Google-jacking?
pielover
18-01-2003, 00:16/12:16AM
I've been checking out these forums and getting the supportforums emails for a little while. I'm no pro, but as a marketer, I need to stay on top of my website's rankings.
When I found this post at Marketingfix.com, I was shocked. I was really surprised that I was the only one who commented on it.
Check out what happened and try to figure out what was done to steal someone else's website, Google hits and all!
Is it Possible to Steal Website Domains on Google? (http://www.marketingfix.com/archives/is_it_possible_to_steal_website_domains_on_google.php#000553)
What happened?
Advisor
18-01-2003, 01:21/01:21AM
Still trying to figure it out.
It appears as if the other site made an exact duplicate of the stolen site, and submitted it to Google. Instead of indexing duplicate content, they used the stolen version of the site because there were more links pointing to it.
Don't know if this is the whole story or not, but this seems to be the most common guess so far.
Jill
chopsticks
18-01-2003, 17:48/05:48PM
My thoughts are that it was likely hacked. And it appears that they are on a sub-net that has lotsa virtual hosted domains (numerous domain names on one IP address).
Although they don't SEEM to have multiple domains hosted at their IP address, those around them do.
Look at the Google cached page of --
128.121.224.242 (http://216.239.33.100/search?q=cache:fFt7hJgp06oC:www.calle.com/domains/ip/128/121/224.html+%22128.121.224.242%22&hl=en&ie=UTF-8)
** NOTE THAT THEIR IP ADDRESS DOES NOT REPORT THAT IT IS "SeaSideGolf.com"!!! It reports (what Google saw, and put in the cache) that "MyrtleBeachGolfPackage.com" is the domain on that IP address
...lo and behold.... if you look at the Google-cache for "MyrtleBeachGolfPackage.com" you'll see the exact same page that is showing up for the "GolfTourDesk.com" google-cached hijacked page!! As a matter of fact, the Google-cache for "MyrtleBeachGolfPackage.com" actually shows "GolfTourDesk.com" at the top of the page, in the Google text/disclaimer.
VIEW SOURCE (on the Google-cache of MyrtleBeachGolfPackage, which is seen by Googlebot as GolfTourDesk) --
it's a copied/mirrored version of SeaSideGolf from Thu, 07 Nov 2002 20:49:51 GMT.
===
I looked at the WhoIs information for SeaSideGolf and noticed that their DNS IPs are only one # apart. That's BAD news; it's even against Microsoft's stated DNS policy. If the subnet goes down, there is no DNS to act as the master to "answer" the request ...
Domain servers in listed order:
NS1.DIGITRONICWEB.COM 66.186.23.130
NS2.DIGITRONICWEB.COM 66.186.23.131
---
Of course I have no idea what SeaSide Golf was doing last time Google indexed their site! They likely could have changed their hosting firm (i.e. their IP address isn't the same as it was) AND/OR they may have changed/updated their domain name servers.
---
BUT, at the current time, RIGHT NOW, the domain name of "MyrtleBeachGolfPackage.com" resolves to the same IP address as "SeaSideGolf.com"
And, MyrtleBeachGolfPackage WHOIS information --
Domain Name: MYRTLEBEACHGOLFPACKAGE.COM
Created on: 23-Sep-98
Expires on: 22-Sep-03
Last Updated on: 23-Aug-02
** NOTE: NOT updated since Aug 23! (And it's registered to the same guy, and the same Domain name servers as 'SeaSideGolf.com').
***
As I telnet into the IP address, hitting port 80, and manually entering HTTP 1.0 commands, I see that their current configuration (still, today) is --
Server: Apache/1.3.27 OpenSSL/0.9.6g (Unix) FrontPage/5.0.2.2510 PHP/4.0.3pl1
As a matter of fact, the "MyrtleBeachGolfPackage.com" is set-up as a 302 (moved).
HTTP/1.0 302 Found
Connection: close
Date: Sat, 18 Jan 2003 21:42:56 GMT
Server: Apache/1.3.27 OpenSSL/0.9.6g (Unix) FrontPage/5.0.2.2510 PHP/4.0.3pl1
Location: http://www.myrtlebeachgolfpackage.com
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://www.myrtlebeachgolfpackage.com">here</A>.<P>
</BODY></HTML>
Connection to host lost.
So I'm betting that someone:
A) Found an Apache 1.3.2 exploit
B) Found a PHP/4.0.3pl1 exploit
C) Hacked the Admin or User account to control the web server
D) Compromised the "SeaSideGolf.com" web development machine. (By compromising the web development machine one could tweak the code to allow an unsuspecting victim to upload your trojan/modified code to their own site!)
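[Added example, not part of chopsticks's post or the original thread.] The response captured above can be checked mechanically for the two things the post reads off it: the software versions the Server banner discloses, and a redirect to a hostname other than the one the owner expects. The function names and the `expected_host` value are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit

# Response text copied from the post above (wrapped lines rejoined, body shortened).
RAW = (
    "HTTP/1.0 302 Found\r\n"
    "Connection: close\r\n"
    "Date: Sat, 18 Jan 2003 21:42:56 GMT\r\n"
    "Server: Apache/1.3.27 OpenSSL/0.9.6g (Unix) FrontPage/5.0.2.2510 PHP/4.0.3pl1\r\n"
    "Location: http://www.myrtlebeachgolfpackage.com\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<HTML>...</HTML>"
)

def parse_response(raw):
    """Split a raw HTTP response into (status_code, lower-cased header dict)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    code = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, headers

def banner_products(server):
    """Map product -> version from a Server header, ignoring comments like (Unix)."""
    tokens = re.sub(r"\([^)]*\)", " ", server).split()
    return {name: ver for name, _, ver in (t.partition("/") for t in tokens)}

def audit(raw, expected_host):
    """Return findings for version disclosure and redirects to another hostname."""
    code, headers = parse_response(raw)
    findings = []
    leaked = sorted(p for p, v in banner_products(headers.get("server", "")).items() if v)
    if leaked:
        findings.append(("version-disclosure", leaked))
    if 300 <= code < 400:
        target = urlsplit(headers.get("location", "")).hostname
        if target and target != expected_host.lower():
            findings.append(("redirect-to-other-host", target))
    return findings

if __name__ == "__main__":
    # expected_host is an assumption: the name the owner expects this IP to serve.
    for finding in audit(RAW, "www.seasidegolf.com"):
        print(finding)
```

On Apache, the `ServerTokens` directive controls how much of this banner is sent.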
Blue
18-01-2003, 17:48/05:48PM
Welcome to the forums pielover! :hi:
ihelpyou
18-01-2003, 20:30/08:30PM
Welcome to the forums pielover! :hi:
We have a good thread going on about the same site here:
http://www.ihelpyouservices.com/forums/showthread.php?threadid=6531
pielover
19-01-2003, 16:45/04:45PM
Doug, et al.
Thanks for the welcome!
I did a quick search before I posted, but didn't try the URL...that would have caught it. Also interesting is that I was debating whether to post in "Spam & Ethics" or in "Google" sections.
And Chopsticks did some great detective work. Is that going to be linked over to the other discussion?
Certainly is a lesson that us marketers need to care about security. Being part of a website is certainly an all-encompassing job, as Jeff Veen says.
I've got a couple other things I'd like to post about here, so you'll see me again.
circusboy
21-01-2003, 10:58/10:58AM
We have dealt with and (hopefully) figured out this same problem with someone who recently contacted us...
This person contacted Google but was given the same old runaround... after SEVERAL attempts to contact them about this issue, Google said they couldn't do anything without a Court Order. (You'd think they'd take this a little more seriously.)
Here's a little more info on the incident -
http://www.chillingeffects.org/dmca512/notice.cgi?NoticeID=496
From what we can figure out - the hijacker alters the BASE tag in the HEAD of his own page to reflect the "victims" page, like:
BASE=http://www.hijackersite.com/../www.victimsite.com/hijackedpage.html (Seems Google sees this ../ and "skips" to the victims site somehow.)
As soon as the page gets ranked by Google, the hijacker removes the BASE tag. Typically, rather than copy the victim's page, they'll put up SOME unique content - after they achieve top positioning.
BTW - it was a kid who did this! IMO, this will have FAR REACHING implications if this becomes widely known to "unethical SEOs" (unless Google can muster up a fix).
We're working on a whitepaper for this, that will be presented soon at www.penetrationtest.com
Hope this has helped in some way!
Regards,
"circusboy"
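[Added example, not part of circusboy's post or the original thread.] A site owner or crawler operator can flag pages whose BASE value has the shape described above: a dot-dot segment, or another site's hostname used as a directory in the path. The `HREF` attribute form, the function names and the sample markup are assumptions; the post gives the tag only in shorthand.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

HOST_LIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)

class BaseFinder(HTMLParser):
    """Collect the href of every <base> element (HTMLParser lower-cases names)."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "base" and href:
            self.hrefs.append(href)

def suspicious_base(html, page_url):
    """Return [(href, [reasons])] for base hrefs shaped like the one in the post."""
    page_host = (urlsplit(page_url).hostname or "").lower()
    finder = BaseFinder()
    finder.feed(html)
    findings = []
    for href in finder.hrefs:
        # Decode %2e%2e and similar so encoded dot-dot segments are seen too.
        path = unquote(urlsplit(href).path)
        segments = [s for s in path.split("/") if s]
        # Treat the final segment as a file name unless the path ends in "/".
        dirs = segments if path.endswith("/") else segments[:-1]
        reasons = []
        if ".." in segments:
            reasons.append("dot-dot segment in base path")
        foreign = [s.lower() for s in dirs
                   if HOST_LIKE.match(s) and s.lower() != page_host]
        if foreign:
            reasons.append("hostname in base path: " + foreign[0])
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed samples using the placeholder names from the post.
HIJACK = ('<HTML><HEAD><BASE HREF="http://www.hijackersite.com/../'
          'www.victimsite.com/hijackedpage.html"></HEAD><BODY>copy</BODY></HTML>')
BENIGN = '<html><head><base href="http://www.example.com/docs/v1.2/"></head></html>'

if __name__ == "__main__":
    print(suspicious_base(HIJACK, "http://www.hijackersite.com/page.html"))
    print(suspicious_base(BENIGN, "http://www.example.com/"))
```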