From owner-freebsd-isp  Wed Mar  8 14:01:11 2000
Delivered-To: freebsd-isp@freebsd.org
Received: from nhj.nlc.net.au (nhj.nlc.net.au [203.24.133.1]) by hub.freebsd.org (Postfix) with SMTP id A154737B64E for ; Wed, 8 Mar 2000 14:01:02 -0800 (PST) (envelope-from john.saunders@nlc.net.au)
Received: (qmail 10930 invoked by uid 1000); 9 Mar 2000 09:00:59 +1100
Date: 9 Mar 2000 09:00:59 +1100
Message-ID: <20000308220059.10928.qmail@nhj.nlc.net.au>
From: "John Saunders"
To: "Nicole Harrington."
Cc: freebsd-isp@freebsd.org
Subject: Re: Apache Hacking and Apparent Spoofing Problem
X-Newsgroups: nlc.lists.freebsd-isp
In-Reply-To:
User-Agent: tin/pre-1.4-980818 ("Laura") (UNIX) (Linux/2.0.37 (i686))
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In nlc.lists.freebsd-isp you wrote:
> Q1) The first one is that I have a customer whose server was/is getting hundreds
> of lines like: www.joelpass.com -> /oops.html in the referer log. The oops page
> means they entered a bad passwd for entrance to the pay x-rated site on the
> server. All of this seems somewhat normal except the lack of http:// and the
> fact that there is no such domain as joelpass.com.

Sounds like somebody is trying a brute force dictionary attack to find a valid
password.

> So how is someone doing this? IE how do they get referer to show this fake ID?

Simple, set the "Referer" header when they send the request. This could be done
by creating a page on this other site and linking to your password page. This
other site could even be local to them; the referer header is passed as text and
doesn't need to be correct. However, it's unlikely that they are using IE; if
they are pounding away at the password page they may have an application that is
simply forging the referer header. Do an AltaVista search on joelpass, you may
turn up something.

> I thought it was dns based. DNS poisoning? They don't use their own dns, they
> use a major internet provider's dns.
It's not DNS based but is text based and easily forgeable. You should never base
security around the referer, always use the IP address.

> Q2) It seems that there is a website that is hacking into pay X-Rated sites
> and providing free access to them via a click through on their system and they
> are the ones responsible for the above. They seem to be offshore and their
> clickthrough referring sites seem to come from all over. Is there any way to stop
> them? (I like porn, but I also work for several pay sites that are getting hit
> pretty hard by these asses. Their password guessing has created huge bandwidth
> spikes and if they guess one the site instantly becomes swamped)

Even though the referer header is changing, the IP address should be fairly
static. Sounds like Apache's allow and deny keywords would be useful.

    Order deny,allow
    Deny from 192.168.10.1
    Allow from all

P.S. I've spelt referrer as referer simply because it is incorrectly spelt in the
HTTP standard. So if you went off searching using the correct spelling you
wouldn't find anything.

Cheers.
-- 
+------------------------------------------------------------+     .
| John Saunders     - mailto:john@nlc.net.au (EMail)         | ,--_|\
|                   - http://www.nlc.net.au/ (WWW)           | /  Oz  \
|                   - 02-9489-4932 or 04-1822-3814 (Phone)   | \_,--\_/
| NORTHLINK COMMUNICATIONS P/L - Supplying a professional,   |      v
| and above all friendly, internet connection service.       |
+------------------------------------------------------------+
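As an added example that is not part of the original post, the script below puts John's advice into practice against an Apache combined-format log: it counts hits on the bad-password page per client IP, treats the client-supplied Referer as untrusted text that is only reported, and prints the Apache Deny lines for heavy offenders. The log lines, IP addresses and the threshold are constructed assumptions; /oops.html is the failure page named in the thread.

```python
import re
from collections import Counter, defaultdict

# Stock Apache "combined" LogFormat:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log (not real traffic): one client keeps hitting the
# bad-password page while writing whatever it likes into the Referer header.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Mar/2000:21:55:01 +1100] "GET /members/ HTTP/1.0" 401 401 "www.joelpass.com" "Mozilla/4.0"
203.0.113.7 - - [08/Mar/2000:21:55:01 +1100] "GET /oops.html HTTP/1.0" 200 512 "www.joelpass.com" "Mozilla/4.0"
203.0.113.7 - - [08/Mar/2000:21:55:02 +1100] "GET /oops.html HTTP/1.0" 200 512 "www.joelpass.com/x" "Mozilla/4.0"
203.0.113.7 - - [08/Mar/2000:21:55:02 +1100] "GET /oops.html HTTP/1.0" 200 512 "http://free.example/clk" "Mozilla/4.0"
198.51.100.22 - - [08/Mar/2000:21:56:10 +1100] "GET /oops.html HTTP/1.0" 200 512 "http://www.example.com/members/" "Mozilla/4.0"
198.51.100.22 - - [08/Mar/2000:21:56:30 +1100] "GET /index.html HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
"""

def parse_log(text):
    """Yield one dict per well-formed combined-format line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def failed_logins_by_ip(text, failure_path="/oops.html"):
    """Count hits on the bad-password page per client IP and note the Referer
    values each IP sent. Only the source address drives the decision."""
    counts = Counter()
    referers = defaultdict(set)
    for rec in parse_log(text):
        if rec["path"] == failure_path:
            counts[rec["ip"]] += 1
            referers[rec["ip"]].add(rec["referer"])
    return counts, referers

def deny_directives(counts, threshold):
    """Apache 'Deny from' lines for IPs at or above the threshold, for use
    under 'Order deny,allow' as in the post."""
    return ["Deny from %s" % ip for ip, n in sorted(counts.items()) if n >= threshold]

if __name__ == "__main__":
    counts, referers = failed_logins_by_ip(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print("%-15s %3d bad passwords, %d distinct Referer values" % (ip, n, len(referers[ip])))
    print("\n".join(deny_directives(counts, threshold=3)))
```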