tdb Posted April 29, 2003 Posted April 29, 2003 Hi, I’m hoping to get some insight and some help. I have someone “getting” my images from a slide show on my site. It has been looping with a 200 code for 10 different images, one every 3 seconds. It’s been going for a day now and it’s obviously eating up my bandwidth. I’m fairly certain they have stolen my javascript for the slide show and are accessing my images from their site since there’s no caching of the images. Unfortunately, the referring field just shows the “-“ symbol on the “latest visitors.” I have their ip address, but I’m not sure how useful that is on its own. I’ve tried hotlink protection, which then pulled up 403’s, but it messed up some other things, so no more of that. I have also renamed the images so it pulls up 404’s. Right now, I have new jpg’s saying they have stolen my images. So far, no luck in getting them to stop so I may have to go back to the 404 errors. If they pull up hundreds of 404’s does that use bandwidth as well? I’m also concerned that it’s messing up my statistics and my logs. Thanks for the help! I know you guys don’t want them eating up my bandwidth any more than I do! Quote
dozure Posted April 29, 2003 Posted April 29, 2003 if you go to www.dnsstuff.com and do an IPWhois on the IP you have, you might get lucky. You can get the domain name its coming from if they're on a dedicated server. Probably won't help much, but it's worth a shot. Quote
Head Guru Posted April 29, 2003 Posted April 29, 2003 You need to enable hotlinking protection it will stop them dead! http://www.cpanel.net/docs/cp/hotLinkPreventor.htm Quote
dozure Posted April 30, 2003 Posted April 30, 2003 You need to enable hotlinking protection it will stop them dead! http://www.cpanel.net/docs/cp/hotLinkPreventor.htm not to contridict you, but he said he tried that and it messed some other things up. Only thing I can think of to try to stop them is try to track them down as I mentions above, or rename the images, and take the page you have the slide show on and make it open in a new window without the menu bar, and stick a little piece of jscript in there to disable right clicking so they cant see the new filenames. thats not perfect as they can still right click the link to the page and do save as and get the source for the page to get the filenames, but its an idea.... Quote
TCH-Rob Posted April 30, 2003 Posted April 30, 2003 This may sound silly but cant you use the IP Deny Manager in CPanel if you have the IP address? Quote
Head Guru Posted April 30, 2003 Posted April 30, 2003 Submit a help desk ticket. This is what hotlinking protection is for. Either you didnt set it up right or something went wrong, but it works Quote
KevinW Posted April 30, 2003 Posted April 30, 2003 Good point, Bill, about using HotLink Protection. -kw Quote
tdb Posted April 30, 2003 Author Posted April 30, 2003 Thanks all for your replies. I always really appreciate the help in this forum. I retried the hotlink protection and I'll be darned if it don't work! I can't upload to my site but I just disable it and then re-enable it afterward. Fine by me, but the guy is now just getting a continual loop of 403's which I sincerely hope stops before he ruins next month's stats too! But for now, I'm happy (as much as possible with a goober accessing my site!) At least the Lakers won (my sincere apologies to any Wolves fans, but it sure did help my mood). Thanks again! Quote
Head Guru Posted April 30, 2003 Posted April 30, 2003 tdb - pm if Bandwidth becomes a issue for you, we will donate some to your site for the month if needed. Quote
tdb Posted April 30, 2003 Author Posted April 30, 2003 Wow! I really appreciate that. I've got lots of leeway since it started at the end of the month, but thank you! I tell you, my experience with TCH is great. You're always on the tip of my tongue if anyone mentions needing hosting. Just wondering, do the error codes use any bandwidth? If so, I'll have to talk to this guy's isp if it's still going on after a little while. Weird stuff! You gotta wonder what he's doing with all these errors being returned! Quote
matman Posted April 30, 2003 Posted April 30, 2003 If all the requests are coming from just one IP address, then it is quite weird indeed! Conventional bandwidth-stealing hotlinks are IMG tags whose SRC is on your domain instead of the domain of the page that contains the link. If that is what's going on, you should see lots of hits to the image(s) from lot of different IP addresses belonging to the visitors to the thief's site. It sounds like you're saying that in this case one IP is hitting these images over and over and over again. Why would anyone do that? Just to be a jerk? Almost like a low-intensity DOS attack? Quote
tdb Posted April 30, 2003 Author Posted April 30, 2003 Exactly! My guess is he stole my javascript for my slide show and left it running while linking to my own images. I don't know, maybe a weird theory but it's pretty hard to think up realistic scenarios where this might happen. Quote
Head Guru Posted April 30, 2003 Posted April 30, 2003 Reporting them to their ISP is a dead end. Unless it comes from the host, they will file your complaint in the File 13 bin. What is the domain name? Let me get involved, I would like to see what kind of attack Matman thinks is happening. Quote
tdb Posted April 30, 2003 Author Posted April 30, 2003 That would be great. Unfortunately, there's no domain name given in the referrer field on my log. The IP is 65.42.80.123 but that's all the information I have to go on. Quote
TCH-JimE Posted April 30, 2003 Posted April 30, 2003 Hi, If you do a tracert to it, you can see thats its just a broadband user which I am guessing he is running is website from. Using CPANEL you should be able to deny this IP address and your problems should be solved. Jim Quote
matman Posted April 30, 2003 Posted April 30, 2003 Yes, if all the requests are coming from just the one IP, then denying that IP would be more effective than hotlink protection in this case. It would also keep your stats from being effected. As for an attack, I'm not sure if that's the right thing to call it (although I guess I did earlier). But if there are requests coming with such frequency all from one IP, it would definitely NOT be the result of a website that references the images/script/whatever, since such a reference would result in lots of requests from lots of different IPs with the offending site as the referrer. Quote
tdb Posted April 30, 2003 Author Posted April 30, 2003 I don't know if I'm doing it wrong, but I've tried IP deny for his ip and nothing happens. Personally, that would be my choice of weapons, but no such luck so far. Anyone with any insight on what I could be doing wrong? Quote
matman Posted April 30, 2003 Posted April 30, 2003 Can you copy-and-paste a few lines from your raw access logs so we can look at exactly what's happening? Quote
tdb Posted April 30, 2003 Author Posted April 30, 2003 65.42.80.123 - - [30/Apr/2003:13:30:18 -0400] "GET /image001.jpg HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" 65.42.80.123 - - [30/Apr/2003:13:30:22 -0400] "GET /image002.jpg HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" 65.42.80.123 - - [30/Apr/2003:13:30:26 -0400] "GET /image003.jpg HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" 65.42.80.123 - - [30/Apr/2003:13:30:30 -0400] "GET /image004.jpg HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" I have pages and pages of this. It accesses every 4 seconds in a loop (just like my own javascript slide show which I think they stole). Quote
matman Posted April 30, 2003 Posted April 30, 2003 Weird. Maybe they are using your javascript as an active desktop background or screensaver or something? Doubtful, I admit And you say that adding that IP to IP Deny on CPanel didn't do the trick? I would suggest submitting a helpdesk ticket and getting a guru to try it for you, because if you have IP deny on that IP you should NOT be getting any new logfile entries originating from that IP. Quote
tdb Posted May 1, 2003 Author Posted May 1, 2003 TCH Stones Ding Dong the Witch is dead! At 19:28:29 this dork stopped requesting my images. The TCH support staff reported him to his isp and I just hope they scared him out of doing this to anyone else. My hat's off to TCH! Thank you! Thank you! Thank you! Quote
greatfolios sysop Posted May 1, 2003 Posted May 1, 2003 EDIT: never mind, I didn,t read last post. Mr. Bill Quote
MRwisdom12 Posted May 28, 2003 Posted May 28, 2003 I would just like to say my hats off to Bill and his gang. I was just browsing through the forums and came across this article. I just have to say Bill and his gange are top notch. I think that is a awesome of TCH to donate "additional" badnwidth and to get involved in this situation. It just goes to prove - TCH Stones Quote
chuckmalani Posted May 28, 2003 Posted May 28, 2003 ya know what you should have done.... changed the images on your server to say "stop stealing my stuff you $&*#@(&" and had his site link to that. he would have changed it real quick.... chuck Quote
TCH-Don Posted May 28, 2003 Posted May 28, 2003 Yes that does work. It happened to me A site selling German Sheperds copied my k9 tribute page and inserted the whole page below thier top frame, and called it K9 Dogs, I found it by my stats, they were hotlinking my images. So I replaced the k9 dog pics with the caption on the page is 'We have all seen these wonderful dogs in action at the scene of the World Trade Center ' They took the page down after two days. Quote
curtis Posted May 28, 2003 Posted May 28, 2003 Turtle, That cat looks like it is REALLY ticked off. Did you make it that mad? Or it could be that haircut. curtis Quote
mrk504 Posted May 29, 2003 Posted May 29, 2003 You know what I usually do when someone steals my images? Forget hotlinking, I do something even better... I replace the image with another image about 10x bigger. I put a lot of mean words that I won't even get into. That'll teach that person a lesson. Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.