Hotlinking attachment.php by fusker clone

  • #1

    Hello VB Community.

    I have blown a fuse in my brain trying to solve a hotlinking or directlinking problem.

    My Vb forum has been "fuskered" and they have figured out a way to hotlink to the attachment.php?attachmentid=####

    They have about attachments. I also have hotlink protection setup and verified it works.

    But here is where it gets weird.

    If you go to one of those links directly, you get asked to log in. But this fusker page somehow has encoded a bogus user/pass that allows it to get the attachment as an inline hotlink using the <img src=> method.

    I've even looked at the log files and it appears that the files were retrieved via some proxy.

    Anybody run into this? This is using 100% of a 10Mbit line!!!!

    Thanks
    DigitalRat
    1010010101
    :cool: DigitalRat

  • #2
    I highly suggest disabling attachments for guests


    • #3
      Originally posted by Zachery
      I highly suggest disabling attachments for guests
      The guy said that the username/pass is in the link, NOT a guest thing.
      Try to read the post next time before you reply.


      • #4
        To be honest with you, that's near impossible, unless they are setting a cookie remotely for a site that they don't own (huge security issues that shouldn't even be possible). So short of hacks on that guy's site that are allowing it, it's not possible in vBulletin.


        • #5
          Geez, I hope this isn't a problem. Some people though...

          How can they get in? I assume you have htaccess as well. Is it coming from a website, and do you have the site's name and number? I usually ban it in my admin as well.
          shiva

          http://www.roxr.shivasite.com


          • #6
            Originally posted by Zachery
            To be honest with you, that's near impossible, unless they are setting a cookie remotely for a site that they don't own (huge security issues that shouldn't even be possible). So short of hacks on that guy's site that are allowing it, it's not possible in vBulletin.
            Well, don't say impossible. On Apache I've configured the CustomLog to also log the userid cookie so I can run it through a stats program. Well, when user #12345 views the same attachment 45,000 times from different IP addresses all day, it makes one take notice that something is not right.

            Somehow this fusker thing... is a script... that sets a cookie in the request for attachment.php that has the user & password.

            The ones I have found in my log files I have disabled, and the IPs I've banned via the kernel iptables. But it's still happening.

            Somehow they've figured out how to emulate a registered user to get to an attachment by direct access to attachment.php with the attachmentid encoded in the URL and a cookie set. Which of course means the user's password has been compromised, or, what I suspect, a lot of "dummy" users set up.

            Is there a way to force all users to change their password when they log in next???

            Thanks - any ideas will help.
            DigitalRat
            1010101001
            :cool: DigitalRat

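The check DigitalRat describes in #6 (an Apache CustomLog that also records the vBulletin userid cookie, then noticing one userid fetching attachments from many IPs), combined with the referer-based hotlink check that #1 and #8 talk about, written out as an added example. This is not code from the thread or from vBulletin. It assumes a LogFormat that appends `%{bbuserid}C` to the combined format (bbuserid being vBulletin's default userid cookie name; change the prefix if yours differs); the hostnames forum.example and fusker.example, the threshold of three IPs, and the sample log lines are all constructed for the example.

```python
# Added example: flag shared userid cookies and off-site referers in Apache
# access logs for vBulletin's attachment.php. Not from the thread or vBulletin.
#
# Assumed Apache configuration (hypothetical; adjust cookie prefix and paths):
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{bbuserid}C\"" combined_uid
#   CustomLog logs/access_log combined_uid
# %{bbuserid}C appends the vBulletin userid cookie ("-" when the cookie is absent).
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

OWN_HOSTS = {"forum.example"}   # hosts allowed to embed attachments (assumption)
IP_THRESHOLD = 3                # distinct IPs per userid before it counts as shared

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<userid>[^"]*)"$'
)

# Constructed sample log, not real traffic. Userid 12345 fetches attachments
# from four addresses behind a foreign referer; 777 is an ordinary member and
# "-" is a guest who only gets the login page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2005:10:00:01 +0000] "GET /attachment.php?attachmentid=101 HTTP/1.1" 200 51234 "http://forum.example/showthread.php?t=7" "Mozilla/5.0" "777"
198.51.100.1 - - [10/Oct/2005:10:00:02 +0000] "GET /attachment.php?attachmentid=101 HTTP/1.1" 200 51234 "http://fusker.example/gallery.html" "Mozilla/5.0" "12345"
198.51.100.2 - - [10/Oct/2005:10:00:03 +0000] "GET /attachment.php?attachmentid=101 HTTP/1.1" 200 51234 "http://fusker.example/gallery.html" "Mozilla/5.0" "12345"
198.51.100.3 - - [10/Oct/2005:10:00:04 +0000] "GET /attachment.php?attachmentid=102 HTTP/1.1" 200 60000 "http://fusker.example/gallery.html" "Mozilla/5.0" "12345"
198.51.100.4 - - [10/Oct/2005:10:00:05 +0000] "GET /attachment.php?attachmentid=101 HTTP/1.1" 200 51234 "-" "curl/7.15" "12345"
192.0.2.9 - - [10/Oct/2005:10:00:06 +0000] "GET /attachment.php?attachmentid=101 HTTP/1.1" 200 3120 "http://fusker.example/gallery.html" "Mozilla/5.0" "-"
203.0.113.5 - - [10/Oct/2005:10:00:07 +0000] "GET /showthread.php?t=7 HTTP/1.1" 200 8000 "http://forum.example/forumdisplay.php?f=2" "Mozilla/5.0" "777"
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def attachment_id(path):
    """Return the attachmentid query parameter for attachment.php hits, else None."""
    parts = urlsplit(path)
    if not parts.path.endswith("/attachment.php"):
        return None
    return parse_qs(parts.query).get("attachmentid", [None])[0]


def referer_host(referer):
    """Hostname of the Referer header, or None when the header is absent ("-")."""
    if referer in ("", "-"):
        return None
    return urlsplit(referer).hostname


def analyze(log_text, own_hosts=OWN_HOSTS, ip_threshold=IP_THRESHOLD):
    """Summarise attachment.php traffic by userid cookie, source IP and referer."""
    ips_by_user = defaultdict(set)         # userid -> distinct client IPs
    hits_by_user = defaultdict(int)        # userid -> attachment.php fetches
    hits_by_attachment = defaultdict(int)  # attachmentid -> fetches
    hotlinks = []                          # fetches whose referer is another site

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        aid = attachment_id(rec["path"])
        if aid is None:
            continue                       # not an attachment fetch
        uid = rec["userid"]
        ips_by_user[uid].add(rec["ip"])
        hits_by_user[uid] += 1
        hits_by_attachment[aid] += 1
        host = referer_host(rec["referer"])
        # A missing referer is not flagged here: direct downloads lack one too.
        # Those hits still count toward the shared-account check above.
        if host is not None and host not in own_hosts:
            hotlinks.append({"ip": rec["ip"], "userid": uid,
                             "attachmentid": aid, "referer_host": host})

    shared = {
        uid: {"ips": sorted(ips), "hits": hits_by_user[uid]}
        for uid, ips in ips_by_user.items()
        if uid != "-" and len(ips) >= ip_threshold   # guests ("-") are expected to vary
    }
    return {"shared_accounts": shared, "hotlinks": hotlinks,
            "hits_by_attachment": dict(hits_by_attachment)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for uid, info in report["shared_accounts"].items():
        print(f"userid {uid}: {info['hits']} attachment fetches from {len(info['ips'])} IPs {info['ips']}")
    for h in report["hotlinks"]:
        print(f"hotlink: {h['ip']} uid={h['userid']} attachmentid={h['attachmentid']} via {h['referer_host']}")
```

On the constructed sample the script reports userid 12345 as shared across four addresses and lists four fetches with a fusker.example referer; the curl fetch with no referer is counted against the account but not reported as a hotlink, which is the ambiguity a referer-only block rule cannot resolve. Run it over a real log with `analyze(open(path).read())`; the shared-account list is the set of userids worth disabling, and the referer hosts are the ones to deny in the hotlink rule.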

            • #7
              Originally posted by shiva
              Geez, I hope this isn't a problem. Some people though...

              How can they get in? I assume you have htaccess as well. Is it coming from a website, and do you have the site's name and number? I usually ban it in my admin as well.
              The IP addresses come from all over. It looks like they're being used through a proxy. Then all it takes is another clone to nab you and you're back in the same boat.

              I wish I knew an attorney who would take on these guys; they're stealing bandwidth, wasting my time, and they are allowing the blatant intent of hotlinking, just so they can save bandwidth at the cost of the ones who are hit.

              Thanks
              DigitalRat
              :cool: DigitalRat


              • #8
                This really is beyond my abilities then, and they've invested a lot of time into stealing what they could have made themselves, it seems...

                Not sure what can be done short of using some type of hotlinking protection and including attachment.php; even then, it might not work...


                • #9
                  What is the full url to attachment.php that you have in your log?


                  • #10
                    I have a very similar problem, if not the same, and I don't know how to get around it.

                    All one registered user has to do is right click on a specific page and "save page as", which is saved as an index.php HTML document. Now that file can be passed around to as many people as that user decides to give it to.

                    And with that file they access the page and download what is on it, even different offers that are given. They don't need to log in or to be a member.

                    Has anyone got any idea how I can stop this? Any help will be appreciated.

                    Please please someone help.

                    Thanking ahead


                    • #11
                      You can't stop your members from downloading and viewing attachments and then sharing them

                      Comment


                      • #12
                        You didn't understand.

                        They link to my page and download from my web page that only members have access to.

                        They don't share what the one has downloaded.

                        Thank you


                        • #13
                          There is no way to do this if your permissions are set correctly. What is the link to one of these attachments you think is being shared?
                          Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
                          Change CKEditor Colors to Match Style (for 4.1.4 and above)

                          Steve Machol Photography


                          Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.



                          • #14
                            Steve, I have sent you a PM.

                            Hope you can help.

                            Thank you


                            • #15
                              Sorry but I didn't ask for a PM. Besides the one you sent me did not provide the link. Freddie also asked for some information that you haven't provided. The best way we can help is if you provide the info requested.