Banning a hijacker

Forum Moderators: phranque

Message Too Old, No Replies

Banning a hijacker

how do I do this?

Stefan

1:31 pm on May 11, 2004 (gmt 0)

I have a low-life "directory" that has just put our site in their list. I saw the referer in the logs like this: [theirsite.de...]

If you click on it takes you to our website with this URL showing: [theirsite.de...] and stays like that as you click through our internal links, with the content being lifted from our site as it happens, (you can see it in the logs).

I sent an email telling them to get if off, but how do I ban this stuff using Apache or prevent them from lifting my content into their URL?

jdMorgan

2:24 pm on May 11, 2004 (gmt 0)

Stefan,

The answer depends on how they are including your content. If they are simply framing your site, you could use a common JavaScript escape-from-frame script to take back 95% of your traffic (about 95% of users have JS enabled).

If they are using an iFrame, then you would need to block their server from accessing your content.

Do a view-page-source on their copy of your page, and see *how* they are displaying your page.

Jim

Stefan

2:32 pm on May 11, 2004 (gmt 0)

Many thanks, Jim. It looks like Javascript.

<HTML>
<HEAD>
<TITLE>xx</TITLE>
<script language="Javascript">
self.focus();
</script>
</HEAD>
<FRAMESET NAME=MAIN ROWS="38,*" FRAMEBORDER="no" BORDER="0">
<FRAME NAME="TOP" SRC="leiste_einfach.html?query=&search_type=&url=http%3A%2F%2Fwww.xx.org&tag=&optfam=" FRAMEBORDER="no" MARGINWIDTH="0" MARGINHEIGHT="0" SCROLLING="no">
<FRAME NAME="CONTENT" SRC="http://www.xx.org">
</FRAMESET>
</HTML>

If I could bug you one more time, I should be reading up on, "JavaScript escape-from-frame script"? I've never done any scripting... guess it's time to learn some new skills.

gergoe

2:38 pm on May 11, 2004 (gmt 0)

it is not as difficult as it sounds; it does check what's the location of the topmost frame (top.location.href) and the document where the script is running (location.href) and it these two aren't the same, then replaces the document in the topmost frame with the one where the script is running. in short words, if your page is being requested in a (sub)frame then it replaces the document in the browser with the correct one.
it is about this:


<SCRIPT LANGUAGE="JavaScript">
if(top.location.href!=location.href) top.location.replace(location.href);
</SCRIPT>

gergoe

2:44 pm on May 11, 2004 (gmt 0)

by the way, they use javascript only for requesting the focus for their window from the os, not for displaying your page. your page is being fetched by some server-side script, which does the http request.
if you have access to the logs produced by the apache, then you can check what's the ip address they use for this purpose, or if you have extended log, then you can see what sort of user-agent the hijacker uses, so you can deny the access to them either with the mod_access either with the mod_rewrite.

Stefan

2:47 pm on May 11, 2004 (gmt 0)

Great stuff, Gergoe.

Now I have to figure out the location part... my blo*dy dial-up connection is intermittent at the moment. I'm having a hard time searching info on it. That script will just go in the html of the index page, (which is where they are arriving), will it?

ADDED:

It's coming in on my own IP when I click on it, I thought of banning the IP right off the bat, but realized I couldn't. Here is the logs. The IP# showing up is my own intermittent dial-up connection.

209.x.x.x - - [11/May/2004:07:12:55 -0600] "GET / HTTP/1.1" 200 3435 "http://www.low-life-thieves.de/leiste/?url=http%3A//www.oursite.org" "Mozilla/5.0 (Windows; U; Win 9x 4.90; en-US; rv:1.6) Gecko/20040206 Firefox/0.8"

gergoe

2:54 pm on May 11, 2004 (gmt 0)

you can put this script into every page you'd like to "protect". the script is ready to use, you don't need to change anything (well; I just don't understand why you are looking for the location ;-)

gergoe

2:59 pm on May 11, 2004 (gmt 0)

i've just noticed your addition to your last post, and checked the html source you posted once more, and realized that i made a mistake; they don't use server-side script for fetching your site, only a simple frame, where your site is being loaded. so it means that you can't ban them just like that. the best is to use the javascript code mentioned above.

Stefan

3:04 pm on May 11, 2004 (gmt 0)

Right on. I'll add it to the index.htm and see what happens.

Thanks again, man.

Stefan

3:19 pm on May 11, 2004 (gmt 0)

Hmmm...

It doesn't appear to be doing it. I put the code in the <head></head> of the index.htm... clicking on the low-life URL still shows my index with their URL, "http://www.them.de/leiste/?url=http%3A//www.oursite.org", and it clicks through to the other pages with that URL.

ADDED:

I haven't been able to find the link on their site yet... the whole thing's in German, and has many categories of links, must be hundreds or more. Maybe if I click on their original link it would work? I'm still tryin the one I got from the logs...

bird

3:36 pm on May 11, 2004 (gmt 0)

<SCRIPT LANGUAGE="JavaScript">

This is NOT standard HTML, and may fail in standards conforming browsers. Use the following instead:

<script type="text/javascript">

Stefan

3:57 pm on May 11, 2004 (gmt 0)

That doesn't work either... maybe I'm confused on what I'm doing...

What I want is that when someone clicks into our index.htm from their site, and then into internal pages, that it breaks out of having their URL prefaced to ours. I can see a SE coming in on their link to us, then following it through our site, and seeing it as part of theirs, then we have dupe content problems...

jdMorgan

6:11 pm on May 11, 2004 (gmt 0)

Stefan,

Try the following variation. It is subtly different, and may work for you. Of course, you must have JS enabled in your browser to see the effect of either version.


<script language="JavaScript" type="text/JavaScript">if (parent.frames.length > 0) top.location.replace(document.location);</script>

Also, you must flush your browser cache and any other caches you control to be sure you load your new page with the frame-buster on it.

Jim

Stefan

6:55 pm on May 11, 2004 (gmt 0)

Brutal, Jim... that did it.

I hadn't tried clearing the cache before, and had only tried with Firefox. Whether it's the new code, or clearing the cache, it works like a charm now. I chekced it with Firefox, Netscape 7, and IE, and it's good in all of them. It finally breaks my pages out of the ab*ut.com frames too, (they have links to 5 different pages on my site, all from one page). Wicked. I'm going to stick that code into a bunch of other pages.

This is a question for a different forum, (and I'll have to try the site search), but I wonder if G, Y, and MSN, see the javascript, and if not, if they are fooled by that bogus linking form into thinking the Directory site has all those linked pages on its own site. I'll check around elsewhere on WW.

Many thanks Jim, Gergoe, and Bird.

tafkar

6:02 am on May 12, 2004 (gmt 0)

Just for curiosity:

Does this framebraker script help against iframes as well or just against regular frames? If not, is there a way to break out of an iframe?

No, I'm not intending to hijack someones pages via iframe. I just run over a site who did just that and I want to prevent my sites from being hijacked that way.

gergoe

10:32 pm on May 12, 2004 (gmt 0)

this is much more related to the browsers than to the webservers, i suggest you to post this question to some web page authoring forum. although i think the iframes are also available in some collection (all, frames or whatever) in the browser, so there is some way i'm sure about it, but this completely depends on the browser being used; ie, i don't think that the internet explorer and the netscape uses the same methods, objects for this, so take care with this