Another Tablo site?

I know this looks like spam, I’m the SurLaTablo author… those without fear (i.e. Tablo Support) really need to click on the link below…

http://www.secretlocationgames.com/

Copied or hijacked or redirected content, or a mirror, scary.

OR maybe it’s the same ISP or host of their forums here?


Type or paste this into Google - 
(even as a security pro, I won’t go there until I run some tests. Give me a few minutes and I’ll let you know what secrets I REALLY find there!)

edit: Hang on, I’m doing an in-depth analysis of the site’s content for threats, scripts, etc.

I’ve seen that URL before; the more I think about it, I’ve seen it elsewhere… now to figure out why and where.

BTW - so far coming up empty, but…not SURE yet.

IP appears to be 66.228.32.178
ASN Net Access Corporation


Recent reports on same IP/ASN/Domain

Last 6 reports on ASN: AS8001 Net Access Corporation

Date                 UQ / IDS / BL   URL                                                                                           IP
2015-02-04 21:52:09  0 - 1 - 0       www.emulator-zone.com/download.php/emulators/gba/vboyadvance/VisualBoyAdvance-1.8.0-beta3.zip  162.216.16.221
2015-02-04 21:36:13  0 - 0 - 0       www.dividend.com/assets/sather/base-db1ef229d82985a87c93f4dce9c394d8.js                       173.255.224.201
2015-02-04 20:04:13  0 - 0 - 0       reynoldslawplc.com/node/287133/                                                               198.74.56.121
2015-02-04 19:46:57  0 - 0 - 0       reynoldslawplc.com/node/271713/                                                               198.74.56.121
2015-02-04 19:44:17  0 - 0 - 0       muckrack.com/kevin-gimay/bio                                                                  23.239.10.180
2015-02-04 19:40:04  0 - 0 - 0       muckrack.com/kevin-kumar/bio                                                                  23.239.10.180



Analysis Date 6 seconds ago
Safety Reputation 0/30
Domain 1st Registered 2011-12-20 (3 years ago)
Server Location Flag (US) United States
Google Page Rank
Alexa Traffic Rank 13,806,111

Domain is registered under the name “James Milward”… it’s a Linode host.

Not sure if that helps anyone…

With that said, Vanilla Forums is pretty hackable out of the box… just saying…

Here are the HTTP “get” calls and the responses



GET / HTTP/1.1 

 66.228.32.178
 HTTP/1.0 200 OK 
Content-Type: text/html; charset=utf-8 

 

GET /ajax/libs/jquery/1.7.2/jquery.min.js HTTP/1.1 

 74.125.133.95
 HTTP/1.0 200 OK 
Content-Type: text/javascript; charset=UTF-8 


GET /themes/percepticon_tablo/design/style.css?v=2.0.5 HTTP/1.1 
 
 66.228.32.178
 HTTP/1.0 200 OK 
Content-Type: text/css 


GET /plugins/cleditor/design/jquery.cleditor.css?v=1.3.1.1 HTTP/1.1 

 66.228.32.178
 HTTP/1.0 200 OK 
Content-Type: text/css 


GET /plugins/Tagging/design/tag.css?v=1.6.2 HTTP/1.1 

 66.228.32.178
 HTTP/1.0 200 OK 
Content-Type: text/css 



GET /plugins/Emotify/design/emotify.css?v=2.0.5 HTTP/1.1 

 66.228.32.178
 HTTP/1.0 200 OK 
Content-Type: text/css 


GET /themes/percepticon_tablo/design/custom.css?v=2.0.5 HTTP/1.1 

 66.228.32.178
 HTTP/1.0 200 OK 
Content-Type: text/css 

 
GET /plugins/ButtonBar/design/buttonbar.css?v=1.6 HTTP/1.1 

 66.228.32.178
 HTTP/1.0 200 OK 
Content-Type: text/css 


GET /plugins/LikeThis.old/css/like.css?v=0.8 HTTP/1.1 

 66.228.32.178
 HTTP/1.0 200 OK 
Content-Type: text/css 


GET /plugins/Buttons/design/buttons.css?v=1.0 HTTP/1.1 

 66.228.32.178
 HTTP/1.0 200 OK 
Content-Type: text/css 


GET /plugins/Sprites/design/sprites.css?v=1.0 HTTP/1.1 

 66.228.32.178
 HTTP/1.0 200 OK 
Content-Type: text/css 


GET /js/library/jquery.popup.js?v=2.1.5 HTTP/1.1 

 66.228.32.178
 HTTP/1.0 200 OK 
Content-Type: application/javascript 


GET /js/library/jquery-ui-1.8.17.custom.min.js?v=2.1.5 HTTP/1.1 

 66.228.32.178
 HTTP/1.0 200 OK 
Content-Type: application/javascript 


GET /js/library/jquery.form.js?v=2.1.5 HTTP/1.1 

 66.228.32.178
 HTTP/1.0 200 OK 
Content-Type: application/javascript 


GET /js/library/jquery.livequery.js?v=2.1.5 HTTP/1.1 

 66.228.32.178
 HTTP/1.0 200 OK 
Content-Type: application/javascript 


GET /js/library/jquery.gardenhandleajaxform.js?v=2.1.5 HTTP/1.1 

 66.228.32.178
 HTTP/1.0 200 OK 
Content-Type: application/javascript 


GET /js/global.js?v=2.1.5 HTTP/1.1 

 66.228.32.178
 HTTP/1.0 200 OK 
Content-Type: application/javascript 


GET /plugins/ButtonBar/js/jquery.hotkeys.js?v=1.6 HTTP/1.1 

 66.228.32.178
 HTTP/1.0 200 OK 
Content-Type: application/javascript 



GET /plugins/ButtonBar/js/buttonbar.js?v=1.6 HTTP/1.1 

 66.228.32.178
 HTTP/1.0 200 OK 
Content-Type: application/javascript 


GET /themes/percepticon_tablo/js/custom.js?v=2.0.5 HTTP/1.1 

 66.228.32.178
 HTTP/1.0 200 OK 
Content-Type: application/javascript 



GET /applications/vanilla/js/discussions.js?v=2.1.5 HTTP/1.1 

 66.228.32.178
 HTTP/1.0 200 OK 
Content-Type: application/javascript 



GET /uploads/RZVEQLQT6IF9.jpg HTTP/1.1 

 66.228.32.178
 HTTP/1.0 200 OK 
Content-Type: image/jpeg 


GET /plugins/GoogleSignIn/design/google-icon.png HTTP/1.1 

 66.228.32.178
 HTTP/1.0 200 OK 
Content-Type: image/png 


GET /plugins/OpenID/design/openid-icon.png HTTP/1.1 

 66.228.32.178
 HTTP/1.0 200 OK 
Content-Type: image/png 



GET /uploads/favicon_df95908c576db3c0.ico HTTP/1.1 

 66.228.32.178
 HTTP/1.0 200 OK 
Content-Type: image/vnd.microsoft.icon 


GET /images/sprites-14-000.png HTTP/1.1 

 80.239.178.179
 HTTP/1.0 200 OK 
Content-Type: image/png 


GET /themes/percepticon_tablo/design/fonts/glyphicons-halflings-regular.woff HTTP/1.1 

 66.228.32.178
 HTTP/1.0 200 OK 
Content-Type: application/x-font-woff 



POST /settings/analyticstick.json HTTP/1.1 

 66.228.32.178
 HTTP/1.0 200 OK 
Content-Type: application/json 

These are domain names connected to the email address - there are about 32 domains that use this email address in the registration.
accounts@thesecretlocation.com 

gifs-exchange.com 
herdfm.com 
whatarethe7.com 
intothebreech.com 
whatarethe7s.com 
secretlocationgames.com 
endgameseries.com 
dusk3.com 
humansvsvampires.com 
fitxchange.net 
secretlocation.net 
secretlocation.info 
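
Since the capture above is pasted in a loose text layout (request line, responding IP, status line, Content-Type), the quickest defender's check is to parse it and see which loads were answered by an IP other than the site's own host. The script below is an added example, not code from the thread or from any poster; the sample it embeds is a constructed excerpt of the capture in the same format, and it assumes that the most frequent responding IP is the site's own origin, which is the script's heuristic rather than anything the capture states.

```python
"""Summarise a pasted HTTP capture by responding IP and flag off-host loads.

Constructed excerpt in the same layout the thread's capture uses:
request line, blank line, responding IP, status line, Content-Type.
"""
from collections import Counter
import re

# Constructed sample: a handful of entries copied in the thread's format.
SAMPLE_CAPTURE = """\
GET / HTTP/1.1

 66.228.32.178
 HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8


GET /ajax/libs/jquery/1.7.2/jquery.min.js HTTP/1.1

 74.125.133.95
 HTTP/1.0 200 OK
Content-Type: text/javascript; charset=UTF-8


GET /themes/percepticon_tablo/design/style.css?v=2.0.5 HTTP/1.1

 66.228.32.178
 HTTP/1.0 200 OK
Content-Type: text/css


GET /images/sprites-14-000.png HTTP/1.1

 80.239.178.179
 HTTP/1.0 200 OK
Content-Type: image/png


POST /settings/analyticstick.json HTTP/1.1

 66.228.32.178
 HTTP/1.0 200 OK
Content-Type: application/json
"""

REQUEST_RE = re.compile(r"^(GET|POST|HEAD|PUT|DELETE)\s+(\S+)\s+HTTP/\d\.\d$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
STATUS_RE = re.compile(r"^HTTP/\d\.\d\s+(\d{3})\b")


def parse_capture(text):
    """Return a list of dicts: method, path, ip, status, content_type.

    The pasted format is loose (stray spaces, variable blank lines), so the
    parser walks line by line and fills the current record as fields appear;
    a new request line starts a new record.
    """
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REQUEST_RE.match(line)
        if m:
            current = {"method": m.group(1), "path": m.group(2),
                       "ip": None, "status": None, "content_type": None}
            records.append(current)
            continue
        if current is None:
            continue
        if IP_RE.match(line):
            current["ip"] = line
        elif (m := STATUS_RE.match(line)):
            current["status"] = int(m.group(1))
        elif line.lower().startswith("content-type:"):
            # Keep only the media type; the charset parameter is not needed here.
            current["content_type"] = line.split(":", 1)[1].split(";")[0].strip()
    return records


def primary_origin(records):
    """Heuristic (an assumption of this script): the IP answering the most
    requests is treated as the site's own host."""
    counts = Counter(r["ip"] for r in records if r["ip"])
    return counts.most_common(1)[0][0] if counts else None


def offhost_resources(records, primary_ip=None):
    """Requests answered by an IP other than the primary origin; these are the
    loads worth a second look when a site appears to be a mirror, since they
    show which pieces are pulled from somewhere else."""
    primary_ip = primary_ip or primary_origin(records)
    return [r for r in records if r["ip"] and r["ip"] != primary_ip]


def summarize_by_ip(records):
    """Map each responding IP to the sorted list of media types it served."""
    by_ip = {}
    for r in records:
        if r["ip"]:
            by_ip.setdefault(r["ip"], set()).add(r["content_type"])
    return {ip: sorted(t for t in types if t) for ip, types in by_ip.items()}


if __name__ == "__main__":
    recs = parse_capture(SAMPLE_CAPTURE)
    print("primary origin:", primary_origin(recs))
    for ip, types in summarize_by_ip(recs).items():
        print(f"{ip:16} {', '.join(types)}")
    for r in offhost_resources(recs):
        print(f"off-host: {r['method']} {r['path']} <- {r['ip']} ({r['content_type']})")
```

Run against the full capture pasted above, the same functions list every load that did not come back from 66.228.32.178, which is the starting point for checking where a suspected mirror is really pulling its scripts and images from.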

To capture information like passwords, etc.?

We saw this a few weeks ago and it weirded us out. Not sure why this guy would want to replicate our forum… 

Imitation is the sincerest form of…creepiness?

I don’t know how things work in Canada (eh?), but in the good ole USA, what they are doing is a trademark violation at the very least and if you don’t pursue action, you’ll lose your trademark. Just saying…

Maybe just give him a call and threaten the legal action ???


Registrant Name: James Milward
Registrant Organization: Secret Location
Registrant Street: 80 Mitchell Ave.
Registrant Street: Unit 3
Registrant City: Toronto
Registrant State/Province: Ontario
Registrant Postal Code: M6J 1B9
Registrant Country: Canada
Registrant Phone: +1.4168495298
Registrant Phone Ext:
Registrant Fax: 
Registrant Fax Ext:
Registrant Email: accounts@thesecretlocation.com

Or even contact GoDaddy with a stop and desist letter ;) 

Maybe we’ll go with this approach…



LOL

Or even contact GoDaddy with a stop and desist letter ;) 

I wouldn’t host with GoDaddy if they were the last hosting service in the solar system. Of the addresses and domains in our firewalls, they are over 50% of them. They have a “don’t ask, don’t tell” policy on their customers hosting malware and other goodies, some not legal, on their servers. 
They don’t care as long as the server it’s on doesn’t fry. 

I know some network admins that blanket block anything hosted by them, no exceptions. 

@cjcox has a point, too - if the trademark and symbols aren’t actively protected if someone else uses them unchallenged for a long enough time, you could lose rights. 
I used to own a store with a logo, name, domain and all and I had to search to ensure we didn’t step on someone else, and had to search to ensure others were not using it risking us losing it. 
If it does end up connected with malware or something, the name could get blacklisted as well.

It might also have to do with SEO and/or bypassing spam bots … since if they are scraping the text posted here it might help them get by heuristic checking since it’s generated by real people … 

It’s not a scrape, it’s a pull.  I’ve used Vanilla forums in the past, it’s pretty easy to grab everything (and I do mean everything).

I am guessing they are breaking some US laws in doing so

heheheh - you can’t grab everything from the forum I run - only what I allow “guests” to see. The rest is protected in a SQL server. In fact even registered users can’t see everything, some require special group membership. 
Bots scour the web for content. We have a dozen or more bots on our forum at any given time. Google is our most frequent visitor and I’ve found that something posted on the forum at 10:05am may show up in a google search as early as 10:15am that same day. 

There are also bots running to check for slander or libelous things being said about people. eBay pays a service to “surf the web” using bots and they look for the eBay name being used along with certain key words. Similar for celebrities - if you have the money and want to protect your name, you pay for these services to scour the web and harvest posts from forums and so on and look for the name and certain words being used with that name. 
There is software free for you and me to use that will harvest all files from a web site (unless it’s inside a database and requires authentication, etc.) A typical web site can be harvested - all pages, files, scripts, images and so on in short order by a good server and bot. I’ve done it before - I’ve harvested complete web sites, lock, stock and barrel, using software run from my home server. (it was for study and nothing more, though, so it was legal in that respect)
Since this forum can be read by non-members the whole content can be harvested by bots - and chances are that every post made since hour 1 exists on Google’s servers along with other servers that keep pretty darned complete histories of the web. I think one was or is called “way-back” or something like that. 
But this one bugs me not only because of what’s being done, but what else I have found associated with the site and how some of it functions. My complete analysis shows they are actually utilizing files hosted on OTHER sites to do their stuff - hijacking. If it’s not illegal, it’s unethical as heck. They are playing a nasty game as if they did that to some people I know, they’d likely find their servers trashed. One fellow I know of in California, a friend from years ago, had someone hijacking his web content - he poisoned it - the sucker hijacking content got caught with porn. 

You’ll also find some turkeys doing similar with eBay content - to trick people into going to their site that LOOKS like eBay and acts like eBay, but they are harvesting information - eBay accounts, passwords and so on - sort of like I mentioned this other place technically could do here - because MOST people on the web use the same password or a limited set of passwords for everything they do. 
I’d bet money now that there’s people here on this very forum or site who have a  Tablo community ID and password - and the password is the same as their email password, eBay password, PayPal password and so on. All they need to do is gather passwords as people hit those pages and they’ll have accounts worth some money. 
This sort of thing is not to be taken lightly and if I was Tablo legal, I’d be all over them like flies on #$%!
And frankly after seeing such stuff I would even recommend any of you who log in HERE and have used the same password HERE that they use for anything else at all should go change their passwords for those other services.
I’ve seen too much crap to trust anything like that. It could be a dumb-butt kid playing some game he thinks is funny or a joke, or maybe it’s a prank or school project - or it could be something more. 
3 people today at work went to legit sites for their daily jobs - and hit malvertising - those legit sites had had “bad Flash” ads injected into them. It’s too danged easy to do because most network people and server people are last week’s burger flippers or CFOs who found themselves tasked with taking care of a server and not really good at keeping things safe and secure. 
There are a couple hundred servers running in state government where I work that are still on Server 2003 and not current with patches. How smart is that?
It's not a scrape, it's a pull.  I've used Vanilla forums in the past, it's pretty easy to grab everything (and I do mean everything).

tomato/ tom-at-toe … regardless it’s still weird and should be stopped … but I am still thinking it’s some way of tricking search engines into ranking their content higher more than any specific nefarious purpose of tricking users, and getting money from the almighty Google AdWords cash cow.