughed so hard I spit my drink on the screen.
 
Could be that they're pointing their DNS to your server-IP. That could explain the real-time behaviour. Do some research on the domain name and DNS that's mirroring your site.
 
Sure? Then how do you explain this "I hacked the site using some quick SQL magic"?
Had OP hacked his own website? :-D
 
Could be a number of methods. I'm guessing he was bullshitting when he said he hacked them, to save face.
 
That's the irony... I got control but still had no clue how it was working. I was pretty pissed I couldn't figure it out ;( Their DNS servers and everything looked fine, and they had one sketchy script that appended information on all my scripts while they were mirroring, that's all I found.

Btw, I did "hack" in to the site, but you have to remember that it was extremely easy. They were literally mirroring my site, so if I executed shit on my PHP scripts, it would translate to their servers too. I could execute shells or echo out server information on my scripts and it would translate to their information. IT WAS SO FUCKING WEIRD, I HAD NO CLUE what was happening!

i.e.

MyWebsite.com/somescript.php --> MirroredSite.com/somescript.php

would both execute with two different responses for server info.

What ended up breaking the mirror was using SSL on my site, but I doubt I actually fixed-fixed the problem. I even wiped my whole VPS out and reinstalled everything in case there was malware... still didn't affect the mirror until I added SSL :o
 
What language were the scripts written in? What kind of information did you find in the database? Did you find your own content in there?

Then again, the "how" is easy to guess, and it doesn't really help moving forward.

What would help in the future:

- Whenever you notice a site mirroring you, find the server IP, blacklist it on your side, problem solved against most ideas they can have.

The solution with stopping a mirror is the same as the problem with security:

- You cannot protect yourself 100%, you can only make it not worth the effort :)
 
I found my own content in the database, which was being updated in real time, with the same exact names - I think it was literally the same SQL data - like they had a connection to my SQL. It's a mirror, it was my shit. I think it was an exact mirror through domain masking with their own custom scripts appending shit on my scripts. The scripts are written in PHP. I know, I was going to blacklist it but I wanted to know how it even happened. Also, if I just blacklist it, they could easily just register a new domain and do it again.
 
That's where the "not worth it" part I said above comes in! The more money they have to spend, the better!

You cannot prevent it 100% of the time, but you can do a few of the following:

- Check your CloudFlare settings, try RocketLoader and combine it with a custom JS that checks the domain and redirects if it's not your own (given that RocketLoader compiles all JS later, your new script mixed into the code of another essential plugin is going to make the effort go from 0 to 100 very quickly)
- If they are not masking and they are actively scraping you (you said your content was in their DB), to achieve near-real-time they must be sending a TON of requests to your server, which you can easily rate-limit
- Check your database listen IP/port and check iptables; there was a recent viral InfoSec research article that said there were apparently thousands of unsecured database instances allowing remote connections out there
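
The two causes discussed in this thread (a foreign domain whose DNS points at your server IP, and a reverse proxy or scraper hitting you from one address) leave different traces in an access log. The following is an added example, not part of any post above: it assumes a log format that records the Host header first and the real client IP second (behind CloudFlare that means logging the restored visitor IP), and the host names and addresses are constructed placeholders.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumption: each log line starts with the Host header, e.g. nginx
# log_format '$host $remote_addr [$time_local] "$request" $status'.
LINE = re.compile(r'^(\S+) (\S+) \[([^\]]+)\] "[^"]*" \d{3}$')
FMT = '{} {} [10/Oct/2015:13:55:{:02d} +0000] "GET {} HTTP/1.1" 200'
OWN_HOSTS = {"mywebsite.example", "www.mywebsite.example"}  # placeholders

# Constructed sample log, not data from the thread.
SAMPLE = "\n".join(
    [FMT.format("mywebsite.example", "198.51.100.7", 1, "/"),
     FMT.format("mirroredsite.example", "198.51.100.23", 2, "/somescript.php"),
     FMT.format("MirroredSite.example:80", "198.51.100.24", 3, "/")]
    + [FMT.format("mywebsite.example", "203.0.113.50", s, f"/page{s}")
       for s in range(10, 16)]
)

def parse(text):
    """Yield (host, client_ip, timestamp) for every well-formed line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            host = m.group(1).lower().split(":")[0]  # drop port, normalise case
            ts = datetime.strptime(m.group(3), "%d/%b/%Y:%H:%M:%S %z")
            yield host, m.group(2), ts

def foreign_hosts(text, own=OWN_HOSTS):
    """Host headers that are not ours: another name resolves to this server."""
    seen = defaultdict(set)
    for host, ip, _ in parse(text):
        if host not in own:
            seen[host].add(ip)
    return {h: sorted(ips) for h, ips in seen.items()}

def heavy_clients(text, per_minute=5):
    """IPs exceeding per_minute requests in any single minute (proxy/scraper)."""
    buckets = Counter()
    for _, ip, ts in parse(text):
        buckets[(ip, ts.replace(second=0))] += 1
    return sorted({ip for (ip, _), n in buckets.items() if n > per_minute})

if __name__ == "__main__":
    print("foreign Host headers:", foreign_hosts(SAMPLE))
    print("candidate IPs to block or rate-limit:", heavy_clients(SAMPLE))
```

A foreign Host value means the other name resolves straight to your server, which a catch-all virtual host that refuses unknown names closes off. A single heavy IP sending your own Host is the reverse-proxy or scraper case, and that is the address to blacklist or rate-limit.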
 
Sick story, is it your movie site? How is your journey?
I followed your topic and it inspired me to learn to code, and I created a 100% automated movie site two months ago. I'm curious how someone apparently without access to the database can clone this content in real time; if you can solve this problem, please report.
 
Mirroring a URL is done this way:

----------------

RewriteEngine on

# Match any request whose URI contains "bar"
RewriteCond %{REQUEST_URI} bar
# Send it to /index.php (R = external redirect, L = stop processing rules)
RewriteRule ^ /index.php [L,R]

----------------

What the code does: it looks for a URL on any page on a website I own, and sends the user to my index page if a link is pressed...

This is Apache code, but it can be done in any programming language; it's just an example of what social websites are doing.

The only way around this is to send an image with the URL written on it...
 
This thread has been super useful, the knowledge has been helpful.

Thanks!
 
Hi Razebyte,

Are you using knownSrv hosting?

I have the same issue: my main domain is on WordPress and it's mirrored on nearly 8 websites, and known SRV support is of no use.
 