Recovery and prevention from a site clone, 302 redirect highjack type attack

Discussion in 'Black Hat SEO' started by abovethecrowds, Feb 29, 2016.

  1. abovethecrowds

    abovethecrowds Newbie

    Feb 27, 2016
    Likes Received:

    My website and 28+ other domains I can identify - that are all big sites that share similar keyword rankings in google suggesting a very targeted overall attack - are all being targeted by a site cloner, who then uses cloaking, 302 redirect hijacking, and possibly other techniques to accomplish devastating results.

    His method appears to have been implemented as follows:

    Dec 1st - .trade Domain registered
    Dec 8th - Google starts reporting hundreds of links from this .trade domain
    Dec 20th - My sites index drops overnight from 30 indexed pages (stable over a year) to 8 pages
    Jan 1st - Google search traffic vanishes (his site overtakes every ranking!)


    Searching for any keyword that had been previously ranking - shows this .trade pages ranking in its place.

    Titles, url structure, and content are all exact duplicates of my domain.

    "" query returns identical results to my domain.

    Google's cache for a page such as "spam/post-name-5/" shows an exact duplicate as mysite/post-name-5/"

    Clicking on googles cache for any of pages, at the top where it says "This is google's cache of "______" shows my webpages url, even though i have clicked the cached index page for the ranking spam/post-name-5/ type of url.

    How is he accomplishing this?

    - It appears the index of seems to be updating almost as quickly as my website

    For example a new post I publish is found in googles index for the .trade domain within an hour of publishing and ranks.

    Changing the titles and content of old pages also seems to have the effect of google updating its index of the .trade domain to represent these changes in short time.

    Things I'm doing & trying:

    - disavowed all links from .trade domain (although this may further separate me as original content source?)

    - moving rss feed to feedburner in case he was finding updates to the website to crawl via rss feed methods

    - changing sitemap name / location in case this is how he is crawling (sitemap tagged with last modified date for example)

    - ordered SLL and dedicated IP (on hostgator reseller hosting plan) in case he is targeting me at IP address level?

    - moving from http to https (full integration and proper 301 redirection to be applied to further separate the old toxic URLS to new ones) also in the case of his .trade domains cached pages in google giving my website/product-name-5 at the top despite clicking on the .trade google results cached page

    - contacted apparent webhost, registrar, & company he appears to getting his nameservers from? (supporting evidence and screenshots) for hopeful removal

    - google webspam reports for cloaking, plagirisim, & sneaky redirects from serps to illegal steroid store for hopeful removal

    - bought brand new theme to implement and will rewrite all pages once I see he is no longer actively and quickly finding every move I make.

    - deleted lots of non vital plugins and checked for security vulnerabilities

    Questions for techie people & experiences:

    - Where would you begin looking for where/how he is crawling and cloning the website?

    - Shall i make a master list of known bad bots to block through htaccess?

    - can I block the domain and its ip address in some way from hitting my site in any form?

    - Are there any other things I can be trying regarding to site cloning and redirect hijacking?

    Thank you so much!
  2. thedorf

    thedorf Supreme Member

    Oct 1, 2008
    Likes Received:
    what? I gotta have a job?
    BHW - Where else?
    I can help with this if you'll hit me up on Skype. I block bots in some 5 different ways via .htaccess and also have a bad bot trap setup on my website. And yes, you can block his website/IP from hitting your site but he can just change that portion easily, the trick is to find his footprint and block it. Skype id is: gemusli
  3. abovethecrowds

    abovethecrowds Newbie

    Feb 27, 2016
    Likes Received:
    Very much appreciated! I shall hit you up shortly - although I would like to note that I would like to keep conversation regarding this 100% public to help the community understand, protect and prevent this and be a reference point for any other desperate webmasters :)

    I also am wary of handing domain identifying information or logs in regards to this case, please do not take offense to that, the nature of the forum and me posting its profitability has me scared of people interested in the keywords / site / method for black hat methods :)
    • Thanks Thanks x 2