Like said before, these images are REAL images. If you open 'em in IE you get an image. It looks like nothing, but it's an image. The header is correct, everything looks ok, so there's no software in the world that will detect it as Warez... that's why we're trying to find a good alternative for this so the warez programs can't use the data anymore

zubr,

contact me on icq - maybe we can help you

Hun, I know it's hard to manage. Lot's of warez gets uploaded overnight and I try my best to nuke it all. (Lot's of manual work)


Oh, did you get e-mail from Parney G?

Then there must be some zip/rar header in it aswell ? You can search for this header type and then nuke it ...
How is the youngest Hun ? Growing up a bit ?

Thats not true though.... i have a solution for that problem already - its just a simple perl scirpt that determines whether that image is accompanied by warez.

If you take some "random" data which could be either image data or part of a program, and the create a header for a JPEG file which would hold the exact information to go with the data it would show in an image viewer as a bunch of garbage, but it has all signs of an image. I don't think a PERL script would be able to detect such a file. Maybe it's an idea for one of the free host operators to post one of those JPEGS here so people can have a go at it. I think we all want to get down cheaters

here's a url, but you have to paste it into browser in a new window, because of my htacess restrictions.

http://adultprohost.com/kkohm/a1376/a13760507.gif

See, the file is 69 kb, and the pic is only 32x32.... Thats how my script found it, the ratio of file size and dimensions was way off

The biggest problems with this stuff is one imagic magic is VERY slow at recompressing. We tried it and it was way to slow to be usable on a decient size freehost. Also the images actually crash image magick alot of the time.


The images can be real small images with garbage attached on the end, or very large images. We have seen both. Also they can be in gifs or jpegs.


btw the compressing at 99.9% would actually increase the size of all your other images, so thats not a good idea :)

Amazing how that image looks, beeing a warez file.
Do you know that you can prevent all imgs to be directly accessed ?
They will be visible only on an html page.
I'd like to see who has the patience to download all the files one by one

how would you do that?

referal check?

Alright.. if someone knows of a module for pro_ftpd that allows you to run an executable after certain filetypes are uploaded (or for every upload), I will post a solution that strips warez from files as they are uploaded.

I'm still looking for a better solution, but this will solve 90% of the problem for most hosts.

there's no proftpd module, but there's another way to do it. You simply use "Custom Log" into some file which will record all filenames uploaded, and then run a routine script on it - thats atleast the way i do it :)

adultwire, could you just post the solution then we can figure out the best way to impliment it? monitor log files seems fine to me. maybe someone could offer a modified wuftpd or something... whatever.

yeah, adultwire, what do you got there?

interesting thread. detecting steganographic messages in images. does this help http://www.outguess.org/detection.php ?

cheers

DrGuile: using mod_rewrite (if your webserver is apache)

I would imagine that these warez tools can spoof the http_user_agent and http_referer fields; mod_rewrite is probably not a solution (but I've never seen one of these programs).

cheers

somebody has noticed here that they know what the http_user_agent values are for that software, but they didnt say exactly what

Hey, if anyone could contact me regarding a solution for this I'd appreciate it.

Email or ICQ works.. matt @ nysus.com or 129060301

Cheers,
Matt

Hehe dork, of course they are hotlink protected.. the utility is its own web browser that downloads all the images.

Sorry.. I had to split for a while.. I have some work to finish, and then I'll post my make-shift solution.

We'll be waiting! :)

yeah, I am glad people are willing to share ideas to stop cheaters. These warez guys are pretty hooked up. They upload many gigs in 1 night

Shitty.. my solution ended up causing problems with many images.. I think it's time to start coding. I just want to strip the warez in a non-lossy mannar (without changing a single byte of the valid image data) -- this requires parsing the file and rewriting the terminating block at the correct place.

Then I want to compare the filesizes, and if they differ substancially, throw away the file. If they don't, use the stripped one (to save b-width)..

Doesn't necessarily have to be ZIP/RAR, and even if it was, the archive can be split into several parts, and reassembled, the header doesn't matter. You can split the header into 15 million files, but when you reassemble that multitude of files, you still have a valid header, see?

could someone who has some of these files post links to a few more gifs and jpegs? I saw the one gif posted earlier. That gif seemed to be identifiable as not being a valid image.

cheers

http://www.greenapple.verisexy.net/wezgina/
http://www.greenapple.verisexy.net/salamba/


Are these the type of files you guys are talking about? Looks, so weird by the way they are names and no sponsors or anything =/ I will trying to find more and post them when I do so people can see examples.

If you need a bit of help, let me know...

That looks exactly like a recent user on my freehost. Exactly. Different file names, and the pics were asian, but the "Welcome to xxxxxx's Web Site", followed by the centered line of small images. Deleted his account after reading this thread.

why would they use host for warez in the first place? isnt it easier to just get it off kazaa?

You can't move ZIPs and RARs around on KaZaA (i think), two, that would require someone volunteering to dedicate their bandwidth to little .jp punks downloading warez all day, haven't you ever heard of freeloading at someone else's cost?

User agent is spoofed from a list of user agents, and the referer is spoofed depending on the client, some do the actual HTML file, others do "index.html", others just use the server host, so blocking by those two variables are not really solutions.

AdultWire - proftpd can use mod_autorun to run a script after upload...

Warez in files - Yeah... I've been noticing these bad boys for a while... my gif/jpg detection scripts aren't able to nail em either, grumble grumble...

Ahhh jesus.. freehosting just isn't as fun as it was back in 99 ;)

-- kevin
-- adultserver.com

Shit.. I'm in meetings all day today.. so again, not much time to work on this.. But if anyone knows how to code, I think GIF's should be relatively easy to do without losing any data. You need to read the header for the size of the image, and then unpack lzw blocks until you've filled up the bitmap area with data. Then, discard any remaining blocks and write a header.

At least, this should work for 87a's, but probably not 89a's.

With jpeg's, if you don't mind a slightly lossy method, nconvert will do the trick.

The whole shebang can be glued together with mod_autorun, and that should be a working solution.

I hope I get some time this evening and maybe we can fill in the rest of the blanks.

if mod_autorun requests a script every time a file is uploaded, it may become quiet resource consuming.... there should be some other solution like custom log, and scheduled script execution

for as much as people who don't use kazaa seem to think it's a freeloaders dream and is an eazy way out for surfers, it's really not that great. i would say 70% of transfers you try and initiate don't actually work, most of them sit on 'remotely queued' and 'connecting' and whatever forever. most of the files you do actually manage to transfer are slooooow. if you get a 20KB/s transfer you're praising jesus. this goes for any type of file, movies, mp3s, pdfs (e-books), etc. it really sucks. same way with the gnutella clients. nothing has come even close to touching napster since it croaked. i'm sure we'll see more and more stuff liek this as peoples options dwindle: http://www.vnunet.com/News/1132038 (kazaa going OOB)

mod_autorun is hardly resource consuming... I get what you're saying, but trust me when I tell you the load difference from this to a scheduled event will be negligable, and this solves the problem before it can become one.

Heh, hey kev you may want to change your signature line. :1orglaugh

Spanky, yes that helps a lot; thank you.

All: As Spanky referenced, there is a utility called STEGDETECT that may help us out. I just downloaded it and did a preliminary test, with positive results.

STEGDETECT tests if information has been embedded in files using jsteg/outguess/jphide/invisible secrets(wtf?)/F5/camouflage/or appendX. Here are my initial findings:

STEGDETECT run on a normal JPG file that has not been embedded:

[root@SERVER_3 munimuni]# stegdetect 11544r033.jpg
11544r033.jpg : negative

STEGDETECT run on a JPG file that has been embedded

[root@SERVER_3 munimuni]# stegdetect Kurumi01_3204.jpg
Kurumi01_3204.jpg : jphide(***) appended(560)<[random][data][7|FG7.w.P=...x.J]>