rhenderson

Well-Known Member
Apr 21, 2005
784
2
168
Oklahoma
cPanel Access Level
Root Administrator
Hi,

We have a strange issue: someone has directed their domain's A records to one of our WordPress sites, I guess in an attempt to mirror it and scam credit cards. It is some type of attempt to hack the site. About the only thing we could do is prevent hotlinking, which screws up the site's look. They have caught on to that and changed the domain they have it under. It started with domain.net and now it is linked to domain.com.

We have written HE.NET about the copyright violations, but they are ignoring us. Does anyone have any suggestions? We have been firewalling any IPs that come to the site that look suspicious.
 
Last edited by a moderator:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,267
463
Hello :)

That type of issue is best handled by blocking the IP address the connection is coming from, and sending an abuse report to the offending website's provider. You may need to try an alternate method of contacting the abuse department of the data center that hosts the website.

Thank you.
 

rhenderson

Michael,

Thanks for the suggestions; I had already thought of those things. The issue is that the domains are using the IP in their A records, basically mirroring the site, so there is no IP to block. The nameservers only list he.net, so we contacted them. There are no other records on the DNS for the offending domains.

I could change the IP of the domain on my end to momentarily stop them, but once they figure that out they will just change their A records.

The best I can do as things are is to stop hotlinking via the domain name, which stops the images from showing on their side, but the content is still there.
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
So if I understand this correctly, someone is pointing a domain name you do not own to the A record IP of a domain you do own. If that's the case:

Do you have ModSecurity? If so, you might be able to block the bad domain name easily. The traffic should be hitting your host with the wrong SERVER_NAME header. Try this in modsec2.user.conf or another modsec include file:

SecRule SERVER_NAME "BAD_DOMAIN_NAME.COM" "deny,status:500,id:3498240455"

Restart Apache. This should 500 any traffic being directed to your IPs via the nefarious domain name. Add additional rules as needed for other domain names, with random ID numbers.
 

rhenderson

Yes, you are understanding this correctly. I tried it in modsec2.user.conf but got an error; I am seeing if I can figure out what the error is. If I can get this to work, it is the perfect solution.

Error parsing actions: ModSecurity: Invalid value for action ID: 3498240455
 

rhenderson

Changing the rule number took care of my error, but unfortunately it is not blocking the site.

I tried it with and without the www.

SecRule SERVER_NAME "domain.com" "deny,log,auditlog,status:500,severity:'2',id:'11001100'"
 

quizknows

Ugh, they're just embedding everything.

If you watch your access logs, do any IPs hit your server other than the IP you're visiting the bad site from? Anything good in the referring URLs?
 

rhenderson

Here is the log when I go to the fake site... - removed -

PS: That IP is mine.

Going back further, I did spot an IP, 69.167.xxx.xxx, that traces back to he.net via LiquidWeb; I am going to firewall it and see what happens.

Update - It might block something they are doing, but it doesn't kill the fake site.

Based on quizknows' suggestion of using ModSecurity I tried

# The Referer header is read through the REQUEST_HEADERS collection (ModSecurity has no HTTP_REFERER variable)
SecRule REQUEST_HEADERS:Referer "domain\.com" "phase:1,deny,log,auditlog,status:500,severity:2,id:'1010101'"

I guess it blocked portions of the offending site; it really screws up their layout. It does not completely block them, but it sure makes it ugly.
 
Last edited by a moderator:

rhenderson

Wow, there is more to this than I realized... All of these domains have our domain set as their A records:

- removed spammer domains -

I think they are trying to bypass the ModSecurity rule that blocks them out for too many login attempts to the WP login.
 
Last edited by a moderator:

quizknows

Joke's on them then; unless your rule is domain-specific, they'll still get blocked. Most rules for blocking those brute forces are not specific to the domain name.
 

rhenderson

Right, I am using

# Requires the ip and user collections to be initialised earlier in the config
# (initcol:ip=%{REMOTE_ADDR} and initcol:user=%{REMOTE_ADDR}); without that these rules are no-ops.
<LocationMatch "/wp-login.php">
    # Refuse the login page while the block flag for this user collection is set
    SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 5 login attempts in 3 minutes.'"
    # A 302 from wp-login.php means a successful login: reset the failure counter
    SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
    # A 200 means the login form was shown again (failed attempt): count it, decaying by 1 every 180 seconds
    SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
        # Chained rule: more than 5 failures sets the block flag for 300 seconds and resets the counter
        SecRule ip:bf_counter "@gt 5" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
</LocationMatch>

Along with CSF making blocks permanent after multiple triggers, it stops brute force attacks.
 

rhenderson

Hi Quizknows,

Thanks for the suggestion. I was still playing around with it; I found more domains pointed to more sites, 15 domains in total. I went back to your original rule (after reading a ton of ModSecurity websites) and came up with:

SecRule "SERVER_NAME" "domain\.net" "phase:1,deny,log,auditlog,status:404,severity:2,id:'11001101'"

Added "" around SERVER_NAME and phase:1 to the actions, and it works. Again, thank you for the idea; I was not going to let these guys beat me!!
 
Last edited by a moderator:
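An added example, written for this thread rather than taken from it or from cPanel or ModSecurity, that covers two things discussed above: quizknows' suggestion to watch the access logs for which IPs and referring URLs come in through the fake domain, and the SERVER_NAME rule the thread ended up with. It parses access-log lines, lists every foreign Host (with the client IP behind it) and every foreign referrer, and emits one phase:1 SecRule per foreign host with the dots escaped, the pattern anchored, www. folded in and the id range-checked. Everything specific in it is an assumption: the log lines, the domains mirror-scam.net and other-scam.com, the own-domain list example.org, the LogFormat that records %{Host}i, and the id upper bound, which is taken from the error the thread hit rather than from documentation.

```python
r"""Find requests that reached this server under a foreign Host header and
turn each such host into a phase-1 ModSecurity rule.

Assumes the log was written with a LogFormat that records %{Host}i right
after the request line (the stock 'combined' format does not), e.g.
  LogFormat "%h %l %u %t \"%r\" %{Host}i %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" hostlog
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Domains this server legitimately serves (assumed for the example).
OWN_HOSTS = {"example.org", "www.example.org"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<host>\S+) (?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample, not from the thread: a normal visit, two requests that
# arrived via a scam domain whose A record points at us (one with mixed case
# and a port), and a visit referred from another foreign page embedding us.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2014:10:00:01 -0500] "GET /index.php HTTP/1.1" www.example.org 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2014:10:00:05 -0500] "GET /wp-content/themes/x/style.css HTTP/1.1" mirror-scam.net 200 2210 "http://mirror-scam.net/" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2014:10:00:06 -0500] "POST /wp-login.php HTTP/1.1" WWW.Mirror-Scam.NET:80 200 1804 "http://mirror-scam.net/wp-login.php" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2014:10:01:00 -0500] "GET /checkout/ HTTP/1.1" example.org 200 8800 "http://other-scam.com/checkout/" "Mozilla/5.0"
"""


def normalize_host(raw):
    """Lower-case, drop ':port' and a trailing dot: 'WWW.Foo.NET:80' -> 'www.foo.net'."""
    host = raw.strip().lower().rstrip(".")
    if host.startswith("["):                     # IPv6 literal: keep brackets, drop port
        return host.split("]")[0] + "]"
    return host.split(":")[0]


def bare(host):
    """Fold 'www.foo.net' and 'foo.net' into one name."""
    return host[4:] if host.startswith("www.") else host


def parse_line(line):
    """Fields of one log line as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = normalize_host(rec["host"])
    ref = rec["referer"]
    rec["referer_host"] = "" if ref == "-" else normalize_host(urlsplit(ref).hostname or "")
    return rec


def _own(own_hosts):
    return {bare(normalize_host(h)) for h in own_hosts}


def foreign_hosts(log_text, own_hosts=OWN_HOSTS):
    """Count (foreign Host, client IP): which domains mirror us and who fetches through them."""
    own, hits = _own(own_hosts), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and bare(rec["host"]) not in own:
            hits[(bare(rec["host"]), rec["ip"])] += 1
    return hits


def foreign_referers(log_text, own_hosts=OWN_HOSTS):
    """Count referring domains that are not ours: pages embedding or framing our content."""
    own, refs = _own(own_hosts), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["referer_host"] and bare(rec["referer_host"]) not in own:
            refs[bare(rec["referer_host"])] += 1
    return refs


def secrule_for_host(domain, rule_id):
    """One phase-1 rule denying requests whose Host is DOMAIN or www.DOMAIN.

    phase:1 evaluates request headers, so the request is refused before it
    reaches WordPress.  The id must be a positive integer; the upper bound is
    an assumption taken from the thread, where 3498240455 was rejected with
    'Invalid value for action ID' and 11001101 was accepted.
    """
    if not 1 <= rule_id <= 2**31 - 1:
        raise ValueError("rule id out of range: %d" % rule_id)
    name = bare(normalize_host(domain))
    pattern = r"^(?:www\.)?%s$" % name.replace(".", r"\.")   # anchored, dots escaped
    return ('SecRule SERVER_NAME "@rx %s" '
            "\"phase:1,id:%d,t:lowercase,deny,status:403,log,msg:'foreign Host %s'\""
            % (pattern, rule_id, name))


def secrules_for_log(log_text, own_hosts=OWN_HOSTS, first_id=11001101):
    """One rule per foreign Host seen in the log, with sequential ids."""
    names = sorted({host for host, _ip in foreign_hosts(log_text, own_hosts)})
    return [secrule_for_host(n, first_id + i) for i, n in enumerate(names)]


if __name__ == "__main__":
    for (host, ip), n in foreign_hosts(SAMPLE_LOG).most_common():
        print("%-20s %-15s %d requests" % (host, ip, n))
    for ref, n in foreign_referers(SAMPLE_LOG).most_common():
        print("referer %-20s %d requests" % (ref, n))
    print("\n".join(secrules_for_log(SAMPLE_LOG)))
```

Point it at the relevant domlog once the vhost is logging the Host header, paste the emitted rules into modsec2.user.conf, restart Apache, and then confirm with `curl -I -H "Host: mirror-scam.net" http://YOUR.IP/` that you get the 403 while your real hostname still answers. Because SERVER_NAME comes from the client's Host header, a per-domain denylist like this is only as good as the list you keep feeding it; the complementary allowlist form is a single rule that denies any SERVER_NAME not matching your own domains.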