Old 02-13-2003, 04:39 PM   #1
greedinc
Confirmed User
 
Join Date: Oct 2002
Posts: 245
PLEASE help asap, cheater question!

Okay, here's the situation, I'm going mad, guys are taking my site, using the following object tag and placing it on high traffic sites. I need to know asap how I can prevent this from happening, and prevent that counting as that page loading. There's got to be some way to do this or to detect if the object tag is being used, I know if anyone will know you guys will know...

<OBJECT data="http://www.yourwebsite.com/" HEIGHT=1 WIDTH=1 VSPACE=1 HSPACE=1>
</OBJECT>


Thanks so much guys, i'm going crazy,
C.
Old 02-13-2003, 04:40 PM   #2
Fletch XXX
GFY HALL OF FAME DAMMIT!!!
 
Fletch XXX's Avatar
 
Join Date: Jan 2002
Location: that 504
Posts: 60,840
uh oh.
Old 02-13-2003, 04:41 PM   #3
X37375787
Guest
 
Posts: n/a
Patrick?
Old 02-13-2003, 04:42 PM   #4
Tipsy
Confirmed User
 
Join Date: Jul 2001
Location: See sig
Posts: 6,989
Quote:
Originally posted by Equinox
Patrick?
I was thinking that too. :D
Old 02-13-2003, 04:45 PM   #5
Tipsy
Confirmed User
 
Join Date: Jul 2001
Location: See sig
Posts: 6,989
Never mind how to stop it - we want to know why they're doing it. We need the drama!
Old 02-13-2003, 04:46 PM   #6
Fletch XXX
GFY HALL OF FAME DAMMIT!!!
 
Fletch XXX's Avatar
 
Join Date: Jan 2002
Location: that 504
Posts: 60,840
why are they doing it?

hehe

Old 02-13-2003, 04:47 PM   #7
Fletch XXX
GFY HALL OF FAME DAMMIT!!!
 
Fletch XXX's Avatar
 
Join Date: Jan 2002
Location: that 504
Posts: 60,840
better yet, who is doing it?

heheh
Old 02-13-2003, 04:48 PM   #8
Tipsy
Confirmed User
 
Join Date: Jul 2001
Location: See sig
Posts: 6,989
And are they bigger than you. Better still is their dad bigger than your dad. We need details!
Old 02-13-2003, 04:52 PM   #9
greedinc
Confirmed User
 
Join Date: Oct 2002
Posts: 245
It's one of my mainstream sites, not adult, huge site, tons of people love it, a few people hate it (as always), jealous people, assholes, what have you. So just recently this new object code starts being used and it's the most annoying thing I've seen yet, and I can't figure out for the life of me a way to fix this but it's being used by a LOT of people.

If I'm fucked and there's nothing I can do about it, be straightforward about it and just give me the bad news, but if anyone knows of anything at all, please help me out here.

C.
Old 02-13-2003, 04:55 PM   #10
greedinc
Confirmed User
 
Join Date: Oct 2002
Posts: 245
bump...
Old 02-13-2003, 04:58 PM   #11
X37375787
Guest
 
Posts: n/a
Contact his host, and tell them to shut him down for illegal activity.
That's about the only thing I can think of.
Old 02-13-2003, 05:01 PM   #12
greedinc
Confirmed User
 
Join Date: Oct 2002
Posts: 245
Quote:
Originally posted by Equinox
Contact his host, and tell them to shut him down for illegal activity.
That's about the only thing I can think of.
that's fine, but the problem is there's currently more than a few hundred websites doing this to us, and we only know of a tiny percentage of them. a lot are on free hosts, while some are big traffic sites. can anyone help or give advice even?

i'm dying here...
C.
Old 02-13-2003, 05:04 PM   #13
LiveDose
Show Yer Tits!
 
LiveDose's Avatar
 
Industry Role:
Join Date: Feb 2002
Location: Somewhere Out there...
Posts: 25,792
So tell us what did you do to piss off so many. What's the URL?
Old 02-13-2003, 05:08 PM   #14
Theo
HAL 9000
 
Industry Role:
Join Date: May 2001
Posts: 34,515
Quote:
Originally posted by greedinc


that's fine, but the problem is there's currently more than a few hundred websites doing this to us, and we only know of a tiny percentage of them. a lot are on free hosts, while some are big traffic sites. can anyone help or give advice even?

i'm dying here...
C.
wtf did you do bro to have 100s websites iframing you? Don't tell me they just don't like your site
Old 02-13-2003, 05:10 PM   #15
greedinc
Confirmed User
 
Join Date: Oct 2002
Posts: 245
Quote:
Originally posted by Soul_Rebel


wtf did you do bro to have 100s websites iframing you? Don't tell me they just don't like your site
not iframing man, my guys found a way to prevent against tracking the iframe exploit about a month ago, because that was the last big thing, it's this new "object" one that's really fucking with me this time around...
Old 02-13-2003, 05:13 PM   #16
greedinc
Confirmed User
 
Join Date: Oct 2002
Posts: 245
bump, is there no answer on this or way of dealing with this?
Old 02-13-2003, 05:14 PM   #17
Theo
HAL 9000
 
Industry Role:
Join Date: May 2001
Posts: 34,515
your enemies sound dedicated on what they do....Maybe some of the admins that post here will be able to help.
Old 02-13-2003, 05:16 PM   #18
greedinc
Confirmed User
 
Join Date: Oct 2002
Posts: 245
what i'm more concerned about, and maybe this will help you guys come up with an answer... i'm not concerned that much with them using the code and pulling my site. all i really want to know is how to tell that it's a real visitor hitting the page, and not a user on a page with an "object" tag embedded into it. i know a way must exist, especially with hitbot prevention and things like that...

anyone???
Old 02-13-2003, 05:23 PM   #19
MattO
The O is for Oohhh
 
Join Date: Feb 2003
Location: AUSTIN TEJAS
Posts: 10,861
One thing that you could do that won't necessarily make it go away, but it would reduce bandwidth is change the exact page that they are loading to something else.
So if your site is index.html, make the index.html as small as possible with an ENTER button to a renamed page with your site on it.
Then you can keep changing the target page real easy and each time, they would have to change all their OBJECT tags and hopefully get sick of doing it.

As far as detecting if it's a surfer or a pulled OBJECT tag, there might be a way to query the CGI.HTTP type shit.
If you run a HTTP-REFER, you could tell where the surfers are coming from, and you could match it against a list of offending sites.

I don't really know that much... just kinda "typing out loud".
Old 02-13-2003, 05:32 PM   #20
JFPdude
Confirmed User
 
Join Date: Jan 2002
Location: Mountains of Western North Carolina.
Posts: 4,027
It's called being image sourced.

You won't find much help on this board to prevent it because it will attract cheaters like cockroaches.

Most mainstream admins won't know how to prevent it because they have probably never seen it before.

My advice: Stop pissing people off so that they won't image source you.

and 2: Hire an admin that can keep you out of trouble if you can't keep yourself out of trouble.

Good Luck
Old 02-13-2003, 05:50 PM   #21
grumpy
Too lazy to set a custom title
 
grumpy's Avatar
 
Join Date: Jan 2002
Location: Holland
Posts: 9,870
It's easy but i'm not gonna tell you because you won't tell us where and why
Old 02-13-2003, 06:04 PM   #22
XXXManager
So Fucking Banned
 
Join Date: Mar 2002
Location: Far out in the uncharted backwaters of the unfashionable end of the Western Spiral arm of the Galaxy
Posts: 893
1. I can't see why hundreds of sites would do that to you if they were not hosted by the same guys.
2. EVEN if hundreds of sites do that to you, probably most of them do not have traffic. So it shouldn't hurt you and therefore not a problem.
3. IF hundreds of sites with a lot of traffic do that to you that means you pissed a lot of different people cause it's not probable that one person with hundreds of sites which all are big is attacking you like that.
4. If 3 is indeed the case, take action against this person. A lot of time, if it's one person, the different sites are all hosted in the same place, or few different places.

IN ANY CASE, redirect the hit back to the referrer from all the sites that do that to you. You can do that with mod_rewrite and RewriteMap.
WARNING: Make sure that the sites (the hundreds you list there) are indeed hitting you, so you don't hit back on innocent sites.
Recommendation: start from the bigger ones so your immediate problem is fixed fast.
Old 02-13-2003, 07:10 PM   #24
greedinc
Confirmed User
 
Join Date: Oct 2002
Posts: 245
Quote:
Originally posted by EscortBiz
What type of site, whats the URL im nosey
Yea, I'm constantly asked, and i apologize, but I keep pretty well quiet for the most part when it comes to that kind of stuff and but a handful of people on this board have any idea as to what i own, sorry guys, I do appreciate all the help, comments and suggestions though, you guys are always awesome when it comes to lending a quick hand.

I will tell you though that it's not us, or our sites "pissing off" people, what happens is we find cheaters, or hackers, or spammers, and we ban them from our network, and they retaliate by doing things like this as well as constant DOS attacks and things of that nature. Which, we have measures in place to take care of just about anything but the object code is new news to us and we're just now trying to figure out how to deal with it. The site gets around 50,000+ signups a day and we ban quite a few guys every day, so we've built up quite a good group of guys that have nothing better to do than try and hack and take down our network.

Grumpy - If you actually genuinely have a clue as to how to help me on this and it is that "easy" then please email me and I will gladly speak with you if you'd be willing to help me out and I would certainly owe you.

Night guys,
C.
Old 02-13-2003, 07:38 PM   #25
lustbin
Registered User
 
Join Date: Feb 2003
Location: minnesota
Posts: 83
if you're using apache, and if i remember right....

put this into an .htaccess file in the root

SetEnvIfNoCase Referer "^http://offending\.domain\.com/" bad_ref=1
Order Deny,Allow
Deny from env=bad_ref

replace offending.domain.com with the domain hosting the object tag in their page. make sure you notate dots as \. and preserve the ^

this will block any hits with them as the referer.

hope that works for you.

`lb

ps. apache people does that sound right?

Quote:
Originally posted by greedinc


Yea, I'm constantly asked, and i apologize, but I keep pretty well quiet for the most part when it comes to that kind of stuff and but a handful of people on this board have any idea as to what i own, sorry guys, I do appreciate all the help, comments and suggestions though, you guys are always awesome when it comes to lending a quick hand.

I will tell you though that it's not us, or our sites "pissing off" people, what happens is we find cheaters, or hackers, or spammers, and we ban them from our network, and they retaliate by doing things like this as well as constant DOS attacks and things of that nature. Which, we have measures in place to take care of just about anything but the object code is new news to us and we're just now trying to figure out how to deal with it. The site gets around 50,000+ signups a day and we ban quite a few guys every day, so we've built up quite a good group of guys that have nothing better to do than try and hack and take down our network.

Grumpy - If you actually genuinely have a clue as to how to help me on this and it is that "easy" then please email me and I will gladly speak with you if you'd be willing to help me out and I would certainly owe you.

Night guys,
C.
Old 02-13-2003, 08:45 PM   #26
Nbritte
Confirmed User
 
Join Date: Sep 2001
Location: Kentucky USA
Posts: 689
well you could just take the page they are hitting and remove all the html but a link to an alternate page then use
<script src="site url" language=something></script>
if you only have a small page and it creates a loop (not sure if it will but it might) then both sites get hit hard with hits but you use less bandwidth.

Nbritt

Last edited by Nbritte; 02-13-2003 at 08:47 PM..
Old 02-13-2003, 08:55 PM   #27
XXXManager
So Fucking Banned
 
Join Date: Mar 2002
Location: Far out in the uncharted backwaters of the unfashionable end of the Western Spiral arm of the Galaxy
Posts: 893
Quote:
Originally posted by lustbin
if you're using apache, and if i remember right....
put this into an .htaccess file in the root
SetEnvIfNoCase Referer "^http://offending\.domain\.com/" bad_ref=1
Order Deny,Allow
Deny from env=bad_ref
ps. apache people does that sound right?
Nope. It will not be efficient and will not work really..
See what I suggested above and what greedinc wrote. He has hundreds of attacking domains (which sounds strange to me but anyway).. therefore what you wrote won't help him.

greedinc: I don't know why I am helping you with this since you are "saying" you are attacked by bad guys BUT you are not willing to say which URLs the attackers use and which URLs of yours they attack. I don't understand what you have to hide if you claim to be a legit player. Can you explain? Are you doing CP or other illegal stuff??
Well, I guess I am helping you because you MIGHT be telling the truth in a way and for the chance that this is the case - I am willing to help.

If you have 100s of domains attacking do this...
Create a map file with pairs of the attacking domains and the word NWJ (acronyms of "No Way Jose") ;)
like that...
http://www.attacker1.com NWJ
http://www.attacker2.com NWJ
etc..

Enable mod_rewrite if it's not yet enabled on your webserver.
Set a "RewriteMap NWJMap txt:/path/to/NWJ.dat"

break down the %{HTTP_REFERER} with a REGEXP rewrite condition and get the first part up to the THIRD backslash (Not including) leaving you with the http://......com in $1

Do a "RewriteCond ${NWJMap:$1} ^NWJ$"

Do a rewrite rule to http:// so that the client will show 404 for the object.

- Paypal donations will not be met with resistance LOL

I withdraw my prior suggestion. do NOT, I repeat - NOT, send the hit back to the attacker.
For 3 reasons:
1. The attacker/s can redirect the redirection BACK to you and so you will be damaged once again
2. It is illegal - even when he attacks you
3. The attacker/s might be using a third party system or a free host - in that case you will be attacking that system and you will damage innocent people.
Do NOT redirect traffic back to the attackers!!

Hope it helps
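Added example, not part of any post in this thread: the map-file steps from post #27 written out as an Apache configuration sketch. The map name and path are the ones given in the post; the `lc` helper map and the `[F]` (403) refusal are choices made here in place of the rewrite to `http://` the post describes, and mod_rewrite exposes a RewriteCond capture as `%1`.

```apache
# Server or virtual-host context only: RewriteMap is not permitted in .htaccess.
RewriteEngine On

# Plain-text map, one "key value" pair per line, keys in lower case, e.g.:
#   http://www.attacker1.com NWJ
#   http://www.attacker2.com NWJ
RewriteMap NWJMap txt:/path/to/NWJ.dat

# Built-in map used to lower-case the lookup key (the name "lc" is chosen here).
RewriteMap lc int:tolower

# 1. Capture scheme://host from the Referer, stopping before the third "/".
RewriteCond %{HTTP_REFERER} ^(https?://[^/]+) [NC]
# 2. Lower-case the captured origin and re-capture it as %1.
RewriteCond ${lc:%1} ^(.+)$
# 3. Look the origin up in the map; origins not listed fall back to "OK".
RewriteCond ${NWJMap:%1|OK} ^NWJ$
# 4. Refuse the request: no page is served and nothing is redirected anywhere.
RewriteRule ^ - [F]
```

Because the Referer header is supplied by the client, this only filters browsers that report the embedding page honestly; requests with a missing or forged Referer pass through.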
Old 02-13-2003, 09:03 PM   #28
XXXManager
So Fucking Banned
 
Join Date: Mar 2002
Location: Far out in the uncharted backwaters of the unfashionable end of the Western Spiral arm of the Galaxy
Posts: 893
Quote:
Originally posted by Nbritte
well you could just take the page they are hitting and remove all the html but a link to an alternate page then use
<script src="site url" language=something></script>
if you only have a small page and it creates a loop (not sure if it will but it might) then both sites get hit hard with hits but you use less bandwidth.
Nbritt
Hmm... What good is this??
The problem with the attack is hardly the BW or the size of the page. It's the process Apache creates for the serving of the page.
Your solution will not help at all for that problem.
saying the truth, my solution will not solve everything as well, but just half of the problem
Also - call to the server from an OBJECT does NOT run the JS and will not create a loop no matter what - so I don't see what you mean.

A solution to the httpd process creation is using a reverse proxy. That will expedite the creation of the responder by using threads instead of processes.
Using something like Squid in a rev-proxy/web-accelerator is a good choice
Old 02-13-2003, 09:08 PM   #29
XXXManager
So Fucking Banned
 
Join Date: Mar 2002
Location: Far out in the uncharted backwaters of the unfashionable end of the Western Spiral arm of the Galaxy
Posts: 893
BTW - greedinc
It seems strange to me...
Your attackers are amateurs and newbies. They are hardly hackers.
If they were smart they would be using spoofed IPs through loose source routing and fake packet parameters as well as manipulated protocol parameters and fake referer.
Since no newbie knows what that means - it's not really dangerous to say what I just did

DIE CHEATERS DIE
Old 02-13-2003, 10:02 PM   #30
greedinc
Confirmed User
 
Join Date: Oct 2002
Posts: 245
Quote:
Originally posted by XXXManager


greedinc: I don't know why I am helping you with this since you are "saying" you are attacked by bad guys BUT you are not willing to say which URLs the attackers use and which URLs of yours they attack. I don't understand what you have to hide if you claim to be a legit player. Can you explain? Are you doing CP or other illegal stuff??
Well, I guess I am helping you because you MIGHT be telling the truth in a way and for the chance that this is the case - I am willing to help.

Hey man, drop me an email with your aim s/n or icq #, thanks a ton for the help, we can chat, and i can redeem myself and let you check out some of my mainstream sites, so i'm not accused of CP or other crazy shit, haha, jeez man...

Take it easy, and thanks again,
C.
Old 02-14-2003, 12:55 AM   #31
Nbritte
Confirmed User
 
Join Date: Sep 2001
Location: Kentucky USA
Posts: 689
Quote:
Originally posted by XXXManager

Hmm... What good is this??
The problem with the attack is hardly the BW or the size of the page. It's the process Apache creates for the serving of the page.
Your solution will not help at all for that problem.
saying the truth, my solution will not solve everything as well, but just half of the problem
Also - call to the server from an OBJECT does NOT run the JS and will not create a loop no matter what - so I don't see what you mean.

A solution to the httpd process creation is using a reverse proxy. That will expedite the creation of the responder by using threads instead of processes.
Using something like Squid in a rev-proxy/web-accelerator is a good choice
Ok I will take your word it would not work like I said I didn't know if it would or not. It was just a thought and I have lots of them just not always good ones

Nbritt