Now I have seen it all!

After the attempt I made to sign some kind of treaty with our previous “Forumites” from the other side, they chose to start the fire again this afternoon.

Why on earth can people not just go on with their lives and leave other people alone, where does this ridiculous obsession come from? For the love of me, I can’t even start to comprehend this kind of behavior… Who in this modern world still has the time to think this sh!t out and then think it’s okay to waste someone else’s time with it…

I received the following, make sure you are not eating or drinking anything, I don’t want to be the cause of someone choking on anything:



I am shocked at the fact that I will, as it seems, never break free from my previous association with them. It’s like having a child with your ex, you will never truly be free from her…

Right. So this most likely really happened. We have log files, and the log files confirm that around that time (14:31) we started getting traffic that was referred from that other site.

The short version of this: Over about a 3 hour period, we got roughly 95 hits this way. That is NOTHING compared to the normal traffic we get, and I’m certain it is also nothing compared to the traffic the other site gets in the same time frame. That redirect could not have been in place more than a few minutes, and the only reason it persisted for 3 hours is because the idiot who put the redirect in accidentally made it permanent. I’ll explain more below.

Let’s analyse for a moment what happened. From the above screenshots, we can see that a permanent redirect (301) was added to the .htaccess file. This is an apache configuration file. I remember it, but I haven’t used apache in about a decade. All the cool kids use nginx these days. The config line is this:

```apache
RewriteCond %{HTTP_HOST} ^.*$
RewriteRule ^/?$ "https\:\/\/energytalk\.co\.za\/" [R=301,L]
```

Alright, so what that does is it permanently (that is what the 301 means) redirects all traffic that is specifically on the root of the site (the / URL) to ours. If you were to access a page directly, it would not redirect.

Now there is a reason I emphasise that this redirect was permanent. What this means, is that a browser will remember it for a certain time period, until you clear the cache. If you want the redirect to be temporary, you would use a 302. Hence my comment above about the intelligence of this.

Now, browsers do an interesting thing. They put the site that referred them to the new URL in the Referer: header. The spec doesn’t say that browsers must do this, but most of them do (as long as you redirect from https to https, which is almost certainly the case here).

We can see the referrer on our side. So we can see how much traffic came our way because of this redirect. Also, we need to look specifically for requests going to the root of the site, a GET / request. There are 95 of them. Only 95. They come from around 36 different IP addresses. We’ve got those IP addresses. We can look up which provider owns those IPs. I can see the User Agent header, so I know what browsers are used.

Furthermore, the IP addresses in the email from their service provider are in Europe. 2 are in the UK, 1 is in France, and 1 is in Germany. Of course, whoever did this likely used a VPN.

So, my verdict.

I do not believe for one second that this redirect was in place for more than a few minutes, based on the measly amount of traffic that was redirected. That makes it exceedingly likely that whoever did it, likely did it specifically for the purposes of starting a smear campaign.

I’ve kept a copy of the logs in a secure place. Just in case.

We (the guys admining this site) had nothing to do with this. We’re far too busy, and not nearly stupid enough to be this obvious about it.

5 Likes
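The log check described in the post above (requests for `/` carrying the other site's `Referer`, counted per client IP), as an added example that is not the poster's own script. It assumes the web server writes the standard combined log format; the referrer host `other-forum.example`, the date and every sample line are constructed placeholders.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Combined log format: ip - user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def redirected_hits(lines, referer_host):
    """Return GET / requests whose Referer host is exactly referer_host."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than guess
        if m["method"] != "GET" or m["path"] != "/":
            continue  # the redirect only covered the site root
        host = (urlsplit(m["referer"]).hostname or "").lower()
        if host != referer_host:
            continue  # exact host match, so look-alike hosts do not count
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append({"ip": m["ip"], "ts": ts, "ua": m["ua"]})
    return hits

def summarise(hits):
    """Hit count, distinct client IPs, first/last seen, busiest sources."""
    if not hits:
        return {"hits": 0, "unique_ips": 0, "first": None, "last": None, "top": []}
    per_ip = Counter(h["ip"] for h in hits)
    times = [h["ts"] for h in hits]
    return {"hits": len(hits), "unique_ips": len(per_ip),
            "first": min(times), "last": max(times), "top": per_ip.most_common(3)}

# Constructed sample: documentation IP ranges, placeholder referrer host and date.
REF = "https://other-forum.example"
SAMPLE = [
    f'203.0.113.7 - - [01/Jan/2024:14:31:02 +0200] "GET / HTTP/1.1" 200 5120 "{REF}/" "Mozilla/5.0"',
    f'203.0.113.7 - - [01/Jan/2024:14:31:40 +0200] "GET / HTTP/1.1" 200 5120 "{REF}/" "Mozilla/5.0"',
    f'198.51.100.23 - - [01/Jan/2024:15:10:11 +0200] "GET / HTTP/1.1" 200 5120 "{REF}/" "Mozilla/5.0"',
    f'198.51.100.23 - - [01/Jan/2024:15:12:00 +0200] "GET /t/topic/42 HTTP/1.1" 200 900 "{REF}/" "Mozilla/5.0"',
    '192.0.2.55 - - [01/Jan/2024:16:02:30 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'192.0.2.99 - - [01/Jan/2024:17:20:45 +0200] "GET / HTTP/1.1" 200 5120 "{REF}/index.php" "curl/8.0"',
    'not a log line',
]

if __name__ == "__main__":
    print(summarise(redirected_hits(SAMPLE, "other-forum.example")))
```

Because the `Referer` header is optional, the resulting count is a lower bound on the visitors who arrived through the redirect.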

Now THAT was not written by any legal person. :rofl:

Someone there is trying to impersonate/sound like an attorney attempting to make people “shudder in angst and fear” … who cannot even spell properly!!! :rofl:

Nor will a professional sane attorney send a “warning/intimidation” via WhatsApp! You don’t show your cards ever :rofl:

No, good grief, now that was a good laugh! :rofl:

Here are just 4 more :rofl: :rofl: :rofl: :rofl:

As the owner of our forum I would be ashamed to admit repeatedly that our forum’s security has been breached. If I take how little our forum costs a month and compare it to the claims made by another energy forum of how much they pay a month, I would have thought they would have spent some of that money on better security. Let’s be honest, how many times have they claimed to be hacked in the past…

Never cry wolf, springs to mind.

Delusions of mediocrity

I think it might be time to consider opening an harassment case with the police.

1 Like

Why? I mean, maybe… but why? I remember when I was at uni, one night someone said something about someone else on IRC and the next moment the one guy showed up at the res of the other, demanding a physical confrontation. And I remember thinking… wow… that is so childish. Over stuff said on the internet? Pfffft. You think the police know even half of what is needed to pursue such a case?

I’m going to look into this a bit more merely because I am curious. There’s going to be a pattern somewhere.

I mean this hack is as old as the mountains. This hack where you first obtain FTP access, then upload a .htaccess file. I remember having a site of mine hacked like this back in 2004!

Those IPs are Tor IPs.

1 Like

“Feels like” it is internally orchestrated by a member. The powers that be do not know how to create this little “spot o bother.” Probably the last one where someone had a super IT hacker brother.

Start with a real legal letter asking them to stop this, it is defamation and false accusations. Every good IT lawyer will know how it works in the law.

Know for a fact that some people get really panicky and seriously stressed, so go fully legal. Don’t fake it.

If the opposing counsel then gets the letter and sees the “evidence”, a good lawyer would tell his client, you better stop this … you are going to lose.

If the client insists, a damn good lawyer will then say … ok then, put down this deposit. We start there, when that is used up, we should be kinda halfway, the next deposit will be required.

… people tend to go weak in the knees at that number and walk away.

If they still insist … when that 2nd deposit becomes due … they slither away.

Maybe, with the letter, ask who sent the WA, this and the last one. I recall the writer previously mentioning a friend/brother who “investigated” it for them then. Would blow me down if they are that stupid, this guy telling them HOW to fake it.

My 2 cents.

How do you know? I mean, honestly, I’d love to know how you know.

The reason for looking into the IP addresses in the log file: the attacker may have tested his hack to make sure it works. It’s a very common and very human thing to do. I’ve been whois-ing most of them, they seem to be all over the place, Vox Telecom, Afrihost, Telkom mobile. One, interestingly, is Amazon AWS.

Cross-referencing user agents doesn’t really give any info.

Either way. There is no evidence it was anyone of us. Because we didn’t do it. What would our motive be?

I mean, they could have at least used chatGPT to sound more convincing.

So hopefully the fact that I only vaguely started understanding what this is about after reading Izak’s posts hopefully means that I couldn’t inadvertently have done this.

Do I understand correctly that someone hacked “the other site”’s server and inserted a script that, for a few minutes, could cause you to be redirected to this forum, should you try to access “the other site”’s website? But also that the resultant redirection would have been cached and therefore some browsers would remember to be redirected in the future?

And that hack came from IPs all over the world?

If so, why was the script only in place for a few minutes? Did the hacker remove it again or did “the other site”’s admins pick it up and remove it themselves? Seems a bit suspicious to me.

I would suggest to use Telegram for comms like this, anyone can read on here. No need to inform them of what you are doing.

Regards

I honestly can’t think of a single reason why anyone on here would even try to divert traffic to our site?
We don’t even sell memberships or run AdSense.

The whole thing sounds very suspect to me.

1 Like

This isn’t how healthy people do things. Clearly there is some delusion at play here.

We can talk about specifics and lawyers for days, but the short answer is this:

This person isn’t reasonable and anything and everything will just be more fire for their delusion.

Opening an harassment case calls a spade a spade – this person is harassing other people, and that is a crime.

2 Likes

If their cPanel is connected to their site you will be able to access the DNS records by hacking them. Other sites run as a virtual server and the DNS records are stored with a “third party” hosting company. In that case hacking the server will not give you access to the DNS records and you have to hack the hosting company’s cPanel to access and change the records.

@plonkster can give the correct terminology… I gave the layman’s explanation.

I am looking into this and would do what I can to stop it. It’s almost three years that we are running our own thing, and they keep on returning with their nonsense… Every time out of the blue.

1 Like

Hi Sarel, I understand what you are saying, but I chose to have this in the open and investigate this myself. The powers that be need to understand I will not take this harassment anymore. I want to get to the bottom of this and expose whatever there is to expose… And I am not afraid to do so as I have nothing to hide.

2 Likes

Clearly understood. The legal system locally is not fair no more, sadly… Currently in some legal wranglings in court. Do not give away what your plans are, or how you want to tackle this, just my advice.

Regards

My last say on this before I go to the Solar Show for today.

Last night I opened my WhatsApp on my PC, to screenshot and forward the messages to someone to look into it and guess what I found. This is after I thanked them for the supplied IP addresses, and informing them that I would do my own investigation and make my findings public…

All their messages were deleted… Why?

Luckily I have made screenshots from the phone before this happened.

1 Like