Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.

Old 07-13-2002, 10:12 AM   #1
FreeNetPass Steve
Confirmed User
 
Join Date: Nov 2001
Location: A van down by the river
Posts: 442
Protecting sites using other than HTaccess

Is there an alternative way to htaccess to protect a members area of a site? I saw a script once and it used some other code. Maybe it was an .htaccess but used different code other than the mod rewrite.

Any ideas?
Old 07-13-2002, 10:17 AM   #2
Terenzo
Confirmed User
 
Join Date: Jan 2002
Posts: 971
i don't know if this is a smart thing, but what we are doing is serving the shit out of a root dir, protecting with php-session-management.... whenever some fraud is done, we use a dynamic .htaccess file for blocking and redirecting the ip.... i really don't know, though.

i am interested in other alternatives, too.


why don't you want to use .htaccess? aol problems?
__________________
Signature Spot - USD 5000 / month
Old 07-13-2002, 10:51 AM   #3
pr0
rockin tha trailerpark
 
 
Join Date: May 2001
Location: ~Coastal~
Posts: 23,088
this information & more will be available at http://www.pr0.net in the next few months, so be looking out for it
Old 07-13-2002, 11:14 AM   #4
zip
Confirmed User
 
Join Date: Jul 2001
Location: under the bridge
Posts: 567
Try this, is a combo between htaccess and php


PHP Code:
<?php
// Written for PHP 4 (2002): $HTTP_*_VARS, ereg(), eregi(), ereg_replace()
// and split() were removed in later PHP versions.

// Page to redirect to when a request is refused ("" = print the denial text)
$leechpage = "";

// referrer URLs that are also allowed (without http://)
$domein["0"] = "localhost";
$domein["1"] = "127.0.0.1";

// Folders files may be served from, selected with the idl parameter
$folder["0"] = "down/loads";

// (link example, beginning lost in the post) idl=mijnfolder&idf=filevoorjou.exe">file for you</a>

// THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
// WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
// OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
// DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR
// ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
// USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
// ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
// OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
// OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
// SUCH DAMAGE.
//

$versienumm = "<center style=\"font-family:arial\"><b>FW-ANTILEECH</b><br>Build:  1.32 <p><b>FILE REQUEST DENIED</b></p></center>";

    // Pick up the referer and the idf (file) / idl (folder key) parameters
    if (!isset($HTTP_REFERER)) {
        if (!empty($HTTP_SERVER_VARS) && isset($HTTP_SERVER_VARS['HTTP_REFERER'])) {
            $HTTP_REFERER = $HTTP_SERVER_VARS['HTTP_REFERER']; } }
    if (!isset($idf)) { if (isset($HTTP_GET_VARS['idf'])) { $idf = $HTTP_GET_VARS['idf']; } }

    // Strip shell/path metacharacters and ".." from the file name
    // (the htmlentities() result is discarded, so that call has no effect)
    if (isset($idf)) { $idf = stripslashes($idf); $idf = urldecode($idf); htmlentities($idf, ENT_QUOTES);
        $idf = preg_replace('/([;\:,`\'\\\|"* !+=?~#%&<>^\/\(\)\[\]\{\}\$\n\r])/', "", $idf); $idf = ereg_replace('\.\.', '', $idf); }

    if (!isset($idl)) { if (isset($HTTP_GET_VARS['idl'])) { $idl = $HTTP_GET_VARS['idl']; } }

    // Same filtering for the folder key, which additionally loses every "."
    if (isset($idl)) { $idl = stripslashes($idl); $idl = urldecode($idl); htmlentities($idl, ENT_QUOTES);
        $idl = preg_replace('/([;\:,.`\'\\\|"* !+=?~#%&<>^\/\(\)\[\]\{\}\$\n\r])/', "", $idl); $idl = ereg_replace('\.\.', '', $idl); }

    if (!empty($domein) && isset($HTTP_REFERER) && isset($idf)) {
        // Drop the scheme from the referer
        if (ereg("//", $HTTP_REFERER)) { list($begone1, $refoke) = split('//', $HTTP_REFERER, 2); }
        else { $refoke = $HTTP_REFERER; }
        if (ereg("/", $domein[0])) { list($domain, $begone2) = split('/', $domein[0], 2); }
        else { $domain = $domein[0]; }
        $a = count($domein);
        for ($i = 0; $i < $a; $i++) {
            // The Referer header is supplied by the client; this matches the
            // allowed name anywhere in the referer string
            if (eregi($domein[$i], $refoke)) {
                if (isset($idl) && isset($folder[$idl])) {
                    if (ereg("//", $folder[$idl])) {
                        list($begone3, $domwww) = split('//', $folder[$idl], 2);
                        list($domain, $defolds) = split('/', $domwww, 2); $fileonweb = $defolds."/".$idf; }
                    else { $fileonweb = $folder[$idl]."/".$idf; } }
                else { $fileonweb = $folder["0"]."/".$idf; }
                $fileow = "http://".$domain."/".$fileonweb;
                // open http on loopback (the .htaccess below only allows local requests)
                $id_wi = fsockopen($domain, 80);
                fputs($id_wi, "GET /$fileonweb HTTP/1.0\r\nHost: $domain\r\n\r\n");
                $buff = fgets($id_wi, 1024);
                fclose($id_wi);
                // if the file is OK, open the file
                if (ereg("HTTP/1.1 200 OK", $buff)) {
                    $id_wi = fopen($fileow, "r");
                    if ($id_wi) {
                        // Choose the Content-Type from the file name
                        if (eregi(".htm", $idf)) { $welktype = "text/html"; }
                        else if (eregi(".html", $idf)) { $welktype = "text/html"; }
                        else if (eregi(".txt", $idf)) { $welktype = "text/plain"; }
                        else if (eregi(".jpg", $idf)) { $welktype = "image/jpg"; }
                        else if (eregi(".gif", $idf)) { $welktype = "image/gif"; }
                        else if (eregi(".mpeg", $idf)) { $welktype = "audio/mpeg"; }
                        else if (eregi(".mp3", $idf)) { $welktype = "audio/mpeg"; }
                        else if (eregi(".doc", $idf)) { $welktype = "application/msword"; }
                        else if (eregi(".rtf", $idf)) { $welktype = "application/msword"; }
                        else if (eregi(".zip", $idf)) { $welktype = "application/x-zip-compressed"; }
                        else if (eregi(".exe", $idf)) { $welktype = "application/x-msdownload"; }
                        else if (eregi(".pdf", $idf)) { $welktype = "application/pdf"; }
                        else { $welktype = "application/octet-stream"; }
                        Header("Content-Type: $welktype");
                        Header("Accept-Ranges: bytes");
                        Header("Content-Disposition: ; Filename=$idf");
                        readfile($fileow);
                        fclose($id_wi);
                        exit;
                    }
                } break;
            }
        }
        // Referer not allowed or file not available
        if ($leechpage != "") { header("Location: $leechpage"); exit; }
        echo "$versienumm"; exit; }
    // no referer URL - exit or go to antileech.html
    else { if ($leechpage != "") { header("Location: $leechpage"); } }
    echo "$versienumm"; exit;
?>

-------------------- 
htaccess file in dir. 
-------------------- 
ErrorDocument 403 /down/leech.html 
order deny,allow 
deny from all 
allow from 127.0.0.1 
allow from .localhost 
<Files .htaccess> 
order allow,deny 
deny from all 
</Files> 
IndexIgnore *
Old 07-13-2002, 12:09 PM   #5
Paolo
Confirmed User
 
Join Date: Jan 2002
Location: Henderson, Nevada
Posts: 491
Here is the big problem with protecting your site.
Most programs give a 403 to the IP that is brute forcing your password file.

They love to use IPs that AOL has, because AOL's system is a pile of shit and is easy to abuse.

So 403's are fine in most cases, except that AOL stores these 403's on their servers and prevents AOL users sharing the same IP from visiting your site.

So now come the complaints from an AOL subscriber that he cannot get in your membership area because his IP is blocked and he did nothing wrong " Except for using AOL in the first place" : )

What we did is give the brute forcer a 202 ok and redirect to a fake url.
That really seemed to help out.

I hate those brute force programs, they are a pain in the ass for everyone and any idiot can use them.

Hope that helps a little
Old 07-13-2002, 01:22 PM   #6
mike503
Confirmed User
 
Join Date: May 2002
Location: oregon.
Posts: 2,243
simply put, you don't need htaccess at all. you can do a variety of other methods, either using normal HTTP authentication or using cookie-based authentication. if you have questions, hit me up on icq.
__________________
php/mysql guru. hosting, coding, all that jazz.
Old 07-13-2002, 04:09 PM   #7
Naughty
Confirmed User
 
Join Date: Jul 2001
Location: Utopia
Posts: 6,484
Interesting stuff.

I'll be reading your stuff soon pr0
__________________
seks.ai for sale - ping me
Old 07-13-2002, 04:42 PM   #8
BadBoyBill4281
Confirmed User
 
Join Date: May 2002
Location: West Palm Beach, Florida
Posts: 616
Go to hotscripts and search in PHP only. You'll find everything you need: complete programs to add, change, or mod any password for any of your sites that you wish. Very easy to understand if you know PHP and MySQL.
__________________
ICQ#128496425

www.swinginglocal.com
Old 07-14-2002, 12:16 PM   #9
Terenzo
Confirmed User
 
Join Date: Jan 2002
Posts: 971
Quote:
Originally posted by Paolo
Here is the big problem with protecting your site.
Most programs give a 403 to the IP that is brute forcing your password file.

They love to use IPs that AOL has, because AOL's system is a pile of shit and is easy to abuse.

So 403's are fine in most cases, except that AOL stores these 403's on their servers and prevents AOL users sharing the same IP from visiting your site.

So now come the complaints from an AOL subscriber that he cannot get in your membership area because his IP is blocked and he did nothing wrong " Except for using AOL in the first place" : )

What we did is give the brute forcer a 202 ok and redirect to a fake url.
That really seemed to help out.

I hate those brute force programs, they are a pain in the ass for everyone and any idiot can use them.

Hope that helps a little

Great info, we will change this!! thanx paolo!
__________________
Signature Spot - USD 5000 / month
Old 07-14-2002, 12:18 PM   #10
Terenzo
Confirmed User
 
Join Date: Jan 2002
Posts: 971
Quote:
Originally posted by pr0
this information & more will be available at http://www.pr0.net in the next few months, so be looking out for it


... next few months... ;)) get it done sooner!!!!
__________________
Signature Spot - USD 5000 / month
Old 07-14-2002, 01:18 PM   #11
Sleepy
Confirmed User
 
Join Date: Nov 2001
Location: Porn Peddler
Posts: 679
http://www.danubetech.com/news/07_12_02.htm
( ProxyPass )

The software blocks open proxies and shared passwords. It's written in C just like Iprotect and features a realtime admin. I had it installed and that was the end of the bullshit with those proxy hackers.

Iprotect/Pennywize/StopThatHacker - just don't work.
Let's say you have Pennywize set to block a user after 5 bad auths. These hackers use 1000's of proxies to attack you and get 5 guesses on each one. If the hacker has 8000 proxies to use, he gets 40,000 guesses in total. What's the point in even blocking?
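Sleepy's arithmetic and Paolo's shared-IP complaint, replayed as an added example (not code from the thread or from any of the products named): the same constructed login stream is run through a lockout counter keyed by IP and through one keyed by account. The proxy labels, the account names `alice` and `bob`, and the `replay` helper are assumptions made for illustration.

```python
from collections import defaultdict

LIMIT = 5  # "block a user after 5 bad auths", the setting from the post


def make_events(proxies=30, per_proxy=5):
    """Constructed sample. Every proxy IP makes per_proxy bad guesses at the
    account 'alice'; a legitimate member 'bob' shares the first proxy IP and
    logs in after each round. An event is (ip, user, password_ok)."""
    events = []
    for _ in range(per_proxy):
        for p in range(proxies):
            events.append((f"proxy-ip-{p}", "alice", False))
        events.append(("proxy-ip-0", "bob", True))
    return events


def replay(events, key, limit=LIMIT):
    """Replay the events under a lockout counter keyed by key(ip, user).
    Returns (password guesses the server evaluated, good logins refused)."""
    failures = defaultdict(int)
    evaluated = refused_good = 0
    for ip, user, ok in events:
        k = key(ip, user)
        if failures[k] >= limit:   # this key is locked: refuse without checking
            refused_good += int(ok)
            continue
        if ok:
            continue               # successful login, nothing to count
        evaluated += 1
        failures[k] += 1
    return evaluated, refused_good


def by_ip(ip, user):
    return ip                      # the per-IP blocking described in the thread


def by_account(ip, user):
    return user                    # count failures per account, across all IPs


if __name__ == "__main__":
    print("per-IP lockout:     ", replay(make_events(), by_ip))
    print("per-account lockout:", replay(make_events(), by_account))
    print("8000 proxies, per-IP:", replay(make_events(8000, 5), by_ip)[0])
```

Keying on the account caps the guesses against that account at the limit however many proxies are used and leaves other members on a shared IP alone, at the cost that the targeted account itself ends up locked.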
Old 07-14-2002, 01:44 PM   #12
foe
Confirmed User
 
Join Date: May 2002
Location: CT
Posts: 5,246
yeh PHP can protect your site nicely
Old 07-15-2002, 01:51 PM   #13
FreeNetPass Steve
Confirmed User
 
Join Date: Nov 2001
Location: A van down by the river
Posts: 442
Thanks for all the tips and links!