From owner-freebsd-isp Tue Mar 7 15: 1: 6 2000
Delivered-To: freebsd-isp@freebsd.org
Received: from krell.webweaver.net (krell.webweaver.net [206.24.105.170]) by hub.freebsd.org (Postfix) with ESMTP id 70FC337BDBC for ; Tue, 7 Mar 2000 15:01:01 -0800 (PST) (envelope-from nicole@unixgirl.com)
Received: from xwin.nmhtech.com (xwin.nmhtech.com [208.138.46.10]) by krell.webweaver.net (Postfix) with ESMTP id 8AF8220F04; Tue, 7 Mar 2000 14:12:46 -0800 (PST)
Content-Length: 2362
Message-ID:
X-Mailer: XFMail 1.3.1 [p0] on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
Date: Tue, 07 Mar 2000 15:01:00 -0800 (PST)
From: "Nicole Harrington."
To: isp-tech@isp-tech.com, freebsd-isp@freebsd.org
Subject: Apache Hacking and Apparent Spoofing Problem
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Greetings all

I have 2 Apache related questions.

Q1) The first one is that I have a customer whose server was/is getting hundreds of lines like:

    www.joelpass.com -> /oops.html

in the referer log. The oops page means they entered a bad passwd for entrance to the pay x-rated site on the server. All of this seems somewhat normal except the lack of httpd:// and the fact that there is no such domain as joelpass.com. So how is someone doing this? I.e., how do they get referer to show this fake ID? I thought it was DNS based. DNS poisoning? They don't use their own DNS, they use a major internet provider's DNS.
EX:

    http://start.at/mega -> /~mega
    http://www.sterndevelopments.com/rankem/index.html -> /DGC.html
    http://search.yahoo.com/bin/search?p=hardcore -> /index.html
    http://start.at/mega -> /~mega/index.html
    http://profiles.yahoo.com/solacedenied_joel -> /index.html
    www.joelpass.com -> /oops.html
    www.joelpass.com -> /oops.html

Q2) It seems that there is a website that is hacking into pay X-Rated sites and providing free access to them via a click through on their system and they are the ones responsible for the above. They seem to be offshore and their clickthrough referring sites seem to come from all over. Is there any way to stop them? (I like porn, but I also work for several pay sites that are getting hit pretty hard by these asses. Their password guessing has created huge bandwidth spikes and if they guess one the site instantly becomes swamped.)

Any help would be greatly appreciated.

Nicole

nicole@unixgirl.com              |\ __ /|   (`\     http://www.unixgirl.com/
webmistress@dangermouse.org      | o_o  |__  ) )    http://www.dangermouse.org/
                                //      \\
---------------------------(((---(((-----------------------------------------
         -- Powered by Coka-Cola and FreeBSD --
         -- Strong enough for a man - But made for a Woman --
         -- Microsoft: What bug would you like today? --
-------------------------------------------------------------------------------
-- As a computing professional, I believe it would be unethical for me to
   advise, recommend, or support the use (save possibly for personal
   amusement) of any product that is or depends on any Microsoft product.
-- OWNED? MS: Who's Been In Your Computer Today?

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
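
Added example, not part of the original message: the Referer value is a request header chosen by the client, so a string such as www.joelpass.com can land in the log without any DNS involvement. The Python script below assumes the "referer -> path" layout quoted in the message, the /oops.html failure page it names, and a constructed threshold; it flags referers that are not absolute URLs and counts failed-login hits per referer.

```python
from collections import Counter
from urllib.parse import urlsplit

FAIL_PAGE = "/oops.html"   # failed-login page named in the message
THRESHOLD = 2              # constructed value; tune for real traffic

# Constructed sample in the "referer -> path" layout quoted in the message.
SAMPLE_LOG = """\
http://start.at/mega -> /~mega
http://search.yahoo.com/bin/search?p=hardcore -> /index.html
www.joelpass.com -> /oops.html
www.joelpass.com -> /oops.html
http://profiles.yahoo.com/solacedenied_joel -> /index.html
- -> /oops.html
garbage line without separator
"""

def parse_line(line):
    """Split one 'referer -> path' entry; return None if malformed."""
    referer, sep, path = line.strip().rpartition(" -> ")
    if not sep or not path.startswith("/"):
        return None
    return referer, path

def is_wellformed_referer(referer):
    """A browser-generated Referer is an absolute http(s) URL with a host."""
    parts = urlsplit(referer)
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def analyse(log_text):
    """Return (malformed referer -> hits, referer -> failed logins >= THRESHOLD)."""
    malformed, failures = Counter(), Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines that do not match the layout
        referer, path = entry
        if referer and referer != "-" and not is_wellformed_referer(referer):
            malformed[referer] += 1
        if path == FAIL_PAGE:
            failures[referer] += 1
    noisy = {r: n for r, n in failures.items() if n >= THRESHOLD}
    return dict(malformed), noisy

if __name__ == "__main__":
    bad, noisy = analyse(SAMPLE_LOG)
    print("referers that are not absolute URLs:", bad)
    print("referers with repeated failed logins:", noisy)
```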