What happened to BotBuster?


SLix
August 28th, 2004, 12:10 PM
Hi all! I have been having major problems locking down my installation of PhotoPost, and protecting it from all the hackers and leechers who are desperate to get to the movie file content.

I thought BotBuster would be the answer as PhotoPost seems to support it. However, I ordered BotBuster, waited 24 hours, waited another 24 hours, and nothing. Wrote them.... no reply. No charge on my credit card although I did receive a confirmation email after the billing process.

I have written to them several times, and never had a reply. I may try phoning them later, but.....

..... I was wondering if anyone knows what's going on? Where are they?



I really need a system like botbuster to protect my data directories. Does anyone know of a good alternative to limit unauthorised access to the data directory, and to block unwanted bots and downloaders?

I know I could use .htaccess and indeed I do, but I can't get that to work exactly as I want it to.... more about that later and in another thread though.

Thanks for now!

Chuck S
August 28th, 2004, 12:57 PM
htaccess works just fine for preventing hotlinking

You can use the admin feature of disabling right click to keep people from downloading movies.

SLix
August 28th, 2004, 01:54 PM
Hi Omegatron - I don't want to prevent my members from downloading the files. I want to stop non members from accessing them direct from the data directory. PhotoPost's anti leeching (no right click) will only stop members, and even then, will only stop them if they have javascript enabled.

My main problem is people posting the URLs of the files in the data directory on other sites, forums etc.

Although I have an htaccess file guarding the data directory from hotlinking, it does not block people who type the URL straight into their browser, or who use a download bot such as NetAnts, gozilla etc.

Example 1 htaccess.
#########################################
Options +FollowSymlinks
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://domain.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.domain.com/.*$ [NC]
RewriteRule .*\.(mpg|mpeg|mov|wav|mp3|avi|rm|ram|qt|ra|zip|aiff)$ http://www.domain.com [R,NC]
#########################################

If I set the htaccess file to block access from URLs typed direct into the user's browser, it prevents my members from being able to watch movies, or right click and use "Save target as....".

Example 2 htaccess.
#########################################
Options +FollowSymlinks
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://domain.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.domain.com/.*$ [NC]
RewriteRule .*\.(mpg|mpeg|mov|wav|mp3|avi|rm|ram|qt|ra|zip|aiff)$ http://www.domain.com [R,NC]
#########################################
("RewriteCond %{HTTP_REFERER} !^$" line removed)


There must be some way I can get around this limitation, and block all outside referers from the data directory, and leave my members free to view and download movies.

I have seen the subject of data directory security, and htaccess files a number of times on these forums, so I know I am not the only one having these problems. For me it's the hardest part to get right with PhotoPost. I have been trying since March when I installed it, and now, 5000 members later, it's approaching 500GB transfer per month, and most of that is through theft!

For now, I have used the htaccess method 2 (above) which prevents anyone from downloading the movie files, and in my forums I have posted instruction on how to add files to favorites and download them as a zip file, but loads of members are having problems getting that to work, so that's not the answer either.

I hope to start charging for access to some areas of the gallery soon, so it's got to be made secure, yet user friendly for registered members.

Sola
August 29th, 2004, 12:23 AM
Forget Botbuster. The guy promised more than he could deliver and took off with our money.

SLix
September 1st, 2004, 08:25 AM
Oh, no wonder I can't get any answers from them then. Bad luck! :(

DerekT
October 1st, 2004, 07:23 PM
I had a serious hotlinking issue where I was going through 400 GB in a day. People were hotlinking my multimedia files in a serious way. I was able to correct the problem and still allow people on the site to view them.

The code below assumes you are using Apache and have your data files structured like www.domain.com/data/

If a person requests a multimedia file, it checks for a valid referrer. If there is no referrer then it checks for the login cookie of ppid. Most players do not pass a referrer variable and that is why your previous attempt failed. This code will check for the login cookie and if a member is logged in, they can view the movie.


<Directory /var/www/html/data>
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://domain.com.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.domain.com.*$ [NC]
RewriteCond %{HTTP_COOKIE} !^.*ppid=.*$
RewriteRule .*\.(gif|GIF|jpg|JPG|jpeg|JPEG|png|PNG|bmp|BMP)$ - [F]
RewriteCond %{HTTP_REFERER} !^http://domain.com.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.domain.com.*$ [NC]
RewriteCond %{HTTP_COOKIE} !^.*ppid=.*$
RewriteRule .*\.(mpeg|MPEG|mpg|MPG|avi|AVI|mov|MOV|asf|ASF|wmv|WMV)$ - [F]
AllowOverride None
Order allow,deny
Allow from all
</Directory>

SLix
October 1st, 2004, 11:55 PM
Hey Derek, that is pretty much exactly what I have been looking for. However, I am getting a 500 server error when I use that in my htaccess for my domain and data path. Also my installation of PP is integrated with vB3, so what should I put for the cookie information?

thanks

DerekT
October 2nd, 2004, 09:48 AM
I am not sure why you are receiving a 500 error. I am running Apache 2.0 on a Linux RHE3 dedicated server. Not sure if system versions or OS have anything to do with it. I am sure that this will work in your htaccess file; however, I placed them in the httpd.conf file for performance reasons. Once you get it working there, you may want to consider that as well.

If you have integrated with a forum script, you will need to change the cookie name of ppid to the cookie name that your forum writes after a member has logged in.

In my above example, I allowed images to have no referrer, my domain in the referrer or the login cookie. For multimedia files, you either have to have the referrer passed or have a cookie. I am not too concerned with a few people who cut and paste an image URL into a browser so an image shows up. In my past experience the multimedia hotlinking was the real bandwidth eater.

Hope this helps.

Chuck S
October 2nd, 2004, 10:58 AM
RewriteCond %{HTTP_COOKIE} !^.*bbuser=.*$

FOR VB3 DEFAULT


Now as a side note the above will not work for everyone depending on what hosts allow or disallow.

SLix
October 2nd, 2004, 07:59 PM
For some reason my server doesn't want to know. Even removing image files from this protection, it blocks all thumbs and full size images. Clicking on a movie link, produces a 500 error.

I am running apache on redhat, and my server uses cPanel/WHM.

What is the [F] directive?

I am just wondering about the:
AllowOverride None
Order allow,deny
Allow from all

I have other htaccess files on this site, including in the main html directory. This cookie htaccess file I am putting in the data directory itself. Maybe that is causing some sort of conflict? Any advice would be very helpful.

DerekT
October 2nd, 2004, 08:14 PM
Here is some info on the tags:

[R] = Redirect the request to a new file. In this case it is going to return the hotlink.jpg
[L] = Stops the Rewrite process
[F] = Returns a Forbidden code 403, thus the little "x" from anyone trying to leech.
[NC] = no case
[OR] = switches to the next Rewrite Condition

Here is a detailed document for the other options:
http://docs.rinet.ru/CP7/ch12.htm

Hope this helps.

HobbyTalk
October 3rd, 2004, 11:03 AM
Here is what I use... it serves up a "stolenimage.gif" image for visitors of sites that hotlink. I have two domain names that point to the same site, thus you see mydomain1|mydomain2. This is placed in the data directory.


RewriteEngine on
IndexIgnore *
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://www\.(mydomain1|mydomain2)\.com.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(mydomain1|mydomain2)\.com.*$ [NC]
RewriteRule .*\.(jpg|jpeg|gif)$ /full/server/path/to/stolenimage.gif

HobbyTalk
October 3rd, 2004, 11:07 AM
As a note: anyone that uses any type of proxy server will not be able to view the images or files even if they are on your site. This includes software such as Norton Internet Security and Zone Alarm.

DerekT
October 3rd, 2004, 11:14 AM
Instead of sending a 403 Forbidden error to the end user, this would show the stolenimage.gif to them. It is a matter of choice on what the end result would be.

If customers use Norton Internet Security and Zone Alarm, those programs modify the referrer and that is why it will not work for them. They would need to enable referrer passing for your domains or make it pass a blank referrer. I have found that writing a help page describing the necessary changes in a step by step manner cuts way down on emails asking for help.


RewriteEngine on
IndexIgnore *
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://www\.(mydomain1|mydomain2)\.com.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(mydomain1|mydomain2)\.com.*$ [NC]
RewriteCond %{HTTP_COOKIE} !^.*bbuser=.*$
RewriteRule .*\.(jpg|jpeg|gif)$ /full/server/path/to/stolenimage.gif
RewriteCond %{HTTP_REFERER} !^http://www\.(mydomain1|mydomain2)\.com.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(mydomain1|mydomain2)\.com.*$ [NC]
RewriteCond %{HTTP_COOKIE} !^.*bbuser=.*$
RewriteRule .*\.(mpeg|mpg|avi|mov|asf|wmv)$ /full/server/path/to/stolenimage.gif

Chuck S
October 3rd, 2004, 11:48 AM
Usually as a result I like to make sure there is no bandwidth theft. I use this

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://reeftalk.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://reeftalk.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.reeftalk.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.reeftalk.com$ [NC]
RewriteRule .*\.(mpg|mpeg|mov|wav|mp3|avi|rm|ram|qt|ra|zip|aiff|jpg|jpeg|gif|png|bmp)$ - [F,NC]

Please note everything is personal preference. I just choose to show nothing, as even showing a stolenimage.gif file, while relatively small, is bandwidth theft by your choice. Take search engines by choice. Say your stolenimage.gif is 5k and there are 2 million image links and each of those links gets one hit a month; that still results in 10000000 kilobytes of transfer or 9.53674 gigabytes of bandwidth.

Johnny Doomo
October 6th, 2004, 10:15 PM
So if you use a htaccess file at all are you saying that people that use Norton Internet Security or Zone Alarm will get image place holders over my entire gallery if they don't read a message that tells them how to fix it?

I am thinking of using a htaccess, but if that is the case I am more worried about using one than simply getting more server bandwidth and letting my watermarks do my advertising for me.

I don't want to make it a hassle for visitors that are supposed to be able to see the images, but if possible I want to block people that are stealing my bandwidth from posting my images on their site or posting the data directory url so users can bypass my banners.

Can somebody help find out what the best solution is for me?

Thanks.

SLix
October 7th, 2004, 05:19 AM
Users of Norton Internet Security, Zone Alarm, or anything else that blocks headers will be treated as an imposter by your htaccess/apache. BUT only if they have it setup to block headers. By default, they do, and most users don't even know it!

It may be a better idea to protect your whole photopost directory with htaccess, and have it redirect them to a page with simple instructions on how to setup their privacy software "properly".

Johnny Doomo
October 7th, 2004, 02:45 PM
Would it only redirect people that have it setup incorrectly or would it redirect everybody? And if it only redirects those with it incorrectly setup, what happens if the image is linked from another one of my sites and somebody that has these programs tries to view the image? Wouldn't it just show them the stolen image and they would still have no clue that it was them and not the site?

Sounds like either way using these preventative processes, you still limit your users... no matter how small a % it may be. Is that a correct assumption?

I really don't want to show dead or stealing images to anybody that should be seeing the pic just fine.

SLix
October 7th, 2004, 05:07 PM
You can setup any redirection you like, to any page you like, instead of showing a stolen image. You can add your other domains to the htaccess so that they will be valid referers.

Yes it will limit some of your visitors to some extent, but you may find that preferable to having your bandwidth stolen by other sites linking directly to your files!

Depending on your line of business, people using stupidly high security such as private headers etc. are not good for business, as they more than likely have cookie blockers too, which may mean that you are not credited for affiliate sales, advertising revenue, or link exchanges. Furthermore they are probably also likely to have ad blockers running. So their value to you as a business may be very limited. So maybe you shouldn't lose too much sleep over them.

Johnny Doomo
October 7th, 2004, 07:49 PM
OH! OK that helped me understand it a lot better. So which of the above, or can somebody post an htaccess that will do what you say and allow multiple domains, and allow me to redirect with a message?

If there is a way to show the message to only those that are seeing the dead images that would be great so that I don't have to show the message to every user viewing my gallery.
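
A consolidated .htaccess along the lines requested above, as an added example that is not part of the original thread: it accepts several domains as referrers, falls back to the login cookie when no referrer is sent, and redirects only refused requests to a help page. The host names mydomain1/mydomain2 and the bbuserid cookie are taken from earlier posts; the help-page URL is a hypothetical placeholder.

```apache
# Added example for the .htaccess in the PhotoPost data directory (not from the thread).
# .htaccess is per-directory context: the <Directory>, AllowOverride, Order and
# Allow lines of an httpd.conf version must be left out here, because Apache
# answers a <Directory> section inside .htaccess with a 500 error.
RewriteEngine on

# 1. Requests from our own pages: the Referer host must be exactly one of our
#    domains. The escaped dots and the trailing (/|$) keep a longer host name
#    that merely begins with "mydomain1.com" from matching.
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?(mydomain1|mydomain2)\.com(/|$) [NC]
RewriteRule ^ - [L]

# 2. Logged-in members: media players and header-stripping privacy software
#    send no Referer, so accept the forum login cookie instead.
#    This tests only that the cookie is present, not that the session is valid,
#    so it limits casual leeching; paid content needs the gallery script itself
#    to check the login before serving the file.
RewriteCond %{HTTP_COOKIE} (^|;\s*)bbuserid=[^;]+
RewriteRule ^ - [L]

# 3. Images only: tolerate a blank Referer (typed URLs, proxies), since the
#    bandwidth cost is small compared with movie files.
RewriteCond %{HTTP_REFERER} ^$
RewriteRule \.(gif|jpe?g|png|bmp)$ - [NC,L]

# 4. Anything that reaches this point was not allowed above: send it to a help
#    page that lives outside the data directory (hypothetical URL), so only
#    refused visitors ever see the message.
RewriteRule \.(gif|jpe?g|png|bmp|mpe?g|avi|mov|asf|wmv|zip|mp3)$ http://www.mydomain1.com/hotlink-help.html [NC,R=302,L]
```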

bhuwan
February 12th, 2006, 10:25 PM
Is this still a workable solution?

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://DOMAIN.com.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.DOMAIN.com.*$ [NC]
RewriteCond %{HTTP_COOKIE} !^.*bbuser=.*$
RewriteRule .*\.(zip|mp3)$ - [L]


Doesn't seem to work :(

Chuck S
February 12th, 2006, 10:54 PM
http://www.photopost.com/tipsphp.html

Not familiar with that specific rewrite rule you're trying.

bhuwan
February 13th, 2006, 08:08 AM
Is there any way to check for a vBulletin cookie? To see if the user is logged in?

Chuck S
February 13th, 2006, 09:33 AM
Like I said I am not familiar with those specific mod_rewrite rules but a user cookie in vb is like bbuserid or bbpassword etc

Kempo
May 11th, 2006, 01:35 PM
umm, just checking my status