Hi all,
This is my first time posting in this forum (disclaimer: please let me know if this is not the right place to post this). I'm turning to the Linux server discussion gurus for some sagely advice :)
I have a VPS web server running CentOS with Apache and all the other good web server jazz. The main website hosted on the server is http://jettisonquarterly.com (IP: http://184.82.106.92) Lately I've noticed (by stumbling across in a Google search when testing my SEO) that another domain (http://42639104591279053.forth.arraymultisort.info or really http://any_string.forth.arraymultisort.info/) is apparently forwarding all requests to my IP address. The reason I'm pretty certain they're forwarding and haven't stolen/cloned my site is because if I access that site from home, my home IP address shows up in my access logs.
I'm fairly certain this is a fledgling attack. Every once in a while my access logs will show something like this (just a sample):
111.164.160.222 - - [23/Mar/2011:06:06:33 -0500] "GET /currentIssue/cover.jpg HTTP/1.1" 200 17424 "http://8683227610213234105.forth.arraymultisort.info/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; QQDownload 672; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
111.164.160.222 - - [23/Mar/2011:06:06:42 -0500] "GET /images/logo.png HTTP/1.1" 200 5556 "http://8683227610213234105.forth.arraymultisort.info/" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; QQDownload 672; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
where that domain seems to be referring style sheets, javascript files, images, etc.
So the real question is: Is there a way that I can block this site from forwarding itself to my site's IP address and essentially cloning my site?
I can think of a few reasons why I don't want this happening:
-The site (after doing some WHOIS searches) is clearly meant for malicious purposes
-The owner is listed as being in China (although not necessarily a red flag, I've had my fair share of problems with Chinese spiders and the like in the past)
-In some cases, they're stealing search engine hits
-Since it began, I've been getting some very strange query strings appearing in my access logs (eg. "?kw=%E4%B8%80%E5%93%81%E6%A5%BC%E8%AE%BA%E5%9D%9B%E6%9C%80%E6%96%B0%E5%9C%B0%E5%9D%80")
-I don't know who this is and what they're doing.
It's that last part that makes me the most suspicious- I can't figure any reason for this to be happening unless there's some kind of spoofing, injection attacks, or XSS attacks being in the works.
So please, DaniWeb folks, enlighten me- does this seem like a real threat I should be concerned about? If so, how do I go about stopping it?
Thanks much,
Ty