rhenderson

Well-Known Member
Apr 21, 2005
785
2
168
Oklahoma
cPanel Access Level
Root Administrator
Hi,

We have a strange issue, someone it directed their domain A records to one of our wordpress sites, I guess in an attempt to mirror it and scam credit cards. It some type of attempt to hack to the site. About the only thing we could do is to prevent hotlinking which screws up the site look. They have caught on to that and change domains they have it under. It started with domain.net and now it is linked to domain.com.

We have written HE.NET about the copyright violations but they are ignoring us. Does anyone have any suggestions? We have been firewalling any IP's that come to the site that look suspicious.
 
Last edited by a moderator:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,201
363
Hello :)

That type of issue is best handled by blocking the IP address the connection is coming from, and sending an abuse report to the offending website's provider. You may need to try an alternate method of contacting the abuse department of the data center that hosts the website.

Thank you.
 

rhenderson

Well-Known Member
Apr 21, 2005
785
2
168
Oklahoma
cPanel Access Level
Root Administrator
Hello :)

That type of issue is best handled by blocking the IP address the connection is coming from, and sending an abuse report to the offending website's provider. You may need to try an alternate method of contacting the abuse department of the data center that hosts the website.

Thank you.
Michael,

Thanks for the suggestions, I had already thought of those things, the issue is that the domains are using the IP in their A records, basically mirroring the site so there is no IP to block. The nameservers only list he.net, so we contacted them. There are no other records on the DNS for the offending domains.

I could change the IP of the domain on my end to momentarily stop them, but once they figure that out they will just change their A records.

Best I can do as things are is to stop hotlinking via the domain name which stops the images from showing on their side, but the content is still there.
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
So if I understand this correctly, someone is pointing a domain name you do not own to the A record IP of a domain you do own. If that's the case:

Do you have modsecurity? If so you might be able to block the bad domain name easily. The traffic should be hitting your host with the wrong SERVER_NAME header. Try this in modsec2.user.conf or another modsec includes file:

SecRule SERVER_NAME "BAD_DOMAIN_NAME.COM" "deny,status:500,id:3498240455"

Restart apache. This should 500 any traffic being directed to your IP's via the nefarious domain name. Add additional rules as needed for other domain names with random ID numbers.
 

rhenderson

Well-Known Member
Apr 21, 2005
785
2
168
Oklahoma
cPanel Access Level
Root Administrator
So if I understand this correctly, someone is pointing a domain name you do not own to the A record IP of a domain you do own. If that's the case:

Do you have modsecurity? If so you might be able to block the bad domain name easily. The traffic should be hitting your host with the wrong SERVER_NAME header. Try this in modsec2.user.conf or another modsec includes file:

SecRule SERVER_NAME "BAD_DOMAIN_NAME.COM" "deny,status:500,id:3498240455"

Restart apache. This should 500 any traffic being directed to your IP's via the nefarious domain name. Add additional rules as needed for other domain names with random ID numbers.
Yes you are understanding this correctly...... I tried it in the modsec2.user.conf but got an error, I am seeing if I can figure out what the error is, if I can get this to work it is the perfect solution.

Error parsing actions: ModSecurity: Invalid value for action ID: 3498240455
 

rhenderson

Well-Known Member
Apr 21, 2005
785
2
168
Oklahoma
cPanel Access Level
Root Administrator
Changing the rule number took care of my error, but unfortunately it is not blocking the site.

I tried it with and without the www

SecRule SERVER_NAME "domain.com" "deny,log,auditlog,status:500,severity:'2',id:'11001100'"
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
Ugh, they're just embedding everything.

If you watch your access logs, do any IP's hit your server other than the IP you're visiting the bad site from? Anything good in the referring URLs?
 

rhenderson

Well-Known Member
Apr 21, 2005
785
2
168
Oklahoma
cPanel Access Level
Root Administrator
Here is the log when I go to the fake site.... - removed -

PS That IP is mine

Going back further I did spot and IP 69.167.xxx.xxx that traces back to he.net via liquidweb, I am going to firewall it and see what happens.

Update - It might block something they are doing but doesn't kill the fake site.

Based on quizknows suggestion of using modsecurity I tried

SecRule "HTTP_REFERER" "domain\.com" "deny,log,auditlog,status:500,severity:2,id:'1010101'"

I guess it blocked portions of the offending site, it really screws up their layout, it does not completely block them but it sure makes it ugly.
 
Last edited by a moderator:

rhenderson

Well-Known Member
Apr 21, 2005
785
2
168
Oklahoma
cPanel Access Level
Root Administrator

rhenderson

Well-Known Member
Apr 21, 2005
785
2
168
Oklahoma
cPanel Access Level
Root Administrator
Wow, there is more to this than I realized... All of these domains have our domain set as their A records

- removed spammer domains -

I think they are trying to bypass the modsecurity rule that blocks them out for too many login attempts to WP login.
 
Last edited by a moderator:

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
Jokes on them then, unless your rule is domain specific they'll still get blocked. Most rules for blocking those brute forces are not specific to the domain name.
 

rhenderson

Well-Known Member
Apr 21, 2005
785
2
168
Oklahoma
cPanel Access Level
Root Administrator
Jokes on them then, unless your rule is domain specific they'll still get blocked. Most rules for blocking those brute forces are not specific to the domain name.
Right, I am using

<Locationmatch "/wp-login.php">
SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 5 login attempts in 3 minutes.'"
SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
SecRule ip:bf_counter "@gt 5" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</locationmatch>

Along with CSF for multiple triggers to become permanent it stops brute force attacks.
 

rhenderson

Well-Known Member
Apr 21, 2005
785
2
168
Oklahoma
cPanel Access Level
Root Administrator
So if I understand this correctly, someone is pointing a domain name you do not own to the A record IP of a domain you do own. If that's the case:

Do you have modsecurity? If so you might be able to block the bad domain name easily. The traffic should be hitting your host with the wrong SERVER_NAME header. Try this in modsec2.user.conf or another modsec includes file:

SecRule SERVER_NAME "BAD_DOMAIN_NAME.COM" "deny,status:500,id:3498240455"

Restart apache. This should 500 any traffic being directed to your IP's via the nefarious domain name. Add additional rules as needed for other domain names with random ID numbers.
Hi Quizknows,

Thanks for the suggestion, I was still playing around with it, I found more domains pointed to more sites, 15 domains in total. I went back to your original rule (after reading a ton of modsecurity websites and came up with...

SecRule "SERVER_NAME" "domain\.net" "phase:1,deny,log,auditlog,status:404,severity:2,id:'11001101'"

Added a "" around SERVER_NAME and phase:1 to the actions and it works. Again thank you for the idea, I was not going to let these guys beat me!!
 
Last edited by a moderator: