CNAME redirect to Joomla site

Forum Moderators: phranque

Message Too Old, No Replies

CNAME redirect to Joomla site

Someone has hijacked our site with a simple redirect

migumbo

5:26 am on Feb 18, 2013 (gmt 0)

* Last week we noticed duplicate content warnings and links from a domain wwww.some-tld.com in our Webmaster tools account (yes 4 wwww's)

* It appeared to be an exact replica of our Joomla site - a completely different TLD.

* Somehow the entire Joomla based site is running under their domain.

* If we put Joomla into maintenance mode, it also put's their domain redirected site into maintenance mode. We can also login into our Admin from their domain redirect.

* The offending domain is whois protected at Moniker. Could I ask them to shut the redirect down? Am I within my rights to do this?

* I've reported this site as a "scraper" to Google using their form. I've also contacted our host to see if there's anything they can do.

Any other advice? How can they possibly get this site to run perfectly under their domain?

Hoople

5:45 am on Feb 18, 2013 (gmt 0)

By chance are the two domains on the same IP address?

There have been a few threads her on WW as to how to track down the mirroring if they aren't on the same IP.

phranque

11:56 am on Feb 18, 2013 (gmt 0)

have you looked through your server access logs for clues?

the two most likely possible explanations:
- they pointed their domain to your IP address and your server is configured to accept requests for any hostname.
- they have set up their own server to make proxy requests to your server.

migumbo

10:03 pm on Feb 19, 2013 (gmt 0)

thanks will check both of those things with the hosting company

Demaestro

11:39 pm on Feb 19, 2013 (gmt 0)

If we put Joomla into maintenance mode, it also put's their domain redirected site into maintenance mode.

I assume by this you mean that you used the setting in global config to put the "site offline" or into "debug mode"?

If that is correct then there is something else going on here as both of those settings live in a config file. If you are changing the config file which writes to a flat .php file and not a database then they are most likely linking back to your site.

Either that or the host server is so fully taken over in an attack that they were able to mirror flat files and change them at the same moment you do. Which is unlikely.

I think whatever is happening they are pointing it back to your site.... the real question is how is the .htaccess file routing traffic from that domain to the public directory of your site?

migumbo

6:09 am on Feb 22, 2013 (gmt 0)

after a lot of trial and error this now fixed via htaccess level by adding this to the htaccess directive:
RewriteEngine On
RewriteCond %{SERVER_NAME} !^(www\.)?our-domain.com\.com$
RewriteRule ^ - [F]

phranque

10:39 am on Feb 25, 2013 (gmt 0)

do you have an extra '.com' in that condition?

also make sure you are handling any other/wildcard subdomains properly.

in some cases it might be better to use something more like this:


RewriteCond %{SERVER_NAME} !example\.com$

migumbo

5:31 am on Feb 27, 2013 (gmt 0)

thanks I'll check!