The Community Forums

Interact with an entire community of cPanel & WHM users!

Blocking theft/hack

Discussion in 'Security' started by rhenderson, Sep 30, 2013.

  1. rhenderson

    rhenderson Well-Known Member

    Joined:
    Apr 21, 2005
    Messages:
    785
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Oklahoma
    cPanel Access Level:
    Root Administrator
    Hi,

    We have a strange issue: someone has directed their domain's A records to one of our WordPress sites, I guess in an attempt to mirror it and scam credit cards. It is some type of attempt to hack the site. About the only thing we could do is prevent hotlinking, which screws up the site's look. They have caught on to that and changed the domain they have it under. It started with domain.net and now it is linked to domain.com.

    We have written to HE.NET about the copyright violations, but they are ignoring us. Does anyone have any suggestions? We have been firewalling any IPs that come to the site that look suspicious.
     
    #1 rhenderson, Sep 30, 2013
    Last edited by a moderator: Oct 7, 2013
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,832
    Likes Received:
    672
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    That type of issue is best handled by blocking the IP address the connection is coming from, and sending an abuse report to the offending website's provider. You may need to try an alternate method of contacting the abuse department of the data center that hosts the website.

    Thank you.
     
  3. rhenderson

    Michael,

    Thanks for the suggestions. I had already thought of those things; the issue is that the domains are using the IP in their A records, basically mirroring the site, so there is no IP to block. The nameservers only list he.net, so we contacted them. There are no other records in the DNS for the offending domains.

    I could change the IP of the domain on my end to momentarily stop them, but once they figure that out they will just change their A records.

    The best I can do as things are is to stop hotlinking via the domain name, which stops the images from showing on their side, but the content is still there.
     
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    942
    Likes Received:
    57
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    So if I understand this correctly, someone is pointing a domain name you do not own to the A record IP of a domain you do own. If that's the case:

    Do you have ModSecurity? If so, you might be able to block the bad domain name easily. The traffic should be hitting your host with the wrong SERVER_NAME header. Try this in modsec2.user.conf or another modsec include file:

    SecRule SERVER_NAME "BAD_DOMAIN_NAME.COM" "deny,status:500,id:3498240455"

    Restart Apache. This should 500 any traffic being directed to your IPs via the nefarious domain name. Add additional rules as needed for other domain names, with random ID numbers.
     
  5. rhenderson

    Yes, you are understanding this correctly. I tried it in modsec2.user.conf but got an error; I am seeing if I can figure out what the error is. If I can get this to work, it is the perfect solution.

    Error parsing actions: ModSecurity: Invalid value for action ID: 3498240455
     
  6. rhenderson

    Changing the rule number took care of my error, but unfortunately it is not blocking the site.

    I tried it with and without the www:

    SecRule SERVER_NAME "domain.com" "deny,log,auditlog,status:500,severity:'2',id:'11001100'"
     
  7. quizknows

    Ugh, they're just embedding everything.

    If you watch your access logs, do any IPs hit your server other than the IP you're visiting the bad site from? Anything good in the referring URLs?
     
  8. rhenderson

    Here is the log when I go to the fake site.... - removed -

    PS: That IP is mine.

    Going back further, I did spot an IP, 69.167.xxx.xxx, that traces back to he.net via liquidweb. I am going to firewall it and see what happens.

    Update: it might block something they are doing, but it doesn't kill the fake site.

    Based on quizknows' suggestion of using ModSecurity, I tried

    SecRule "HTTP_REFERER" "domain\.com" "deny,log,auditlog,status:500,severity:2,id:'1010101'"

    I guess it blocked portions of the offending site. It really screws up their layout; it does not completely block them, but it sure makes it ugly.
     
    #8 rhenderson, Oct 1, 2013
    Last edited by a moderator: Oct 7, 2013
  9. rhenderson

    I got messages back from the domain registrar; no help there, because they do not host the site. HE.NET won't respond. At least the new ModSecurity rule is making their rip-off of our site look bad :)
     
  10. theoxgr

    theoxgr Member

    Joined:
    Oct 3, 2013
    Messages:
    21
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Greece, Thessaloniki
    cPanel Access Level:
    Root Administrator
    I would like to protect my server and domains too. Can you explain what I should do for a fresh install? Thanks in advance.
     
  11. rhenderson

  12. rhenderson

    Wow, there is more to this than I realized... All of these domains have our domain set as their A records

    - removed spammer domains -

    I think they are trying to bypass the ModSecurity rule that blocks them out for too many login attempts to WP login.
     
    #12 rhenderson, Oct 5, 2013
    Last edited by a moderator: Oct 7, 2013
  13. quizknows

    Joke's on them, then; unless your rule is domain-specific, they'll still get blocked. Most rules for blocking those brute forces are not specific to the domain name.
     
  14. rhenderson

    Right, I am using

    <LocationMatch "/wp-login.php">
        # Assumed so the block stands alone: the ip and user collections must be initialised somewhere;
        # drop this line if your global ModSecurity config already does it (the id is a placeholder in the same series).
        SecAction "phase:1,nolog,pass,id:5000134,initcol:ip=%{REMOTE_ADDR},setuid:%{REMOTE_ADDR}"
        # Phase 2 (request): deny while the block flag set below is still live.
        SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 5 login attempts in 3 minutes.'"
        # Phase 5 (response): WordPress answers a successful login with a 302, so reset the counter.
        SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136"
        # A 200 re-serves the form, i.e. the attempt failed: count it (decaying 1 per 180 s) and chain to the threshold check.
        SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137"
        # More than 5 failures: flag the client for 300 s and start the count over.
        SecRule ip:bf_counter "@gt 5" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
    </LocationMatch>

    Along with CSF (for multiple triggers to become permanent), it stops brute-force attacks.
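The rule chain in the post above keeps its counters in ModSecurity's persistent ip and user collections, so what the numbers 5, 180 and 300 actually do is hard to see without an Apache to try it on. What follows is an added example, not the poster's code or ModSecurity's: a Python model of the same logic (my reading of the rules: a 302 resets the counter, a 200 decays it by one per full 180 s since it last changed and then adds one, and more than 5 flags the client for 300 s), driven by constructed login events from placeholder IPs. It shows the 401s after the sixth failure, the flag expiring at 300 s, and one limitation worth knowing: a client that fails once every 200 s never trips the 1/180 decay.

```python
"""
Added example, not code from the thread or from ModSecurity: a model of the
wp-login.php brute-force rule chain, so its time-based behaviour can be
exercised without Apache. All IPs and timestamps below are constructed.

Mirrored semantics (my reading of the rules as written):
  phase 2, request : if the client is flagged, answer 401 instead of serving.
  phase 5, 302     : successful login, counter reset to 0.
  phase 5, 200     : failed login; counter decays by 1 per full 180 s since it
                     last changed (deprecatevar 1/180), then +1; if it exceeds
                     5 the client is flagged for 300 s (expirevar) and the
                     counter is reset.
"""
from dataclasses import dataclass


@dataclass
class ClientState:
    counter: int = 0            # ip.bf_counter
    last_change: float = 0.0    # when the counter last changed; drives the decay
    blocked_until: float = 0.0  # user.bf_block together with its expirevar deadline


class BruteForceGuard:
    def __init__(self, max_failures=5, decay_seconds=180, block_seconds=300):
        self.max_failures = max_failures
        self.decay_seconds = decay_seconds
        self.block_seconds = block_seconds
        self.clients = {}

    def _client(self, ip):
        return self.clients.setdefault(ip, ClientState())

    def request(self, ip, now):
        """Phase-2 check: 401 if the client is flagged, else None (let it through)."""
        return 401 if self._client(ip).blocked_until > now else None

    def response(self, ip, status, now):
        """Phase-5 bookkeeping for one wp-login.php response; returns the counter."""
        st = self._client(ip)
        if status == 302:
            st.counter, st.last_change = 0, now
        elif status == 200:
            # deprecatevar: one point forgiven per full decay window since the last change
            decayed = st.counter - int((now - st.last_change) // self.decay_seconds)
            st.counter = max(0, decayed) + 1
            st.last_change = now
            if st.counter > self.max_failures:
                st.blocked_until = now + self.block_seconds
                st.counter = 0
        return st.counter


def simulate(guard, events):
    """events: (time, ip, status WordPress would return). Returns the status
    each request actually got: 401 where the guard denied it before WordPress."""
    seen = []
    for now, ip, app_status in sorted(events):
        forced = guard.request(ip, now)
        if forced is not None:
            seen.append(forced)
            continue
        guard.response(ip, app_status, now)
        seen.append(app_status)
    return seen


# Constructed scenarios (placeholder addresses from documentation ranges).
FAST_ATTACKER = "198.51.100.7"   # six failures in 50 s, then keeps trying
SLOW_ATTACKER = "198.51.100.9"   # one failure every 200 s, indefinitely
LEGIT_USER = "203.0.113.10"      # two typos, then a successful login


def fast_burst():
    return [(t, FAST_ATTACKER, 200) for t in (0, 10, 20, 30, 40, 50, 60, 340, 360)]


def slow_drip():
    return [(t, SLOW_ATTACKER, 200) for t in range(0, 1201, 200)]


def legit_session():
    return [(0, LEGIT_USER, 200), (5, LEGIT_USER, 200), (9, LEGIT_USER, 302)]


if __name__ == "__main__":
    for name, events in (("fast burst", fast_burst()),
                         ("slow drip", slow_drip()),
                         ("legit user", legit_session())):
        print(name, simulate(BruteForceGuard(), events))
```

The slow-drip result is the caveat: deprecatevar forgives one failure per 180 s, so an attacker pacing attempts at one per three minutes stays at a counter of 1 forever and only the CSF escalation or a stricter window would catch them.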
     
  15. rhenderson

    Hi Quizknows,

    Thanks for the suggestion. I was still playing around with it; I found more domains pointed to more sites, 15 domains in total. I went back to your original rule (after reading a ton of ModSecurity websites) and came up with:

    SecRule "SERVER_NAME" "domain\.net" "phase:1,deny,log,auditlog,status:404,severity:2,id:'11001101'"

    I added quotes around SERVER_NAME and phase:1 to the actions, and it works. Again, thank you for the idea; I was not going to let these guys beat me!!
     
    #15 rhenderson, Oct 6, 2013
    Last edited by a moderator: Oct 7, 2013
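Posts #4, #12 and #15 together describe the fix: find which hostnames are arriving in requests that are not yours, then write a ModSecurity rule per hostname with phase:1, an id that ModSecurity accepts and an escaped dot. The following is an added example, not code from the thread or from cPanel/ModSecurity, that automates that. It scans a constructed Apache access log (assuming a LogFormat that appends %{Host}i, and an ALLOWED_HOSTS set that is assumed to be every name served on the IP), counts requests per foreign hostname, and prints block rules in the shape that worked in post #15. As a generalisation beyond the thread it also prints a single allow-list rule that denies any Host that is not yours, which stops the whack-a-mole once 15 domains are involved. Hostnames, IPs and rule ids in it are placeholders.

```python
"""
Added example, not code from the thread or from cPanel/ModSecurity: scan an
Apache access log for Host names that are not ours, i.e. domains whose A
records someone else has pointed at this IP, and emit ModSecurity 2 rules.

Assumptions: the LogFormat ends with %{Host}i, so the Host header is the last
field of every line; ALLOWED_HOSTS is every hostname really served on the IP;
SAMPLE_LOG and its addresses are constructed. ModSecurity's SERVER_NAME is the
hostname taken from the request itself, which is why matching it catches
requests that arrive through a rogue domain.
"""
import re
from collections import Counter

ALLOWED_HOSTS = {"example.com"}   # assumed: the domains you actually host here
MAX_RULE_ID = 2147483647          # ids must fit a signed 32-bit int: 3498240455 failed, 11001100 worked

# Constructed sample log: combined format with the Host header appended.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Oct/2013:10:15:02 -0500] "GET /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0" www.example.com
198.51.100.7 - - [01/Oct/2013:10:15:09 -0500] "GET / HTTP/1.1" 200 18230 "http://rogue-mirror.net/" "Mozilla/5.0" rogue-mirror.net
198.51.100.7 - - [01/Oct/2013:10:15:10 -0500] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 4410 "http://rogue-mirror.net/" "Mozilla/5.0" rogue-mirror.net
203.0.113.44 - - [01/Oct/2013:10:16:30 -0500] "GET /about/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0" example.com
198.51.100.9 - - [01/Oct/2013:10:17:01 -0500] "GET / HTTP/1.1" 200 18230 "-" "Mozilla/5.0" another-copy.com
198.51.100.9 - - [01/Oct/2013:10:17:02 -0500] "POST /wp-login.php HTTP/1.1" 200 3012 "http://another-copy.com/wp-login.php" "Mozilla/5.0" another-copy.com:80
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'(?P<host>\S+)$'
)
# Dotted syntactic hostname (no IP literals, no junk); rules are only written for these.
HOSTNAME_RE = re.compile(r'^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$')


def normalize_host(raw):
    """Lower-case, drop any :port and trailing dot, and fold www.x onto x."""
    host = raw.lower().split(":", 1)[0].rstrip(".")
    return host[4:] if host.startswith("www.") else host


def rogue_hosts(log_text, allowed=ALLOWED_HOSTS):
    """Requests per Host value that is not one of our own domains.
    Non-hostname values (bare IPs, '-', garbage) are counted as '<invalid>'
    rather than dropped, so you can see how much traffic they carry."""
    ours = {normalize_host(h) for h in allowed}
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # line not in the expected format
        host = normalize_host(m.group("host"))
        if host in ours:
            continue
        counts[host if HOSTNAME_RE.match(host) else "<invalid>"] += 1
    return counts


def rule_id_is_valid(rule_id):
    """ModSecurity 2 wants a unique positive integer id that fits in 32 bits."""
    return isinstance(rule_id, int) and 1 <= rule_id <= MAX_RULE_ID


def _require_id(rule_id):
    if not rule_id_is_valid(rule_id):
        raise ValueError("rule id %r is not in 1..%d" % (rule_id, MAX_RULE_ID))


def block_rule(host, rule_id):
    """One deny rule per rogue host, in the shape that finally worked in the
    thread: phase:1 (request headers), dots escaped, optional www. prefix."""
    _require_id(rule_id)
    pattern = r"^(?:www\.)?" + host.replace(".", r"\.") + "$"
    return ('SecRule SERVER_NAME "%s" '
            '"phase:1,deny,log,auditlog,status:404,severity:2,t:lowercase,id:%d,'
            "msg:'request arrived via rogue hostname %s'\"" % (pattern, rule_id, host))


def allowlist_rule(allowed, rule_id):
    """Generalisation beyond the thread: instead of chasing each new domain,
    deny any Host that is not one of ours. `allowed` must list every name
    served on the IP (cPanel's cpanel./webmail./mail. service names too) or
    this 404s real traffic; run it under SecRuleEngine DetectionOnly first."""
    _require_id(rule_id)
    alts = "|".join(h.replace(".", r"\.") for h in sorted({normalize_host(h) for h in allowed}))
    return ('SecRule SERVER_NAME "!@rx ^(?:www\\.)?(?:%s)$" '
            '"phase:1,deny,log,auditlog,status:404,severity:2,t:lowercase,id:%d,'
            "msg:'Host header is not a hosted domain'\"" % (alts, rule_id))


def rules_for_log(log_text, allowed=ALLOWED_HOSTS, base_id=11001101):
    """One block rule per rogue host seen, busiest first, ids sequential from base_id."""
    hosts = [h for h, _ in rogue_hosts(log_text, allowed).most_common() if h != "<invalid>"]
    return [block_rule(h, base_id + n) for n, h in enumerate(hosts)]


if __name__ == "__main__":
    for rule in rules_for_log(SAMPLE_LOG):
        print(rule)
    print(allowlist_rule(ALLOWED_HOSTS, 11001200))
```

To use it on a real server, pass the contents of the domain's access log to rules_for_log() and paste the output into modsec2.user.conf. Because SERVER_NAME is whatever hostname the client sent, the allow-list rule also denies requests made by bare IP and for any service hostname you forgot to list, so switch SecRuleEngine to DetectionOnly, read the audit log for a day, and only then let it block.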
  16. quizknows

    Glad to help, and well done. ModSecurity is an awesome tool in many situations :)
     