Date:      9 Mar 2000 09:00:59 +1100
From:      "John Saunders" <john.saunders@nlc.net.au>
To:        "Nicole Harrington." <nicole@unixgirl.com>
Cc:        freebsd-isp@freebsd.org
Subject:   Re: Apache Hacking and Apparent Spoofing Problem
Message-ID:  <20000308220059.10928.qmail@nhj.nlc.net.au>
In-Reply-To: <XFMail.000307150100.nicole@unixgirl.com>

In nlc.lists.freebsd-isp you wrote:

> Q1) The first one is that I have a customer whose server was/is getting hundreds
> of lines like: www.joelpass.com -> /oops.html in the referer log. The oops page
> means they entered a bad passwd for entrance to the pay x-rated site on the
> server. All of this seems somewhat normal except the lack of http:// and the
> fact that there is no such domain as joelpass.com.

Sounds like somebody is trying a brute force dictionary attack to find a
valid password.

> So how is someone doing this? I.e. how do they get referer to show this fake ID?

Simple, set the "Referer" header when they send the request. This could be
done by creating a page on this other site and linking to your password
page. This other site could even be local to them; the referer header is
passed as text and doesn't need to be correct.

However it's unlikely that they are using IE, if they are pounding away
at the password page they may have an application that is simply forging
the referer header.

Do an AltaVista search on joelpass, you may turn up something.

> I thought it was DNS based. DNS poisoning? They don't use their own DNS, they
> use a major internet provider's DNS.

It's not DNS based but is text based and easily forgeable. You should never
base security around the referer, always use the IP address.

> Q2)  It seems that there is a website that is hacking into pay X-rated sites
> and providing free access to them via a click-through on their system, and they
> are the ones responsible for the above. They seem to be offshore and their
> click-through referring sites seem to come from all over. Is there any way to stop
> them? (I like porn, but I also work for several pay sites that are getting hit
> pretty hard by these asses. Their password guessing has created huge bandwidth
> spikes and if they guess one the site instantly becomes swamped.)

Even though the referer header is changing, the IP address should be fairly
static. Sounds like Apache's allow and deny keywords would be useful.

<Directory /path/to/x-rated/files>
	# Allow directives are evaluated first, then Deny; a matching Deny wins.
	# (With "Order deny,allow" the "Allow from all" below would override
	# the Deny and nobody would actually be blocked.)
	Order allow,deny
	Allow from all
	Deny from 192.168.10.1
</Directory>

P.S. I've spelt referrer as referer simply because it is incorrectly
spelt in the HTTP standard. So if you went off searching using the
correct spelling you wouldn't find anything.

Cheers.
--            +------------------------------------------------------------+
        .     | John Saunders  - mailto:john@nlc.net.au            (EMail) |
    ,--_|\    |                - http://www.nlc.net.au/              (WWW) |
   /  Oz  \   |                - 02-9489-4932 or 04-1822-3814      (Phone) |
   \_,--\_/   | NORTHLINK COMMUNICATIONS P/L - Supplying a professional,   |
         v    | and above all friendly, internet connection service.       |
              +------------------------------------------------------------+


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
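The two points John makes above, that Referer is client-chosen text and that blocking has to key on the client IP, are illustrated by the following added example. It is not code from the thread or from the Apache project. It assumes Apache's "combined" log format (the original poster's server wrote a separate referer log), uses constructed log lines with RFC 5737 documentation addresses, and the path /oops.html, the directory path and the threshold of 3 are taken from or chosen for this illustration.

```python
import re
from collections import Counter

# Apache "combined" log format (assumed for this example):
# ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def forged_request(host, path, referer):
    """A raw HTTP/1.0 request whose Referer is whatever the client chooses.
    The server logs it verbatim; it proves nothing about where the user came from."""
    return (
        f"GET {path} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        f"Referer: {referer}\r\n"
        "User-Agent: Mozilla/4.0 (compatible)\r\n"
        "\r\n"
    )


def parse_line(line):
    """Return a dict of log fields, or None for a line that is not combined format."""
    m = COMBINED_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def failed_logins_by_ip(lines, fail_path="/oops.html"):
    """Count hits on the bad-password page per client IP.
    The Referer field is deliberately ignored: it is attacker-controlled text."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = rec["request"].split()
        if len(parts) >= 2 and parts[1] == fail_path:
            counts[rec["ip"]] += 1
    return counts


def offenders(counts, threshold):
    """IPs whose failed-login count reaches the threshold, sorted for stable output."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def apache_deny_block(directory, ips):
    """Emit a <Directory> block that admits everyone except the listed IPs.
    With 'Order allow,deny' the Deny directives are evaluated after Allow and win,
    so 'Allow from all' does not override them (it would with 'Order deny,allow')."""
    out = [f"<Directory {directory}>", "\tOrder allow,deny", "\tAllow from all"]
    out.extend(f"\tDeny from {ip}" for ip in ips)
    out.append("</Directory>")
    return "\n".join(out)


# Constructed sample log lines, not real traffic. 203.0.113.7 hammers the
# password page with a forged Referer (no scheme, non-existent domain);
# 198.51.100.4 mistypes once and then gets in.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Mar/2000:15:01:00 +1100] "GET /oops.html HTTP/1.0" 200 512 "www.joelpass.com" "Mozilla/4.0"',
    '203.0.113.7 - - [07/Mar/2000:15:01:01 +1100] "GET /oops.html HTTP/1.0" 200 512 "www.joelpass.com" "Mozilla/4.0"',
    '203.0.113.7 - - [07/Mar/2000:15:01:02 +1100] "GET /oops.html HTTP/1.0" 200 512 "www.joelpass.com" "Mozilla/4.0"',
    '198.51.100.4 - - [07/Mar/2000:15:02:10 +1100] "GET /oops.html HTTP/1.0" 200 512 "http://www.example.com/join.html" "Mozilla/4.5"',
    '198.51.100.4 - - [07/Mar/2000:15:02:30 +1100] "GET /members/index.html HTTP/1.0" 200 2048 "http://www.example.com/join.html" "Mozilla/4.5"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    print(forged_request("www.example.com", "/members/", "www.joelpass.com"))
    counts = failed_logins_by_ip(SAMPLE_LOG)
    print(dict(counts))
    print(apache_deny_block("/path/to/x-rated/files", offenders(counts, threshold=3)))
```

Run against a real access log the threshold needs tuning per site, and the generated Deny list should be reviewed before it goes into httpd.conf: a proxy or NAT gateway shared by many legitimate users will show up as one busy IP.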




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000308220059.10928.qmail>