
Phantom clone

Started by Sir Osis of Liver, January 11, 2020, 06:34:32 PM


Sir Osis of Liver

One of my guys has been receiving registration notifications from a domain other than his own.  His forum has apparently been copied into another domain on a different server, running a dump of his database from approx. a month ago.  The legit forum is here, clone is here.  Clone is somewhat functional, registration works, lot of internal links don't.  Haven't been able to search up anything useful for quickphpfix.com.  ICANN lookup shows nameservers at quickfix10.com.  Oddly, quickfix.com redirects to washingtonpost.com, which I read regularly.  Never seen anything like this before.
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

AlanDewey

nslookup for the evil domain leads us to InMotion Hosting, Inc in California.

I have seen i.p.s for InMotion Hosting Inc in my server logs way too often, attempting to do bad things. These i.p. ranges get blocked. This i.p. range for InMotion is a new one for me, so blocked it just a minute ago.

I see the paypal donate link for the evil site is different than the legit site; is it worth trying to get Paypal involved?  At least shut off their donate link?
Causing lots of electrons to push each other around since 1985.

Looking

Without knowing the case I would ask if DNS entries are correctly set up / if there is not cross domain stuff set out that hasn't been removed.

Sir Osis of Liver

Been offline since last night, just catching up.  The Paypal link in treasury mod goes to the correct PayPal account, it hasn't been jacked.  Forum owner has only one domain in his host account, has no idea what quickphpfix.com is.  Believe he posted a complaint to domain registrar, the clone is still running.

Sir Osis of Liver

This ends up being a Hostgator screwup.  Forum owner had moved to HG for a day, didn't like it, cancelled account and got refund.  Last post date on clone corresponds with day he did it.  Apparently, for whatever reason, HG uses this domain to set up new accounts.  Clone was removed on request, different website is running at that domain today.


m4z

"Faith is what you have in things that don't exist."
--Homer Simpson

There is a German support board here in the forum!

drewactual

that is tacky as can be... i was watching this as i had a similar issue when i moved servers some time back from VPS to dedicated- and.... gouged up the DNS settings at the top level registrar.  still having access to the 'old' server i changed the name of index to something else, and set up an index.html (the server setting for default, obviously) and a forward... it happened until i realized i hadn't changed the top level, so... once that was altered and time enough to propagate, never saw it again.

what you were explaining sounded like a straight up hijack- so i kept my jawls shut instead of offering up my experience.  looks like perhaps i should have when i first saw this.

Sir Osis of Liver

Don't think it was malicious, just stupid.  Hostgator was running this bootleg for almost a month, forum owner wouldn't have known if he hadn't started receiving registration notifications from bots registering at different domain.  There's still a different website running at that domain.
