website bandwidth spamming

ekiken

5:21 pm on Aug 22, 2007 (gmt 0)

10+ Year Member



Hi,

I currently have a website that is being spammed, and the bandwidth used up is about 16-20 GB per day. I checked cPanel's latest visitors, and it shows that every few seconds a unique visitor visits my website. Under the logs, it shows these:


Host: 72.130.***.147

/picture/abc.jpg
Http Code: 200 Date: Aug 22 12:15:21 Http Version: HTTP/1.1 Size in Bytes: 14099
Referer: http://www.example.com/?hop=sslorder
Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)


/?hop=sslorder
Http Code: 200 Date: Aug 22 12:15:21 Http Version: HTTP/1.1 Size in Bytes: 146526
Referer: 1
Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)


/WMM_TYPE01_BLUE.SWF?f=def.mp3&m=manual&l=no
Http Code: 200 Date: Aug 22 12:15:21 Http Version: HTTP/1.1 Size in Bytes: 805
Referer: http://www.example.com/?hop=sslorder
Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)

and a lot of other files with the same referer http://www.example.com/?hop=sslorder, where www.example.com is my own website. Each time, the "Host" shown in the log is different. I heard that rewriting the URL based on the referer will help, but I have no idea how to start. And will it cause other referers like http://www.example.com/?hop=realaffiliate to be unable to visit the website? Urgently need help. Thanks.

[edited by: jdMorgan at 9:34 pm (utc) on Aug. 22, 2007]
[edit reason] Exampl.com. obscured IP address [/edit]

jdMorgan

9:36 pm on Aug 22, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



If you would explain what "hop" is, and how to tell a good hop from a bad one, you will likely get a better response... No-one here knows your site like you do, and solving such problems often requires knowledge of many details.

Jim

ekiken

8:44 am on Aug 23, 2007 (gmt 0)

10+ Year Member



Hi,

Actually the site index is an HTML file without any scripts. Hop is just a ClickBank affiliate style of identifying the user, I suppose. There is no variable of "hop" mentioned in any of my pages. But I've checked the affiliate database, and this sslorder is not in my affiliate database.

jdMorgan

12:46 pm on Aug 23, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



OK, are you currently using mod_rewrite successfully for other purposes on this server?

Jim

ekiken

3:03 pm on Aug 23, 2007 (gmt 0)

10+ Year Member



I am not using mod_rewrite as I don't know how to go about doing it, but my .htaccess file has FrontPage extension stuff that was added automatically.

jdMorgan

8:14 pm on Aug 23, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



OK, then. Start with the basics. Please test this in your 'home' directory .htaccess file:

Options +FollowSymLinks
RewriteEngine on
RewriteRule ^foo\.html$ http://www.google.com [R=301,L]

Once it is installed, request the page /foo.html from your server. You should end up at google.

This will decide:
Whether you can use mod_rewrite
Whether you need, and are allowed to set Options
Whether mod_rewrite is installed and allowed on your server.

If you get a 500-Server error right away, delete the first line - the "Options" line. This line will either be needed and allowed, won't be needed but will be allowed, or won't be allowed -- there is no way to tell without testing.

If it still doesn't work, then you can't use mod_rewrite.

If it does work, then we can proceed with the more complex stuff.

Jim

ekiken

12:41 am on Aug 24, 2007 (gmt 0)

10+ Year Member



yes the above works.

jdMorgan

12:55 am on Aug 24, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



This will cause the server to respond with 403-Forbidden to requests with that referring domain and query, but from any 'page' on that referring domain:

Options +FollowSymLinks
RewriteEngine on
#
RewriteCond %{HTTP_REFERER} ^http://www\.bad-domain\.com/[^?]*\?hop=sslorder
RewriteCond %{REQUEST_URI} !^/path-to-your-custom-403-error-page\.html$
RewriteRule .* - [F]

The second RewriteCond is only required if you have a custom 403 page (as defined by ErrorDocument 403 in your httpd.conf or .htaccess file). If you don't have a custom 403 page, delete the second RewriteCond.

The first RewriteCond assumes that the referrer is always the same domain, and always with a "hop=sslorder" query string. If the domain changes, and "sslorder" is always an invalid "hop" value, then you could shorten that line to:


RewriteCond %{HTTP_REFERER} \?hop=sslorder

The trick, as always, is to make the trap wide enough, but avoid catching any innocent visitors... This is done by making the rule as specific as possible without allowing the bad guys through.

Jim
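
An added example, not part of the original thread: a Python check that runs both referer patterns from the post above over a constructed log in the cPanel layout quoted earlier, showing what each would block and whether a hop=realaffiliate visitor is affected. The hosts, the second and third visitors, and the use of www.example.com in place of the placeholder domain are assumptions.

```python
import re
# Constructed sample in the cPanel layout quoted in the thread; hosts and visitors 2-3 are assumed.
SAMPLE = """\
Host: 192.0.2.10
/picture/abc.jpg
Http Code: 200 Date: Aug 22 12:15:21 Http Version: HTTP/1.1 Size in Bytes: 14099
Referer: http://www.example.com/?hop=sslorder
/?hop=sslorder
Http Code: 200 Date: Aug 22 12:15:21 Http Version: HTTP/1.1 Size in Bytes: 146526
Referer: 1
/WMM_TYPE01_BLUE.SWF?f=def.mp3&m=manual&l=no
Http Code: 200 Date: Aug 22 12:15:21 Http Version: HTTP/1.1 Size in Bytes: 805
Referer: http://www.example.com/?hop=sslorder
Host: 198.51.100.7
/picture/abc.jpg
Http Code: 200 Date: Aug 22 12:15:40 Http Version: HTTP/1.1 Size in Bytes: 14099
Referer: http://www.example.com/?hop=realaffiliate
Host: 203.0.113.5
/picture/abc.jpg
Http Code: 200 Date: Aug 22 12:15:52 Http Version: HTTP/1.1 Size in Bytes: 14099
Referer: http://other.example.net/?hop=sslorder
"""
NARROW = re.compile(r"^http://www\.example\.com/[^?]*\?hop=sslorder")  # domain-anchored form
BROAD = re.compile(r"\?hop=sslorder")  # shortened, any-domain form

def parse(text):
    """Yield one dict (host, path, bytes, referer) per logged request."""
    host = entry = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Host:"):
            host = line.split(":", 1)[1].strip()
        elif line.startswith("/"):
            entry = {"host": host, "path": line}
        elif line.startswith("Http Code:") and entry:
            entry["bytes"] = int(line.rsplit(":", 1)[1])
        elif line.startswith("Referer:") and entry:
            entry["referer"] = line.split(":", 1)[1].strip()
            yield entry
            entry = None

def audit(text, pattern):
    """Return (blocked, served, content bytes refused) for one referer pattern."""
    entries = list(parse(text))
    blocked = [e for e in entries if pattern.search(e["referer"])]
    served = [e for e in entries if not pattern.search(e["referer"])]
    return blocked, served, sum(e["bytes"] for e in blocked)

if __name__ == "__main__":
    for name, pat in (("narrow", NARROW), ("broad", BROAD)):
        b, s, refused = audit(SAMPLE, pat)
        print(name, "blocks", len(b), "serves", len(s), "bytes refused", refused)
```

In this sample the 146526-byte /?hop=sslorder request arrives with Referer "1", so neither pattern matches it; a condition on the referer only stops the follow-on image and Flash requests.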

ekiken

2:17 am on Aug 24, 2007 (gmt 0)

10+ Year Member



Alright, thanks a lot. Shall try that in a while.