Two different blogs show up on my stats as linking to my personal site. When I go to the blog, the url of my control panel shows up under their lists of links. Their link list goes to sites all over the world, but there is no explanation of what the links are for or why they're there.

I can trace the site owners with Whois, but haven't approached either one. Is that a good Idea? If so, how would you do it? Email, phone?

I reported it to my web host and all they said was "change your password."

But I'm still wondering:
Why did these people link to me? What are they trying to do?
If it happened twice, it will happen again. How can I stop it?

Suggestions appreciated!

Judith

See this thread started by JMac:

Now for something completely different (http://www.webproworld.com/viewtopic.php?t=8656)

and the site she cited:
Porn Sites Hiding Behind Blogs (http://www.idly.org/2003/11/14/porn_sites_hiding_behind_blogs.php)

Thanks for the most helpful information, Minstrel. I'm now up to 4 of these fake blogs referring to my site. I went to their blogs and viewed the source for each site. Every one contained a link to an adult webcam.

Check your logs. My list includes jennifersblog.com, wr18.com, worldnewslog.com, and saulem.com. Others are listed on the link cited by JMac and provided again by Minstrel in this thread. If this is happening to you, you'll find a lot of useful info there.

If they are linking to your site, apparently all of the ones identified so far come from the same IP address: 141.85.3.130 (and the user agent is : MSIE)

So IP banning might work, at least until these crooks figure out something else.

It's worth a try.

Judith

Hi there-

When I originally noticed this link to my control panel (which will be gone in the next 10 visits or so since it's some weird rotating links system) I started a pretty low-key email to the webmaster. And this is how I got his (maybe I'm showing a gender bias here but cloaking a porn site behind a blog - well....) email address: I hacked the URL to get a 404. On the 404 page it gives the following email address:
ddalex@cyclop.net
The email I ended up sending was not as friendly but it has not been returned - wouldn't it be returned if it were a non-functioning address?
So just now I went to cyclop.net, thinking I'd be able to lodge a complaint and lo and behold, it appears to be a personal site, somehow forwarded or subdomained or however these people do it, to another site called horia.com - now as unappealing as the name is, it really does seem to be a family photo album with pictures of a woman, her daughter, and statues... and no porn - just cute kid pictures... ah-hah there's one with Daddy - maybe HE is the culprit!
I hope I didn't scare this woman, if indeed the email address was a phony one.
BUT... as many of you now know, these sites have been tracked, not to the US as stated in their Whois info, but to Bukarest (spelling?) - and this woman's site seems to be located there, too.
Maybe my gender bias was unfounded!

More sleuthing needed.

And maybe MInstrel could help me overcome this "blame it all on a man" thinking, with some therapy! :-)

I'll let you know how it goes!

JMac

And maybe Minstrel could help me overcome this "blame it all on a man" thinking, with some therapy!
If you're asking if I know how to get women and children to stop blaming men (especially me) when things go wrong, no... this was underscored for me during that recent East Coast blackout - the first thing that happened after the lights went out was a message on my cell phone from my oldest son (whose video game had I think been interrupted) saying, basically, "dad - you idiot - did you forget to pay the Hydro bill?"

Minstrel - I KNEW it was your fault! Spread the word everyone!!! :-)

So, I did a Whois on this horia.com - this is their administrative contact info:
*dns*major*jackoff*janitor*-**rgroza@GMX.NET*
********cyclop.net*
********22*Transilvaniei*
********,**Bucharest*
********RO*

Ah yes, that name rings a bell - I was just thinking that about them...
Unfortunately, another company comes up as their technical contact and <shudder> here it is:
*Technical*Contact*-*
*********Tera-byte*Network*Operation*Centre*-**hostmaster@TERA-BYTE.COM*
********Tera-byte*Dot*Com*Inc.*
********Suite*900,*10004*-*104*Ave.*NW*
********Edmonton,*AB*T5J0K1*
********CA*
********Phone*-**+1-780-413-1868*
********Fax*-**-*+1-780-413-1869*

I don't think that's a Canadian area code...

More info - better battle plan.

JMac

There appear to be four domains hosted through this IP number. They are:

www.Dianaandreea.com
www.Horia.com
www.Qozi.com
www.Thecyclop.com

There's got to be some way to track these people down...

And a new site to add to the list of not-quite-right sites:
websearchus.com - I've found that each of these sites has transparent pixels which are links to the porn section of the site. And beware (REALLY) of clicking on them - it will launch a stream of popups that can't be controlled at all. I'm lucky to be working on a Mac and I just have to quickly do a force quit on my browser. On the PC, it eventually crashes the whole system - not before you've more than an eyeful though!

Anyone working from home with their kids around should not even visit one of these sites in case it inadvertently sets of the popups - what people do in the privacy of their own homes is fine with me but hijacking people's computers is wrong, wrong, wrong. If it takes me 'til the end of time (or even the end of today!) I will find out where these people are. The odd thing is that the family to which I referred earlier seems to really play some sort of role in this. There are multiple references to them and albums devoted to their daughter. Could it really be that they don't know enough to not host their legitimate family site on the same DNS as their other activities? Or is this an innocent family that has no knowledge of what's happening behind the scenes?

Curiouser, and curiouser....

We're beyond the looking glass here...
:-)

JMac

Phone - +1-780-413-1868
Fax - - +1-780-413-1869

I don't think that's a Canadian area code...

Yes, JMac, that is an Edm. number, or at least area code. Seeing I can't get them to move here, I still call my family there often - unless the calls are being redirected to Transalvania as well! I've not visited lately.

Hi MikMik -

You're just the guy I thought would already be tracking these people down! All the research you've done has turned up impressive results so far! (Did you get my email "thank you" for the info on the auto launch presentation? Once again, thank you!!)

Maybe this company has more information than I'd thought - I HAd thought it was just another false front - maybe, even if they are, they need a little email from the not so friendly desk of....

JMac

There's got to be some way to track these people down...
More info, JMac - I've read that certain host's , that are set up in Bucharest (I think, will check), are like the famous Swiss banks - they are a haven for hackers etc and will NOT release any information to do with compromising any 'alleged' clients right to secrecy!

I will check out my poorly rememberd source, pretty sure it was "The Globe and Mail" in stories related to internet viruses.

Thanks for the thanks! I have some incredible freeware that I'm just learning to use that is used for this sort of thing. I will get to work!
I'll also get the links to downloads.
One day soon, I'll also work on my site!

MikMik -

I am hoping that this company in Canada has more ... regulations? Morality? Ethics? More to lose? .... one of those.

If they have anything to do with this besides being the unwitting scapegoats, I'm sure they will soon regret it!

What's cooler than being cool? Ice cold...
Sorry, singing along with some tunes! Seemed appropriate when I typed it!

Hahahaha....

JMac

just ran Judith's, = Bucharest!

17.) 156 172 156 - 217.73.164.7 r-bb7-g0-0.bucharest.roedu.net

18.) 156 156 157 - 141.85.3.130 -

Trace complete

I've emailed the Tera-Byte company to question their involvement, unwitting or not.
And, as suggested above, I've added the IP associated with the traffic to my IP deny list.
Tell us more, MikMik! :-))

JMac

I wrote an email to Steve at Tera-Byte in Edmonton and, I'm happy to say that I got a pretty rapid response. Albeit a short one that doesn't really get us any closer to the solution.
He said that, and here's the quote:
"ccclop.net {sic} used to have a server here so that is why we would be the tech
contact on the domain name - Steve"

I think he meant cyclop.net since that's the site I mentioned in my original email.
This doesn't help much - but it's a step in some direction - right?

JMac

Here is the quoted most recent and most unhelpful email I've received from the company in Edmonton.

"being a tech contact on a domain name means a person or company registered
that domain name through our service, domian name registrations have noting
whatsoever to do with the content of their site or their business practices,
to which i really dont care what they do, as im not about to visit their
porn sites in the first place i dont have an issue with popups crashing my
browser. - Steve " Ahem... Steve, my concern was not for your browser crashing but rather the other cloaking issue and linking to people's control panels.

Hmmm. Me thinks thou dost not protest enough, Steve.
I guess there's not much to do except not send any business in the general direction of a company that does absolutely no research into who they host. If it's all about the cash, there are plenty of hosting companies willing to take it and look the other way. Tera-Byte.com seems to have joined those ranks. Sad, so sad... just gives the whole internet a bad name.
On to finding who is hosting them now - not who registered their domain name.

JMac

I noticed this morning that I was linked to Jennifersblog.com... I went to her site, but really didn't pay too much attention to the link that she had there...
After reading this, I went back to investigae and sure enough, she had a link to my control panel...so I clicked on the link... no password was asked for, it went directly to my control panel... scary!!!
I went back to jennifers again, and now my link is no longer there.... any explanations?? (although I am thrilled that it's not there anymore, I'm still concerned...
I found out that the site is supposedly owned by Brian Mcwatters in Bloomington, MN ... is there any point in emailing him?
Help!!!

After reading this, I went back to investigae and sure enough, she had a link to my control panel...so I clicked on the link... no password was asked for, it went directly to my control panel... scary!!!


I don't think you have anything to be scared about. It is highly possible that you have your Control Panel settings set to automatically log you in when you (and just you) visits it. Other people who would have clicked on the link to your Control Panel should have received the normal login screen.

I usually log into my control panel with my sitename and /cpanel... which opens a login box... I have never gone to my control panel with the link that I found on the blog site... it had my domain name, followed by a colon and the server name (number)...
this is what scares or, at the very least, Pi&&es me off....
I have contacted my hosting company because this server was hacked into last weekend...

Hi again,

Since so many people think they're using this technique to affect their rankings, I've reported the sites I've seen in my logs to Google.
Here's a link to the page on Google where you can report such sites. They stress that they will not become involved in hand-to-hand conflicts between webmasters but will use the information to improve their algorithm. I believe that if enough of us complain and we all have different sites, IPs and content, we won't be considered a webmaster who wants to hurt the competition.
http://www.google.com/contact/spamreport.html

It's a start, right?

And don't forget to click through to the other thread here at WPW called "And now for something completely different" - bummer that there are two threads going and I can't keep track of one, never mind two... I'm too busy watching my access logs since over at http://www.idly.org/2003/11/14/porn_sites_hiding_behind_blogs.php they are listing a new IP number and other blog sites that have been linking to control panels and so on... I want to see how long it takes to spread out!

It's a Mad, Mad World...

JMac

info202-
As mentioned above, don't worry TOO much - I just tried to get into your control panel and was met with the sign in box with user name and password. I used the colon number combination associated with most control panels.
(Not that I'd have done anything malicious had I been able to access your site, of course!)

:-))

JMac

thanks... JMac....
you've been very helpful...

And don't forget to click through to the other thread here at WPW called "And now for something completely different" - bummer that there are two threads going and I can't keep track of one, never mind two...
JMac:

Just email or message Brittany and ask her to merge the two threads.

Like JMac, I reported my list of 10 to Google. You don't have to list your websites to report them. Here's my list: mikesspot.com, teoras.com, malixya.com, jennifersblog.com,wr18.com,worldnewslog.com, saulem.com, bongohome.com,kwlablog.com,akksess.com.

I also wrote to Stargate, the registrar for all . Here's the response I got from Stargate. (I'd like to know how they contacted them if they can't be contacted!!)

==================================
Dear Sir or Madam,

We have contacted the owner of this domains to have them update their whois information as we have been informed that they can not be contacted. As we are not hosting them, that is all we can do for you. They are hosting their own webservers so you may want to try contacting their ISP at http://www.ripe.net with their IP addresses to see if you can get their sites stopped.

Thank you,
Joshua M.
Stargate Account Services Manager
joshm@stargate.com
630-369-1651 x 19
========================================
Maybe someone else can find something at the RIPE site that would indicate they have policies against this sort of activity. I couldn't find anything that makes me feel it would be worth complaining to them.

Info202, I can identify with your angst over discovering this. Even though they need a password to get in, it probably would be a good idea to change your control panel password if you haven't already. It's not that tough to decode passwords and people this devious undoubtedly have those skills. And....like you, I contacted my host and told them about it. Both of my sites have been affected. Surely other people are having the same problem.

Finally, try IP blocking so they can't access your site. Here are the two addresses most everyone seems to be finding:
145.85.3.130
217.73.164.106

Good luck,

Judith

Judith,
Before you decide to contact RIPE, perhaps you should read the entries made at the following forum.
http://www.idly.org/2003/11/14/porn_sites_hiding_behind_blogs.php
JMac listed this URL in a previous post... there was one person who contacted RIPE and they just devastated him...
I already changed my password... and I am going to post something here that I just posted in another thread about this subject..
If you click on the link from your webstats, you will find your link on the bogus blog site, but if you type in the URL, your name is not there.
I assumed that my host's being hacked might have played a role in this, so I went to the other sites I have hosted there and there was nothing... my thoughts were that since my site name is the only one I use here at WebProWorld, someone here is garnering all this info and using it for nefarious purposes....Just a thought!!!

While I don't believe for a millisecond that the *real* people running WebProWorld (Brittany, Garret, et al ... sorry I don't remember everyone's name off hand - no slight intended) have anything to do with this, I believe that WPW may be supplying info to these sites. Not only WPW but several other forums as well.
I know this is possible because one of the sites I manage is a community service free classified listings site and we recently had a similar issue with Spammers using all the email addresses on the site, spoofing, spamming and all manner of sneakiness. One brilliant idea, for instance a free exchange of information like WPW, can be abused by - anyone with enough knowledge and low ethical standards.

Again, so far the best remedy has been to ban the IPs shown and move on with your day. Do NOT click through to the site through your recent visitors. Personally, I download the raw access log and view it in textedit - then I cut and paste anything that I'm interested in directly into my browser - I only made the mistake of clicking through from recent visitors once.

Fortunately, a wise person once said -
It's only a mistake if you don't learn from it.

Good luck!

JMac

I am hoping that this company in Canada has more ... regulations? Morality? Ethics? More to lose? .... one of those.

If they have anything to do with this besides being the unwitting scapegoats, I'm sure they will soon regret it!

What's cooler than being cool? Ice cold...
Sorry, singing along with some tunes! Seemed appropriate when I typed it!

Hahahaha....

JMac

JMac, if you want to do something about this bloggers, talk with george at roedu dot net. he can help you. send him all the info about the ip's you found and describe him your problem. the guys from uni will have some problems. (george is the main administrator from roedu.net). if he won't help you i suggest to try ijurca at utt dot ro. he is one of the founders of roedu.net. he will help you for sure.

Hello everyone,

I have also noticed lots of blog-sites linked to my control panel during the past two weeks. Also many references coming through CGI bin and IP numbers.
I can not figure out the nature of using these methods. Interesting, if not considered as an intruding manner. Can that possibly have any influence or damaging to our business or privacy? I do not think so. Should we ignore? I think the answer is better be yes,
Since we all have experienced the same. It is more likely that we all have posted blogs somewhere, sometime and therefore registered in a database as an active blogger. Or someone might have blogged with a reference to our site. If my theory is right, then what is the big deal? And let it go. Dose it worth wasting time on chasing people all around cyber space?

Best regards,
Kiumars

Progress? Maybe . . .

See Brandon's post in JMac's thread at
http://www.webproworld.com/viewtopic.php?t=8656&postdays=0&postorder=asc&start=25

Quote from "brandon1978: "I sent an e-mail to multiple university of bucharest administrators (including the rector) on the 19th. They responded by not responding, though the sites have now been replaced by default apache pages....that still have the adult webcam link."

Kiumars had excellent advise, anyway.....don't try to chase these people all over cyber space.

BTW, My first blogging came after I was hit, so at least for me it didn't have anything to do with being in a bloggers registry.

Had the same issues with Blog sites linking to mine, and found that by clicking on the weblink from your stats panel will put the link from where you came from in the links list on the Blog site; that is, if you visited the site from your control pannel - then that is the link that is listed. By clicking on this link at the Blog site it will go directly to your control panel; but, if you copy the link and paste it to a new window you will get your log-in form asking for user name and password. Now, if I find any potential Blog sites in my list I check them out by copying the URL and pasting it into a new browser window - thereby no link back to my control panel.

Two new links in my control panel today, Malixya.com and AKKSESS.com have only the Apache and Linux server test page showing at their URL, most strange; heck knows were the link could come from in those circumstances, unless they got Zapped by someone and had to reinstall their server software.

JMac - seems that your favourite Blog Jenniferblog has gone as of today a request to their address is showing server not found. By the way, if you need no get rid of popups on a Mac you can just hold down the option key while clicking the red close button on the window - or use the 'No Pop-Ups program found at Version Tracker.

I noticed this morning that I was linked to Jennifersblog.com... I went to her site, but really didn't pay too much attention to the link that she had there...
After reading this, I went back to investigae and sure enough, she had a link to my control panel...so I clicked on the link... no password was asked for, it went directly to my control panel... scary!!!
I went back to jennifers again, and now my link is no longer there.... any explanations?? (although I am thrilled that it's not there anymore, I'm still concerned...
I found out that the site is supposedly owned by Brian Mcwatters in Bloomington, MN ... is there any point in emailing him?
Help!!!

If you had previously logged in it would still remember your last sesssion .

Hello everyone,

I have also noticed lots of blog-sites linked to my control panel during the past two weeks. Also many references coming through CGI bin and IP numbers.
I can not figure out the nature of using these methods. Interesting, if not considered as an intruding manner. Can that possibly have any influence or damaging to our business or privacy? I do not think so. Should we ignore? I think the answer is better be yes,
Since we all have experienced the same. It is more likely that we all have posted blogs somewhere, sometime and therefore registered in a database as an active blogger. Or someone might have blogged with a reference to our site. If my theory is right, then what is the big deal? And let it go. Dose it worth wasting time on chasing people all around cyber space?

Best regards,
Kiumars

I would check with cpanel to see if there is an exploit. This is probably why it's happening.

What happened.. I was only away for a couple of weeks.. I get back to find some really good threads and minstrel has become a mod (that meant something different when I was growing up)... AND then I checked my access logs for today... hmmmm 5 blog sites listed, and I have never bloged in my life... and the particular logs I checked are for a site that isn't finished yet. Maybe someone's playing with our collective heads (sorry, have conspiracy on my mind... been reading about a magic bullet).
I don't know if these links are doing any real damage, only time will tell on that, but I'd still rather they wern't there.

slán abhaile
John.

Here is the quoted most recent and most unhelpful email I've received from the company in Edmonton.

"being a tech contact on a domain name means a person or company registered
that domain name through our service, domian name registrations have noting
whatsoever to do with the content of their site or their business practices,
to which i really dont care what they do,...
JMac

I tis interesting to read their AUP(Acceptable User Policy)... specially this one http://www.tera-byte.com/aup.html#web_sites
here is a peace of it:
Unlawful content is that which violates any law, statute, treaty, regulation, or lawful order. This includes, but is not limited to: obscene material; defamatory, fraudulent or deceptive statements; threatening, intimidating or harassing statements, or material which violates the privacy rights or property rights of others (copyrights or trademarks, for example).

and so on...

JMac, I would try contacting theit management if it is possible in any way. personally, if you remind me, I can try to reach them, but only from next Monday(8 Dec). I'm a Candian and I do not think that this type of practice is acceptable here or anywhere else.

Yes,
It's happening to me too,many of the same culprits including jennifersblog, worldnewsblog and more:
November "Referrer" Stat Lines:
85 3 0.02% http://www.jennifersblog.com/
88 3 0.02% http://www.wr18.com/
95 2 0.02% http://www.a-b-l-o-g.com/
96 2 0.02% http://www.akksess.com/
103 2 0.02% http://www.kwlablog.com/
133 1 0.01% http://www.bongohome.com/
156 1 0.01% http://www.saulem.com/
167 1 0.01% http://www.worldnewslog.com/
I am pretty close to my hosting company CEO and have made him aware of the problem. It will be interesting to post his reply.

Last month I noticed the same sites referring traffic to me. This month there's no sign of em. who knows...

Well, I did find out something.

It seems these blogsters are using some type pf script that pulls the most recent referrers and sticks them on their page.

I did a little searching through google.ca and clicked on a bloggers link... and the link that was at the top of the list? google.ca
So that explains why you may see a link to your control panel, 'cause you're clicking the link from the control panel.

How it got there in the first place.. hmmm.. not too sure.

incidentally, jennifersblog.com is off-line