The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

WTF? spam?

Discussion in 'General Discussion' started by luis, Aug 21, 2003.

  1. luis

    luis Well-Known Member

    Joined:
    Sep 3, 2001
    Messages:
    50
    Likes Received:
    0
    Trophy Points:
    6
    Since a long time ago i have noticed strange referers on my stats programs (and my clients stats programs for that matter).

    Today i decided to investigate one of them: http://www.HostItCheap.com

    These guys somehow visits every account on my server and inserts his own URL (as shown above) as the http referer.
    What does he gets? Go to any of your clients webalizer or awstats and you'll see a link to them on your own control panel.

    If you:
    grep "www.HostItCheap.com" /usr/local/apache/domlogs/somedomain.com
    (try on different domains)
    you'll get something like this:

    66.9.80.210 - - [12/Aug/2003:16:54:35 -0500] "GET / HTTP/1.1" 200 3730 "http://www.HostItCheap.com" "Mozilla/4.0 (compatible; www.HostItCheap.com Hosting Client-Agent)"

    Are they spamming just me? or everyone? How to stop this?

    cPanel.net Support Ticket Number:

    cPanel.net Support Ticket Number:
     
  2. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
  3. Jeff75

    Jeff75 Well-Known Member

    Joined:
    Apr 11, 2003
    Messages:
    555
    Likes Received:
    0
    Trophy Points:
    16
    I just searched for them in my users' logs and they're in every single log! Does anybody else have this problem?

    cPanel.net Support Ticket Number:
     
  4. netwrkr

    netwrkr Well-Known Member

    Joined:
    Apr 12, 2003
    Messages:
    203
    Likes Received:
    0
    Trophy Points:
    16
    I have a bunch of hits from them also -- awstats is listing them as a referrer.

    Upon further inspection, they are also in every one of my customers logs.

    Someone else is complaining about them in the de.admin.net-abuse.misc newsgroup. Can anyone do the translation?
    http://groups.google.com/groups?hl=...nbf1r5c.m96.leckse%40katana.leckse.net&rnum=1

    Here is another link I found that is of interest:

    http://groups.google.com/groups?q=h...selm=bgnvu8$e2o$1@titan.btinternet.com&rnum=1

    The quick easy cure (and definately one of my favorites)

    ip route 66.9.80.210 255.255.255.255 null0

    Please drive through...
     
    #4 netwrkr, Aug 21, 2003
    Last edited: Aug 21, 2003
  5. tAzMaNiAc

    tAzMaNiAc Well-Known Member

    Joined:
    Feb 16, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sachse, TX
    Block HostIsCheap from browsing your sites. He probably is browsing all your domains with some program, and that program inserts its titles. I've seen spiders do this so can he.

    You can block those IP addresses he uses.. and that will be end of that.

    Another example:

    66.147.154.3 - - [01/Aug/2003:10:12:28 -0500] "GET /robots.txt HTTP/1.0" 404 0 "-" "http://www.almaden.ibm.com/cs/crawler [c01]"

    See, they autoinserted their referrer themselves, so it's just apache picking it up and logging it.

    Brenden

    cPanel.net Support Ticket Number:
     
  6. Jeff75

    Jeff75 Well-Known Member

    Joined:
    Apr 11, 2003
    Messages:
    555
    Likes Received:
    0
    Trophy Points:
    16
    You can translate that webpage here: http://babelfish.altavista.com/

    I asked a friend to see if this was showing up in his logs (because he doesn't use cPanel and is in a different DC) and it's also showing up in his as well.

    cPanel.net Support Ticket Number:
     
  7. tAzMaNiAc

    tAzMaNiAc Well-Known Member

    Joined:
    Feb 16, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sachse, TX
    You could write a script to go through ALL logs and replace "www.HostItCheap.com" with your own website name :)

    Brenden

    cPanel.net Support Ticket Number:

    cPanel.net Support Ticket Number:
     
  8. netwrkr

    netwrkr Well-Known Member

    Joined:
    Apr 12, 2003
    Messages:
    203
    Likes Received:
    0
    Trophy Points:
    16
    The heck with a script, just break out sed and have fun :)

    cPanel.net Support Ticket Number:
     
  9. luis

    luis Well-Known Member

    Joined:
    Sep 3, 2001
    Messages:
    50
    Likes Received:
    0
    Trophy Points:
    6
    Hehhe i was starting to think i was the only one...

    Yep, not a cpanel issue, but mybe nick could came with one of his scripts... (maybe) :)

    There should be a way to block the user agent in httpd.conf instead of .htaccess because is showing on every damn account on my server.
    Something like deny any header that contains hostitcheap.com (or something like that.. i'm not that good with apache.)

    cPanel.net Support Ticket Number:
     
  10. luis

    luis Well-Known Member

    Joined:
    Sep 3, 2001
    Messages:
    50
    Likes Received:
    0
    Trophy Points:
    6
  11. luis

    luis Well-Known Member

    Joined:
    Sep 3, 2001
    Messages:
    50
    Likes Received:
    0
    Trophy Points:
    6
    Ok i found a way to stop the spam inside httpd.conf but it requieres some mad httpd.conf editing so if youre going to try it be carefull and do nothing without backing up the file.

    There's no good on blocking the IP since they can always use other IP, the best way (IMHO) is to look for requests for any page on the server using that referal and tell apache not to log it.
    If the visit is not on the apache log it won't be on any stats program.

    First: on your httpd.conf just before your first virtualhost entry:

    SetEnvIfNoCase Referer hostitcheap dontlog

    Second: On every virtualhost entry there is an entry like this:

    CustomLog domlogs/domain.com combined

    Just add this to the end of the line:

    env=!dontlog

    So it will look like this:

    CustomLog domlogs/domain.com combined env=!dontlog

    That´s it! The nice thing about this is that you can add more sites to the block... for example if you are receiving a similar type of spam from porn-site.com just add this line below the first one:

    SetEnvIfNoCase Referer porn-site dontlog

    There should be a way to add the env=!dontlog automaticly to the end of every CustomLog line... Maybe the folks at cpanel could come up with some script? :)

    (IMPORTANT: i have done very little testing on this so I'm not sure if this will work on every server.)

    cPanel.net Support Ticket Number:
     
Loading...

Share This Page