# So, what's going on with the Replica Prop Forums?



## Commander Dan (Mar 22, 2001)

I hope discussion of competing forums outside of hobbytalk is not forbidden, but at both www.thereplicapropforum.com and at www.facebook.com/therpf there is talk of www.therpf.com being hacked and stolen by Russian hackers.

Anyone know the details of what's going on and when this happened?


----------



## robiwon (Oct 20, 2006)

This is true. The domain name was stolen from GoDaddy by a Russian hacker, who is basically holding the name ransom. He has set up a fake site using the stolen name. DO NOT GO TO therpf_ dot _com. It will take you to the fake site. http://www.thereplicapropforum.com/ is the real site. You can read all the details about it there. This all happened a few weeks ago. The correct site has a gold banner over the logo in the upper left corner.


----------



## seaQuest (Jan 12, 2003)

Why would some guy in Russia want that particular site?
It looks like GoDaddy's got some security issues.


----------



## ClubTepes (Jul 31, 2002)

The sad thing is, some people are still posting over there, unaware of the heist.


----------



## swhite228 (Dec 31, 2003)

seaQuest said:


> Why would some guy in Russia want that particular site?
> It looks like GoDaddy's got some security issues.


The site has a large following with a large number of hits each day and generates some easy dollars in ads.

The idea I think is they want Art and company to buy it back from them.


----------



## jheilman (Aug 30, 2001)

The hackers in question have done this before with other sites. They archive the entire site, hack into an admin account, contact the registrar to transfer the domain, then relaunch a copy of the site at the new domain and they have complete control. Then they hope the legit site owners will be so desperate to get the name back, along with ad revenue and search engine placement, that they'll pay for it.


----------



## Maritain (Jan 16, 2008)

jheilman said:


> The hackers in question have done this before with other sites. They archive the entire site, hack into an admin account, contact the registrar to transfer the domain, then relaunch a copy of the site at the new domain and they have complete control. Then they hope the legit site owners will be so desperate to get the name back, along with ad revenue and search engine placement, that they'll pay for it.


But can't the phony site and hackers be traced, and where the money is sent to buy back the site?


----------



## seaQuest (Jan 12, 2003)

Not if they're using a boatload of proxy servers. They would need to hire one of those cybercriminal experts which would not be economically feasible for a small company/community. Their services don't come cheap.


----------



## Maritain (Jan 16, 2008)

seaQuest said:


> Not if they're using a boatload of proxy servers. They would need to hire one of those cybercriminal experts which would not be economically feasible for a small company/community. Their services don't come cheap.


Ouch...so crime does pay.


----------



## jheilman (Aug 30, 2001)

From what we're hearing, being in Russia complicates matters. They know who the hacker is and are mounting a legal battle to regain the domain. As far as recovering damages from this guy, unlikely. One source noted that the guy has done far worse and received a suspended sentence only.


----------



## Edge (Sep 5, 2003)

Thanks for this thread!

I went to the fake site and figured I just couldn't see the details because I didn't have a login.


----------



## Rotwang (May 25, 2011)

What is GoDaddy saying about all this? Could they be held legally liable for this clusterfunk?


----------



## Commander Dan (Mar 22, 2001)

Does anyone know if it's possible to send PMs or emails on the fake site? I have been trying to send warnings to people that have been posting in recent days, but seeing as how I sent several PMs, and then saw an empty outbox, I wonder if PMs have been disabled in some manner...


----------



## robiwon (Oct 20, 2006)

They may have disabled that function due to the enormous spam attack launched by RPF members on the fake site. Art is doing what he can, legally, to get his domain name back. It won't be cheap and there are few drives on the real site for support of the cause.

Just be aware that if you log into the fake site or join, they will have all of your contact info and passwords. If you are a member of the RPF change your password on the real site. You can not go to the fake site and clear anything that is there because they just reboot the site with a backup from when it was originally hacked. It's best to just stay away from the fake site altogether, IMO.


----------



## jheilman (Aug 30, 2001)

As of last night, PMs still worked on the fake site. There is a pretty organized group that take shifts to PM all legit users who unknowingly post on the fake site. Occasionally, they PM one of the hacker's many sockpuppet accounts and get perma-banned. But, other members are handing over their account info for use in the campaign. 

It really is best to stay off the fake site so those sending PMs will have an easier time rounding up the strays and directing them to the new home. 

If you are a member, it's very important to log on to the Real site and change your password. Also, because passwords on the old site are possibly compromised, if you used that same password anywhere else (email, PayPal, etc.) I'd change it.

The hackers are very industrious in trying to keep up the appearance that the fake site is legit. They've gone so far as to create numerous sockpuppet accounts to add generic replies to threads. I've never seen so many posts from members with nonsense names and total post counts under 5. :tongue:


----------



## starseeker (Feb 1, 2006)

jheilman said:


> It really is best to stay off the fake site so those sending PMs will have an easier time rounding up the strays and directing them to the new home.
>
> If you are a member, it's very important to log on to the Real site and change your password. Also, because passwords on the old site are possibly compromised, if you used that same password anywhere else (email, PayPal, etc.) I'd change it.


I'm curious: how do people know the site you linked to is the real one? There's not a mention of them being hijacked anywhere on that site that I can see, which seems odd. If you log into a compromised site and change your password, how can you be sure that you've not revealed your own password and created a password into a fake site?
One of the best recent hacks into a massive US defense corporation involved the hackers also setting up a fake help desk that concerned users logged into, thereby exposing themselves to worms which compromised the whole corporation.
The best advice I can think of is for everyone to Stay Away from RPF and do not use or change your passwords or download anything, including photos, nor have contact with anyone at the supposed fake site for any reason (No Emails!!) for any reason whatsoever.
And if you have been on the RPF site, use at least 3 up-to-date anti-malware programs like MalwareBytes or SuperAntiSpyware and your own anti-virus to give your own systems regular complete scans every week for the next month.
Stealing RPF for its revenues is probably the least of the reasons the site was taken. All it takes is for one user with sloppy security on their own computer to provide a gateway into their own work site or their own personal or banking information. Total paranoia: do not open any e-mails from anyone on the RPF site unless you can confirm they were really sent from them.


----------



## robiwon (Oct 20, 2006)

robiwon said:


> The correct site has a gold banner over the logo in the upper left corner.


I will quote myself. If the top left corner of the site you go to does not look like this, you are at the fake site.


----------



## kahn1701 (Jul 11, 2005)

*Banned LOL*

I was just banned from the hacked therpf site for spreading the news.
I delighted in removing all my posts on therpf hacked site and replacing it all with the info below..LOL
I rock...Join in the fun y'all...LOL


----------



## Commander Dan (Mar 22, 2001)

Well, the good news is my password I was using on RPF was a password I no longer use anywhere else. I did change that password over at the new alternate RPF site though...

I tried posting on the hacked site to warn others, but was pretty quickly banned. I then re-registered using a freebie email account, and tried to be a bit more subtle in my “warnings,” but apparently I still wasn’t subtle enough, as I was banned once again, and my posts deleted. I tried...

Funny thing is, there are a few posts here and there still in place, outright warning others, so it seems those have slipped through the hacker’s fingers...


----------



## Captain April (May 1, 2004)

Makes ya wonder if these hacker clowns really know what they're doing...


----------



## kahn1701 (Jul 11, 2005)

*Hacked again??*

Never mind, she's up now..


----------



## starseeker (Feb 1, 2006)

robiwon said:


> I will quote myself. If the top left corner of the site you go to does not look like this, you are at the fake site.


If they can replicate the entire site and take it over, why couldn't they replicate a little gold banner? 

I'll repeat: screwing the rpf site over to get ad revenue is probably the very least of the bad they could do. The worst is getting worms or other malware into the computers of everyone who visits either site and scoring access to their business or personal information. If you absolutely have to visit the rpf site in the next few months, use Boxie or some such sandbox program to ensure that you're safe. And if you have been there, regularly scan your computer with a triumvirate of anti-malware programs.

Big difference between Hobbytalk and RPF: back when Hobbytalk was being messed with a few weeks ago, it ended up with all kinds of security warnings from Firefox, as well as assurances and constant updates from HT moderators. RPF apparently has been completely compromised and is a huge risk to anyone who interacts with it and the owners haven't shut it down at least temporarily for their members' safety. HT was very concerned not only for themselves but also about keeping us safe. Rpf continues to run a "real" site (with a gold banner that no one on earth could possibly replicate??) alongside a fake site and members take their chances?

Boxie is free, by the way. So is SuperAntiSpyware and MalWareBytes, among many others.

Edit: Wonder how long before members' compromised passwords at rpf give the hackers some HT passwords. Could HT be next? Just another reason to practice safe computing.


----------



## jheilman (Aug 30, 2001)

Sure they could replicate the gold banner. That's why you need to verify you are using the correct url of thereplicapropforum.com and NOT therpf.com. 

The admins immediately sent an email warning to all members after the hack was discovered. They have sent 3 emails to members keeping them updated. And, if you log in to the real site and look at the OT forum, you will see a 146-page thread detailing EVERY detail of the hack and how members have banded together to rescue those who were not aware of the issue. For independent proof, look for "RPF hacked" through google, check out thereplicapropforum's twitter, facebook, youtube, etc. Also, Art Andrews (RPF Admin) says to check out his personal facebook page as another source of official info. 

Yes, avoid therpf.com like the plague, take enough security measures with your personal data, but don't punish the legitimate site that is the victim in this attack. They are working hard through legal channels to right this wrong.


----------



## starseeker (Feb 1, 2006)

I'm a registered rpf'er, tho' for the last couple of years I only lurk once or twice a month to see if anything is new. Last time I was there was only a week or 10 days ago. Wonder if it was the real site? I haven't received any emails from them during any of this. HT is the only source I have for any of this.
Interesting thread here:
http://css-tricks.com/this-sites-domain-is-stolen/
Sounds like GoDaddy is as much of the problem as anything else.


----------



## robiwon (Oct 20, 2006)

If you went to the url that has been stated is the real site, then yes, you were at the real site. There are greater security measures on the temporary site and it is not hosted by GoDaddy. The fake site is not going to have any info on the hack except our repeated spam attacks of the fake site. On the real site you will find the very detailed thread on what happened. When the spam gets bad at the fake site the hacker just reboots the site from back in December when he snagged it from Godaddy. All new posts are gone and many real RPF members are banned.

You're safe if you go to the link posted above. Stay away from the fake site.


----------



## jheilman (Aug 30, 2001)

Research after the fact revealed that many members had their accounts set up to NOT receive admin emails. I believe, at least temporarily, they have set all accounts on the new site to receive admin notices to keep up to date on things.


----------



## jheilman (Aug 30, 2001)

starseeker said:


> Interesting thread here:
> http://css-tricks.com/this-sites-domain-is-stolen/
> Sounds like GoDaddy is as much of the problem as anything else.


That's similar to what happened to the rpf as far as locking out the owner and transferring the domain without their knowledge. But, in the case of the rpf, the hacker found an unexpected weakness and exploited it. In a very real sense, he did not hack the site. He found passwords and used them. And, Art is very clear that despite less-than-helpful customer service, godaddy is not at fault here. The thief performed all the correct steps for a domain transfer using his stolen ID.


----------



## robiwon (Oct 20, 2006)

Except that godaddy did not contact Art to confirm and transferred the account after 10 days to my understanding.


----------



## jheilman (Aug 30, 2001)

They did not contact Art via telephone. But, the hacker did respond to emails from godaddy and then deleted them before Art saw them. So, yes, maybe their transfer policy should have a couple more layers to it. :thumbsup:


----------



## terryr (Feb 11, 2001)

The Hacker got into the owner's gmail and diverted emails from godaddy. So he never got any mail from them. To godaddy it seemed like a normal transfer of domain. [godaddy was pro SOPA, but doesn't care that his site got stolen. funny] Gmail is easy to hack from what others have said.
The owner also happened to send his passwords in an email. So now the hacker could get into the RPF and put in a rootkit.

Many members went to the fake site and emailed everyone many times. Many thought the emails were to the fake site and wouldn't change. A few finally did and whined 'why didn't you tell me?!'

Some members also created chaos at the fake site, POed the hacker and he used the rootkit at the real site to delete the members just for spite. This was their plan, and they now saw where the rootkit was and eliminated it.

Now the lawyers are stepping in.

This thread should be in general /movie talk.


----------



## d_jedi1 (Jan 20, 2007)

I started a thread about this a while back.. I think I posted it in "other hobbies" since I wasn't exactly sure where it should go.
One quick thing that I'll note, if you DO go to the old (stolen) url then you should make certain that you run a good virus scan afterwards. 
I was one of the ones spamming the site after the attack and every time I went, I ran a virus scan and it DID find stuff coming in from the ads there. 
Anyway, when we spammed it, we'd go until we got banned, at first "adminds" as he was calling himself, would reset the site to a previous date which un-banned us. Eventually he got wise to that and stopped.
Someone(ones?) managed to gain his trust and became mods, when he went offline, they unbanned us all and it was on again. :thumbsup:
I think I've been banned on the fake site like five times now. Still banned but who cares? My account on www.thereplicapropforum.com is still fine.


----------



## d_jedi1 (Jan 20, 2007)

The domain has been returned, the site will be returning.
Art posted this today.


----------



## Lloyd Collins (Sep 25, 2004)

Until the next time......


----------



## robiwon (Oct 20, 2006)

Thanks d_jedi1, I hadn't gotten over here to post that yet. Definitely a great day on the RPF. Steps have been taken so it won't be as easy next time if someone tries again.


----------



## Captain April (May 1, 2004)

That's good to know.


----------



## Dyonisis (Nov 11, 2009)

d_jedi1 said:


> Anyway, when we spammed it, we'd go until we got banned, at first "adminds" as he was calling himself, would reset the site to a previous date which un-banned us. Eventually he got wise to that and stopped.
> Someone(ones?) managed to gain his trust and became mods, when he went offline, they unbanned us all and it was on again. :thumbsup:


 That was stupid - wasn't it?


----------

