[15:06:21] <snitch>	 [[Tech]]; Mbruno946; /* Air manager 4 program */ new section; https://meta.wikimedia.org/w/index.php?diff=22081151&oldid=22063946&rcid=20005521
[15:09:27] <snitch>	 [[Tech]]; RhinosF1; Reverted good faith edits by [[Special:Contributions/Mbruno946|Mbruno946]] ([[User talk:Mbruno946|talk]]): Not wikimedia relaed ([[User:Xiplus/Twinkle|GTW]]); https://meta.wikimedia.org/w/index.php?diff=22081153&oldid=22081151&rcid=20005523
[23:21:32] <perryprog>	 Hi—I got a super odd report of a website of questionable intent that seems to be either weirdly or badly spoofing enwiki. I'm bringing it up here because it's technically interesting, and I'm also curious if it's worth forwarding to a WMF-person as I'm unsure if the domain it's hosted on is very legitimate due to the similarity to Wikipedia's own.
[23:22:23] <perryprog>	 So! The site itself is here: https://en.m.wikpideia.org/wiki/Lemon . The weird thing about it is it /almost/ always 302 redirects you to the "real" mobile enwiki mainpage.
[23:23:19] <perryprog>	 The only circumstance I've found is by using a specific session token for the PHPSESSID cookie. If it's set, you aren't redirected and are instead put on... the weirdest mirror/spoof of Wikipedia ever.
[23:25:32] <perryprog>	 Essentially it seems to have a wrapper script that runs some odd JS that does some text modification to the body of the article. On the above link, it changes the lede to be "The Lemon (Numerous limon) Is a Suggested Of small Constantly Tree in the Advantages plant Advantages Different, Effectively to Asia, Advantages Effectively India (Assam), Effectively numerous or China.[2]"
[23:27:08] <AntiComposite>	 weird
[23:27:49] <perryprog>	 Also worth noting—the session token that previously worked for "making" the site load no longer works, so I have no clue as to how to get the non-redirect version of this site. I do have a saved version of when it was working, of course.
[23:28:28] <Reedy>	 We can report it as a spoof site/trademark abuse
[23:28:49] <perryprog>	 Cool. That's kinda what I was hoping for. 
[23:28:57] <perryprog>	 Since it doesn't seem to have anything private: https://gist.github.com/perryprog/1b7ad781bcbbad3b8adb53a03330764e
[23:29:13] <AntiComposite>	 legal-tm-vio@wikimedia.org is the address for that
[23:29:21] <Reedy>	 ^
[23:29:29] <Reedy>	 You can report it yourself if you want
[23:30:30] <perryprog>	 That sounds good to me. I'll wait a bit first—I'm curious if anyone else can figure out what's going on here too, as I'm mildly stumped as to what it's supposed to be doing.
[23:30:50] <AntiComposite>	 hosted on DigitalOcean, domain from Namecheap with WHOIS privacy on
[23:31:01] <perryprog>	 yup
[23:31:08] <perryprog>	 And TLS is through letsencrypt
[23:31:55] <perryprog>	 Also the server is Apache.
[23:34:50] <AntiComposite>	 parser timestamp for that page is 2021-09-23 15:53:10, so it's fairly new, but the domain's been registered since 2013 updated 2021-09-16
[23:35:38] <perryprog>	 Looks like only certain pages redirect. The static assets are live for me: https://en.m.wikpideia.org/wiki/assets/style.css
[23:42:50] <Reedy>	 https://gist.github.com/perryprog/1b7ad781bcbbad3b8adb53a03330764e#file-fakesite-html-L14-L24
[23:49:17] <perryprog>	 That's really really weird
[23:49:45] <perryprog>	 I would say this looks like an innocuous "learning about JS" thing but that snippet doesn't match that thought.
[23:50:38] <perryprog>	 Or maybe it is. Who knows. It is certainly a trademark violation either way from what I understand.
[23:52:37] <Dragonfly6-7>	 is there a login form?
[23:52:43] <Dragonfly6-7>	 er
[23:52:46] <Dragonfly6-7>	 vocabulary
[23:52:57] <Dragonfly6-7>	 is there an attempt to capture login credentials thing
[23:54:37] <perryprog>	 None that I saw, but it's impossible to say for sure if I can't even load the site anymore