Meretrice,
remove his IP address from the post. No need for personally identifiable information

Hi. It might be better to just put:

deny from <his address>

in your .htaccess file.

That will deny him specifically from getting anything. He may switch to another IP, though.

Also -- you mentioned your .htaccess was read-protected: this will not work on some servers because Apache needs to be able to read it in order to know what rules to apply. I'm not sure if this is the case on yours, but if you're not getting the expected results, that may be something to check.

JK

Hi,

You could try:

RewriteEngine on
RewriteCond %{HTTP_REFERER} hot-linker\.net [NC]
RewriteRule ^dir/imagebeingstolen.jpg /dir/goaway.jpg [R=301,L]

Andrew

[edited by: jdMorgan at 5:34 pm (utc) on Feb. 13, 2006]
[edit reason] Obscured specifics. [/edit]

PS.
You might want to redirect to an image on a bit of free web space to stop so much of your bandwidth being used.

Andrew

A useful technique to temporarily alleviate such problems is to rewrite the malicious requests to a subdirectory on your server. In that subdirectory, create an .htaccess file with only a few directives in it:

ErrorDocument 403 /[b]local-path[/b]-to-this-subdirectory/403.html
RewriteEngine on
RewriteRule !^403\.html$ - [F]

Now create a blank file called "403.html" in that same directory.

In the main .htaccess file, rewrite the hotlink requests to this subdirectory. Any request to this subdirectory will be Forbidden by the RewriteRule, except for the 403.html content supplied in response to the request. Since the filesize of 403.html is zero, this will minimize your bandwidth loss.

Another approach would be to simply redirect all such requests back to the referring source -- throw the problem back at the hosts where the problem originates. However, that creates extra traffic on the internet, and I don't favor such solutions unless all others have failed. In other words, contact the abuse department of the sites hosting the referring pages, and ask that those pages be disabled or removed, since they are effectively creating a denial-of-service (illegal) attack on your site. If that fails, then this second technique might be defensible and worth trying.

Jim

Sorry about the specifics. Newbie mistake. :)

Regarding the redirect to another directory, I have a few questions:

1) According to my server logs, this guy is must be getting a Code 302 - Found. Rather than the Code 403. What would happen if I re-directed the Code 302s?

2) My main objective is to reject his pings (or whatever he's doing) entirely. How can I keep him from hitting my site? Can I just reject his IP address or his referrer?

3) If I do the re-direct, should I keep the rest of the .htaccess file as it is now, but with the new re-direct rules added?

Thanks for your help!

Meretrice

Hi,

The following blocks any request with a referer containing the string "hot-linker.net":

SetEnvIf Referer "hot-linker\.net" blocked_hotlinker
Deny from env=blocked_hotlinker

Or you can block the guy by IP:

Deny from 24.168.**.187

Or you block everyone from his ISP:

Deny from rr.com

(The last one is inadvisable)

Andrew

[normally get 50,000-60,000 hits a day. With his antics, I am not approaching 2 MILLION hits a day]

The last time I saw my usage spike like that was when I goofed up mod_rewrite and kicked off a heckuva server-to-server loop. (Ooops...)

So if you're still trying to get things to work correctly, you might want to take a few minutes and start fresh -- remove (or comment-out) what you've been trying to do in .htaccess regarding this particular referrer to see if the numbers drop to their 'normal' levels.

If they don't drop almost instantly, at least you'll know you're not looping.

(And when all is said and done, and working, I'd find the specific IP's abuse@ info through WHOIS and complain, and keep complaining. Wishful thinking, I know, but you never know.)

Good luck!

Okay, I've updated my htaccess with the SetEnvIf command. *crosses fingers*

I'll let you know what happens. Thank you everyone for your advice.

April

Pfui, i agree with you. this has to be a code error, no way, even a malicious attack, can go from 50,000 hits to 2,000,000.

OP, in your logs, do you have the referrers and where the hits are coming from? have you checked out those sites?

Yes I do. The hits are coming from a Roadrunner IP address. I do not use Roadrunner for my internet access.

The referrer is a forum website The vast majority of the hits are coming off a showthread.php page and so I can't view those pages directly. However, other pages that I hitting my site I have been able to view, and there are posts on the forum pages that are hotlinking to my images. My htaccess *is* preventing those hotlinks from displaying the images. It *should* show stealing.jpg instead, but it isn't doing that. I don't know why.

The hits are less than they were yesterday, but they are still going up.

I posted my original htaccess file in the first post. I am perfectly willing to admit that I know very little about how the commands work, and there could be an error.

Does anyone see where I made a mistake that caused this problem?

Thanks for your help.

Meretrice

well, your htaccess looks different from the one I use. also, the image will not show up if it's any extension except .png. the .png will show the alternate image. to see which thread was using your image after showthread.php, you need a log analyzer, do you have one running on your site?

here's my htaccess.

RewriteEngine On
RewriteCond %{HTTP_REFERER}!^http://(www\.)?yoursite\.com [NC]
RewriteCond %{HTTP_REFERER}!^http://(www\.)?google\.com [NC]
RewriteRule \.(gif¦GIF¦jpg¦JPG)$ /your-sub-image.png [L]

Faster:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yoursite\.com [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?google\.com [NC]
RewriteRule \.(gif¦jpg)$ /your-sub-image.png [[b]NC[/b],L]

Serve same image type:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yoursite\.com [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?google\.com [NC]
RewriteCond %{REQUEST_URI} !^/your-sub-image\.
RewriteRule \.(gif¦jpg)$ /your-sub-image.$1 [NC,L]

Jim

Thank you Jim,

That serves up the substitute image nicely when trying to hotlink a JPEG. I get a broken image icon when trying to hotlink to a GIF. The substitute image is a JPEG, is this why? Do I need a substitute GIF image also, to cover my bases?

Meretrice

You might also try contacting the forum owner and ask them to change the forum settings to prevent this kind of thing (avatar linking to offsite image) - you might find them receptive. It be allowed on the forum simply because the owner isn't aware of the issues.

I just want to say a big THANK YOU to everyone who helped me with my .htaccess problem. My traffic has gone back to its normal levels so it looks like my problem is solved. Everyone's advice was great and I appreciate all the help I received.

Meretrice