My website is being stolen in real time and I don't know what to do
I launched the site http://altexplorer.net at the start of January as a Block Explorer and information hub for alternative cryptographic currencies. This morning I found a site http://4co.in which is ripping-off my site in real-time; every time a page is loaded on 4co.in it uses php to load the corresponding page from http://altexplorer.net, removes analytics and ad tags, replaces the site name, and replaces the link URLs.
I've put a lot of effort into building this site and keeping it running, and now someone in India is stealing it in real-time. Every page load to 4coin causes an identical page load in the nginx logs of http://altexplorer.net. What can I do besides blocking the source IP address to stop this?
Screen shots: Alt Explorer home page: https://d1eem2029tdth0.cloudfront.net/img/altexplorer-home.png
4coin home page: https://d1eem2029tdth0.cloudfront.net/img/4coin-home.png
Alt Explorer profitability page: https://d1eem2029tdth0.cloudfront.net/img/altexplorer-prof.png
4coin profitability page: https://d1eem2029tdth0.cloudfront.net/img/4coin-prof.png
110 comments
[ 0.26 ms ] story [ 158 ms ] thread162.222.227.123 - - [14/Feb/2014:18:37:51 +0000] "GET /chain/42 HTTP/1.1" 200 76170 "-" "-" "162.222.227.123"
162.222.227.123 - - [14/Feb/2014:17:40:58 +0000] "GET /block/0e67dcf5f6797840a98061af7581138f2347feb168d78f7138d4268c6f854748 HTTP/1.1" 200 15719 "-" "-" "162.222.227.123"
162.222.227.123 - - [14/Feb/2014:18:38:21 +0000] "GET /tx/6c636ebff9674f4168b80b415f8a9097509802992b0422a4fa98c543da9c068e HTTP/1.1" 200 15898 "-" "-" "162.222.227.123"
162.222.227.123 - - [14/Feb/2014:17:41:05 +0000] "GET /address/GRjc357hnC7THEUPVJmpMmCjSAGn54CJnx HTTP/1.1" 200 14034 "-" "-" "162.222.227.123"
162.222.227.123 - - [14/Feb/2014:18:13:21 +0000] "GET /news HTTP/1.1" 200 16675 "-" "-" "162.222.227.123"
162.222.227.123 - - [14/Feb/2014:18:19:12 +0000] "GET /profitability HTTP/1.1" 200 188354 "-" "-" "162.222.227.123"
also, report them to adsense and anyone else serving their ads.
Let them eat /dev/urandom to their heart's content.
No! You can't just give them purely random data. No, sir. That would be easy enough to detect.
What you need is plausible randomness. Shift the value of every transaction by a small percent. Trending everything downward over time, but making it plausible, would be far more entertaining with random upward trends. Best buy now before it gets too expensive! Oh, I'm sorry? That wasn't the actual price? Well, you'd best use a reputable source!
If you're going to poison the well, you don't want to be caught. You want them to wonder at what point their data set diverged and for how long they've been serving incorrect data. Sinister points for interspersing legitimate data with munged data.
The trick with being evil in this case is to be subtle about it. They want to scrape all your metrics? Let them. You just can't guarantee the accuracy of the data they're scraping, right? [wink, wink]
Luckily they are stripping out the ad tags before displaying by site so it shouldn't affect Ad Sense.
Don't just block the /24 ("Class C" IP block), block the /16 ("Class B" IP block) the IP resides in. You'll reduce your audience in India, but they'll have to switch webhosts to continue leaching his/her site.
http://www.oav.net/mirrors/cidr.html
Second idea: Javascript redirect all of your pages to your own subdomain. Again, its just a step in an arms race, but this would be a little too hard/expensive to take to court. You can win an arms race if you try.
(for now)
http://4co.in/?q=1
If the query string is being passed through, which I suspect it is, you can use the query string to easily locate the corresponding entry in your own logs. Or, if the query string isn't being passed through, you can use a path instead:
http://4co.in/q
You probably already thought of this technique. I decided to post it anyway in case you hadn't, or in case anyone else is facing a similar challenge.
A unique sequence of legitimate requests might be more difficult to for the other side to detect and it won't result in 404s. Could randomise the sequence and each can come from a different IP as long as they were synchronised properly.
He very well might. But my estimation of the thief's skills is low. I could be wrong, of course.
> A unique sequence of legitimate requests might be more difficult to for the other side to detect and it won't result in 404s. Could randomise the sequence and each can come from a different IP as long as they were synchronised properly.
That's probably the best bet. A legitimate but very winding path through actual links on the site would work quite well. Given enough steps, it would almost certainly be unique. Because you'd be varying the path each time, the thief would find it hard or impossible to block you.
Put a few more branding elements into your page design, so that visitors to their site will understand that they're redirecting your data. Then take advantage of the extra publicity that they're giving you.
One piece of advice though: Drop the goo.gl short link and link directly to http://altexplorer.net, otherwise it looks like 4co.in was 'hacked' and goo.gl is a phishing/some other sort of scam and not legit.
You should be able to pickup the 4coi.in domain as the referrer if you want metrics for how many people were using 4co.in.
Essentially, they trust the data you're providing and are trying to make a buck off that info. But if they lose that trust because they don't know whether the data is legit or not, you win!
I would also try to mask the fact that the data is not accurate, if they immediately see everything as simply zeroed out, it would be a huge red flag you're on to them. If you provide them ALMOST correct data, it would be harder for them to determine what's going on and their users will see realize the disparity and (hopefully) get burned and never come back.
Essentially, the trick is to destroy the site's credibility so there's no financial benefit to continue to steal from you.
Good Luck!
I'd also recommend only borking SOME of the data - an intermittent bug is harder to fix than a consistent one!
ay, to my astonishment, making the holes with a hoe for the seventieth time at least, and not for himself to lie down in! But why should not the New Englander try new adventures, and not lay so much stress on his grain, his potato and grass crop, and his orchards -- raise other crops than these? Why concern ourselves so much about our beans for seed, and not be concerned at all about a new generation of men? We should really be fed and cheered if when we met a man we were sure to see that some of
But an image search should help you find the image.
If you can't imagine what to do in this situation you shouldn't be running a website of this nature
This type of thing can (and does) happen and it's up to you to know how to defend yourself.
The others have given plenty of ideas, but I guess there are more specific things that can be done depending on their page structure/ads etc
You are an idiot.
If he launched the site, some technical knowledge he must have, however, to then not know (as in, to not have any idea) what to do seems strange.
Thanks for the offence, but it's not me who's hopeless about their website.
I guess trying to ask for advice and acting on that advice, all the while learning more and more about the potential attack vectors one should be aware of when dealing with these relatively new cryptocurrency services, is a shit idea.
BTW, love your intolerant handle. I guess you'd be bashing me then. Sorry my taste in music differs from yours, please don't "bash" me.
cowers in fear as the old, bitter hippie grabs his cane
The issue is not "Please advice me what to do", it is saying it in the spirit of someone who doesn't know how he got in the situation in the first place. For someone who builds a site like that, he should've know better.
So the problem is the way he titles the post. Sure, okay. So make that your argument. You'll sound even pettier but at least you're not fighting a strawman.
So many fun options.
1) Use javascript to replace their ad referrers with yours.
2) Display porn only for them
3) Random infinite page refreshes on their servers.
4) Javascript fake-click the ads so they get banned by their ad network
edit - actually, don't do this as it is trivially easy to get around by doing 2 or 3 requests and keeping anything that hasn't changed.
Or if you do do this, add a low level noise filter on top so that the attacker can't just directly equate pixel values.
<img src="x" onerror= "if(document.location.href==='http://4co.in')document.location='//goatse.cx';">
Maybe like this then?
I issued a DMCA takedown notice to their host and it was taken care of in a couple of days. I suggest doing the same.
"2014-02-14 A site has been found that is stealing the content in real-time: 4co.in. If you are viewing this from 4co.in please go to http://goo.gl/w1f6Sq to view the correct site. I am not responsible for any malicious content or malware on 4co.in."
looking up the whois info, it says that the registrant's email was bgrf@ymail.com
When I put this email in google, I came across another spammy site called baklinks.blogspot.com. This site asks you to swap back links. At the bottom of the blog post, I found the name of the person "Naveen K R"
I then looked up google with "Naveen K R + bgrf". I was able to find a site he (probably) runs called www.zokali.com
More googling combos, I finally found his linkedin profile and his name "Naveen K Ramanand"
https://www.linkedin.com/in/krnaveen.
May be you can contact this guy directly. Seems like he is the one doing this or at least he knows who.