Skip to main content
cPanel Technical Support has been heavily impacted by hurricane Beryl and our ability to respond to tickets has been hindered as a result. We appreciate your understanding and patience as we address these delays.

Blocking theft/hack

Comments

15 comments

  • cPanelMichael
    Hello :) That type of issue is best handled by blocking the IP address the connection is coming from, and sending an abuse report to the offending website's provider. You may need to try an alternate method of contacting the abuse department of the data center that hosts the website. Thank you.
    0
  • rhenderson
    [quote="cPanelMichael, post: 1473292">Hello :) That type of issue is best handled by blocking the IP address the connection is coming from, and sending an abuse report to the offending website's provider. You may need to try an alternate method of contacting the abuse department of the data center that hosts the website. Thank you.
    Michael, Thanks for the suggestions, I had already thought of those things, the issue is that the domains are using the IP in their A records, basically mirroring the site so there is no IP to block. The nameservers only list he.net, so we contacted them. There are no other records on the DNS for the offending domains. I could change the IP of the domain on my end to momentarily stop them, but once they figure that out they will just change their A records. Best I can do as things are is to stop hotlinking via the domain name which stops the images from showing on their side, but the content is still there.
    0
  • quizknows
    So if I understand this correctly, someone is pointing a domain name you do not own to the A record IP of a domain you do own. If that's the case: Do you have modsecurity? If so you might be able to block the bad domain name easily. The traffic should be hitting your host with the wrong SERVER_NAME header. Try this in modsec2.user.conf or another modsec includes file: SecRule SERVER_NAME "BAD_DOMAIN_NAME.COM" "deny,status:500,id:3498240455" Restart apache. This should 500 any traffic being directed to your IP's via the nefarious domain name. Add additional rules as needed for other domain names with random ID numbers.
    0
  • rhenderson
    [quote="quizknows, post: 1473812">So if I understand this correctly, someone is pointing a domain name you do not own to the A record IP of a domain you do own. If that's the case: Do you have modsecurity? If so you might be able to block the bad domain name easily. The traffic should be hitting your host with the wrong SERVER_NAME header. Try this in modsec2.user.conf or another modsec includes file: SecRule SERVER_NAME "BAD_DOMAIN_NAME.COM" "deny,status:500,id:3498240455" Restart apache. This should 500 any traffic being directed to your IP's via the nefarious domain name. Add additional rules as needed for other domain names with random ID numbers.
    Yes you are understanding this correctly...... I tried it in the modsec2.user.conf but got an error, I am seeing if I can figure out what the error is, if I can get this to work it is the perfect solution. Error parsing actions: ModSecurity: Invalid value for action ID: 3498240455
    0
  • rhenderson
    Changing the rule number took care of my error, but unfortunately it is not blocking the site. I tried it with and without the www SecRule SERVER_NAME "domain.com" "deny,log,auditlog,status:500,severity:'2',id:'11001100'"
    0
  • quizknows
    Ugh, they're just embedding everything. If you watch your access logs, do any IP's hit your server other than the IP you're visiting the bad site from? Anything good in the referring URLs?
    0
  • rhenderson
    Here is the log when I go to the fake site.... - removed - PS That IP is mine Going back further I did spot and IP 69.167.xxx.xxx that traces back to he.net via liquidweb, I am going to firewall it and see what happens. Update - It might block something they are doing but doesn't kill the fake site. Based on quizknows suggestion of using modsecurity I tried SecRule "HTTP_REFERER" "domain\.com" "deny,log,auditlog,status:500,severity:2,id:'1010101'" I guess it blocked portions of the offending site, it really screws up their layout, it does not completely block them but it sure makes it ugly.
    0
  • rhenderson
    I got messages back from the domain registrar, no help there because they do not host the site. HE.NET won't respond. at least the new modsecurity rule is making their rip off of our site look bad :-)
    0
  • theoxgr
    i would like to protect my server and domains too. can you explain what should i do for fresh install? thanks in advance
    0
  • rhenderson
    [quote="theoxgr, post: 1475831">i would like to protect my server and domains too. can you explain what should i do for fresh install? thanks in advance
    My issue is very specific, for a fresh install and to get a general start I highly recommend you read this thread
    0
  • rhenderson
    Wow, there is more to this than I realized... All of these domains have our domain set as their A records - removed spammer domains - I think they are trying to bypass the modsecurity rule that blocks them out for too many login attempts to WP login.
    0
  • quizknows
    Jokes on them then, unless your rule is domain specific they'll still get blocked. Most rules for blocking those brute forces are not specific to the domain name.
    0
  • rhenderson
    [quote="quizknows, post: 1476611">Jokes on them then, unless your rule is domain specific they'll still get blocked. Most rules for blocking those brute forces are not specific to the domain name.
    Right, I am using SecRule user:bf_block "@gt 0" "deny,status:401,log,id:5000135,msg:'ip address blocked for 5 minutes, more than 5 login attempts in 3 minutes.'" SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:5000136" SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:5000137" SecRule ip:bf_counter "@gt 5" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0" Along with CSF for multiple triggers to become permanent it stops brute force attacks.
    0
  • rhenderson
    [quote="quizknows, post: 1473812">So if I understand this correctly, someone is pointing a domain name you do not own to the A record IP of a domain you do own. If that's the case: Do you have modsecurity? If so you might be able to block the bad domain name easily. The traffic should be hitting your host with the wrong SERVER_NAME header. Try this in modsec2.user.conf or another modsec includes file: SecRule SERVER_NAME "BAD_DOMAIN_NAME.COM" "deny,status:500,id:3498240455" Restart apache. This should 500 any traffic being directed to your IP's via the nefarious domain name. Add additional rules as needed for other domain names with random ID numbers.
    Hi Quizknows, Thanks for the suggestion, I was still playing around with it, I found more domains pointed to more sites, 15 domains in total. I went back to your original rule (after reading a ton of modsecurity websites and came up with... SecRule "SERVER_NAME" "domain\.net" "phase:1,deny,log,auditlog,status:404,severity:2,id:'11001101'" Added a "" around SERVER_NAME and phase:1 to the actions and it works. Again thank you for the idea, I was not going to let these guys beat me!!
    0
  • quizknows
    Glad to help, and well done. ModSecurity is an awesome tool in many situations :)
    0

Please sign in to leave a comment.