Author |
Message |
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
|
Posted:
Thu Feb 16, 2006 11:16 pm |
|
|
|
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
|
Posted:
Thu Feb 16, 2006 11:23 pm |
|
I have just tried this and it does not work... still able to hotlink from his site:
RewriteCond %{HTTP_REFERER} ^$ [OR]
RewriteCond %{HTTP_REFERER} !^http://(.*)montegoscripts\.com/.*$ [NC]
RewriteRule .*\.([mpg|mpeg|zip|tar|exe|avi|mov|gif|jpg|png|jpeg])$ [NC]
I found something like this in a search. The link still works from his site.
Any suggestions? |
|
|
montego
|
Posted:
Thu Feb 16, 2006 11:24 pm |
|
|
|
montego
|
Posted:
Thu Feb 16, 2006 11:37 pm |
|
|
|
Raven
|
Posted:
Thu Feb 16, 2006 11:38 pm |
|
Now I see. It's the mirror link. I think I can stop that. I'll get back to you all ..... |
|
|
|
montego
|
Posted:
Thu Feb 16, 2006 11:39 pm |
|
Good, because it is way past this boy's bed time... Thx for the help... as always. |
|
|
|
hitwalker
Sells PC To Pay For Divorce
Joined:
Posts: 5661
|
Posted:
Fri Feb 17, 2006 6:26 am |
|
ha...ha.. you really think I would post it if I wasn't sure? I mailed about 10 websites... some of them are really pissed and have banned him by now.
I'm sure you guys know how to prevent it.
Use the image hotlink and add the extensions to it..
Or put a temporary refer rule specially for his website in your htaccess. |
|
|
|
montego
|
Posted:
Fri Feb 17, 2006 6:32 am |
|
hitwalker wrote: | I'm sure you guys know how to prevent it.
Use the image hotlink and add the extensions to it.. |
I tried that -- see a few posts above -- and it does not work... I can still click the link and it works! Any suggestions on how to change that bit of code? I just can't see how it wouldn't work. |
|
|
|
hitwalker
|
Posted:
Fri Feb 17, 2006 6:35 am |
|
What about this version:
# Prevent hotlinking
RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g|png)$ [NC,OR]
RewriteCond %{QUERY_STRING} \.(gif|jpe?g|png)$ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://([a-z0-9]+\.)?yourdomain\.here [NC]
RewriteCond %{HTTP_REFERER} !^http://([a-z0-9]+\.)?google\.com [NC]
RewriteRule (.*) - [F,L]
Thing is, montego, that this may vary on different sites.
So even on yours it can work differently, don't ask me why because I have no answer to that.
Other solutions I've read suggest putting the htaccess file in the downloads folder instead (extra htaccess file)..
Put this in your downloads folder... in the htaccess file..
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://domain.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.domain.com/.*$ [NC]
RewriteRule .*\.zip$ - [F,L]
And another option is this..
Create an ASCII text file named .htaccess and save it in that directory. Note that the name starts with a fullstop (or period) and is entirely in small letters (ie, lowercase). Cut and paste the following lines into that file:
SetEnvIfNoCase Referer "^http://www.your-domain-name-here.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://www.your-domain-name-here.com$" locally_linked=1
SetEnvIfNoCase Referer "^http://your-domain-name-here.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://your-domain-name-here.com$" locally_linked=1
SetEnvIfNoCase Referer "^$" locally_linked=1
<FilesMatch "\.(gif|png|jpe?g)$">
Order Allow,Deny
Allow from env=locally_linked
</FilesMatch>
Note : do not correct spelling in the code snippet given above. "Referer" (with only one "r" in the middle of the word) is the word that needs to go into the .htaccess file - do not change it to "Referrer".
By thesitewizard.com |
Last edited by hitwalker on Fri Feb 17, 2006 9:28 am; edited 2 times in total |
|
|
hitwalker
|
Posted:
Fri Feb 17, 2006 7:31 am |
|
OK, I finished... I checked the whole downloads.... he is hotlinking files of 44 websites...
That he got away with it is only because most people don't expect this anymore... |
|
|
|
gotcha
Regular
Joined: Mar 14, 2005
Posts: 91
|
Posted:
Fri Feb 17, 2006 2:06 pm |
|
Well, I think doing something like this will stop it, but would require some editing of the downloads module.
Add a .htaccess file with "Deny From All" to the downloads folder(s).
Replace the header("Location: ....") code in the getit function with something like this:
Code:
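// $file_path and $file_name are set earlier in getit()
header ("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header ("Content-Type: application/octet-stream");
header ("Content-Length: " . filesize($file_path));
// quote the name so file names containing spaces are not cut short by the browser
header ("Content-Disposition: attachment; filename=\"$file_name\"");
// send the file body from PHP, so the real location is never shown to the client
readfile($file_path);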
|
Now the path won't be revealed and even if they know the path, apache will stop them from getting to any files.
Hope it helps.
Good Luck,
gotcha |
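A fuller version of the download gate described in the post above, as an added example that is not part of the original post or of the PHP-Nuke downloads module; `DOWNLOAD_DIR`, `resolve_download()` and `send_download()` are hypothetical names. Once the folder is closed with "Deny From All", this script is the only way to reach the files, so it checks that the resolved path stays inside the downloads directory and restricts the name placed in the `Content-Disposition` header.

```php
<?php
// Added example; DOWNLOAD_DIR, resolve_download() and send_download() are hypothetical names.
// Assumes the downloads directory is closed to direct requests ("Deny From All").
const DOWNLOAD_DIR = '/home/site/downloads';   // assumed path

// Map a stored file name to a real path inside $base; null if it is missing or escapes $base.
function resolve_download(string $stored_name, string $base = DOWNLOAD_DIR): ?string
{
    $base = realpath($base);
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $stored_name);
    if ($path === false || !is_file($path)) {
        return null;
    }
    // realpath() has collapsed any "../", so a prefix check is enough here.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// $stored_name is assumed to come from the module's database row for the
// requested download, not straight from the query string.
function send_download(string $stored_name): void
{
    $path = resolve_download($stored_name);
    if ($path === null) {
        http_response_code(404);
        exit('File not found');
    }
    // Restrict the header value to safe characters (no quotes, CR or LF).
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));

    while (ob_get_level() > 0) {
        ob_end_clean();            // drop buffered page output before sending the file
    }
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . $name . '"');
    readfile($path);               // buffering is off, so the file is streamed, not held in memory
    exit;
}
```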
|
|
|
Taz
Worker
Joined: Dec 22, 2005
Posts: 158
|
Posted:
Fri Feb 17, 2006 2:09 pm |
|
Man, I have a lot to learn, I thought anything under the root was inaccessible unless logged in through php-nuke. . .
![Shocked](modules/Forums/images/smiles/icon_eek.gif) |
|
|
|
Raven
|
Posted:
Fri Feb 17, 2006 3:01 pm |
|
(Excluding Gotcha's) - None of these schemes will work because he isn't hot linking through nuke. At least in the case of my files, he has both a copy of them in his own downloads. Then, on the Details page he has a Mirror link. That is a direct link to the download.
Gotcha, it's interesting you would post that. In my wanderings last night to try to find a cure for this plague, I found a similar approach and was going to try it. So, I will report back, or if anyone else already has, please let us know. |
|
|
|
jaded
Theme Guru
Joined: Nov 01, 2003
Posts: 1006
|
Posted:
Fri Feb 17, 2006 3:26 pm |
|
Please do, Raven. I find it outrageous that he would do this. As I posted in the other thread, that was moved, if he cannot afford to run a legitimate site, then he shouldn't run one. I think if everyone puts in place a way to stop this he will be forced to face the fact that without climbing the back of others he has nothing to offer. I find it simply unbelievable that he would do this to virtually the entire community. I see nothing wrong with the redistribution of materials like he has but stealing the bandwidth of others to do it is simply wrong and he KNEW that before he did it. I hope that you come up with a solution we can all use, Raven. |
_________________ Themes BB Skins
http://www.jaded-designs.com
Graphic Tees
http://www.cafepress.com/jadeddesigns
Paranormal Tees
http://www.cafepress.com/HauntedTees
Ghost Stories & More
http://www.hauntingtales.net |
|
|
Raven
|
Posted:
Fri Feb 17, 2006 3:29 pm |
|
Oh, it works very nicely! I am tweaking it just a bit and will post my final 'version'. Gotcha, if you'd like a month of free advertising for this contribution, contact me by PM. |
|
|
|
kguske
Site Admin
Joined: Jun 04, 2004
Posts: 6437
|
Posted:
Fri Feb 17, 2006 4:15 pm |
|
With white knuckles and gritted teeth we wait... |
_________________ I search, therefore I exist...
|
|
hitwalker
|
Posted:
Fri Feb 17, 2006 5:17 pm |
|
Quote: | white knuckles and gritted teeth ? |
c'mon guys..this is a serious matter... ![killing me](modules/Forums/images/smiles/killingme.gif) |
|
|
|
Raven
|
Posted:
Fri Feb 17, 2006 5:20 pm |
|
My issue is that I have the downloads module on one server and the downloads on another. If you store all your on the same server, just use Gotcha's code. |
|
|
|
kguske
|
Posted:
Fri Feb 17, 2006 5:50 pm |
|
Seriously, thanks to hitwalker, Gotcha, and Raven for following up on this. I was half-joking before...but really do appreciate it. |
|
|
|
gotcha
|
Posted:
Fri Feb 17, 2006 7:11 pm |
|
Raven wrote: | My issue is that I have the downloads module on one server and the downloads on another. If you store all your on the same server, just use Gotcha's code. |
if your files are on another server, could possibly try this...
It would require allow_fopen_url to be enabled on the website server
on the file storage server, add a .htaccess like this to the directory
Code:
Order allow,deny
Allow from xxx.xxx.xxx.xxx
|
fill in the ip above with the website server's ip addy.
then in the downloads, instead of using readfile in the code i posted above, add this function to the module and use it in place of the readfile function.
Code:
// credits go to the original author(s) found here
// http://us3.php.net/manual/en/function.readfile.php#54295
function readfile_chunked($filename, $retbytes = true) {
    $chunksize = 1 * (1024 * 1024); // how many bytes per chunk
    $buffer = '';
    $cnt = 0;
    $handle = fopen($filename, 'rb');
    if ($handle === false) {
        return false;
    }
    while (!feof($handle)) {
        $buffer = fread($handle, $chunksize);
        echo $buffer;
        // only flush PHP's output buffer when one is active; ob_flush() raises a notice otherwise
        if (ob_get_level() > 0) {
            ob_flush();
        }
        flush();
        if ($retbytes) {
            $cnt += strlen($buffer);
        }
    }
    $status = fclose($handle);
    if ($retbytes && $status) {
        return $cnt; // return num. bytes delivered like readfile() does.
    }
    return $status;
}
|
so you end up with something like
Code:
// these variables will be set by the getit() function
// in one way or another
$file_path = "http://filestorage.com/folder/file.zip";
$file_name = "file.zip";
header ("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header ("Content-Type: application/octet-stream");
// no Content-Length header here: filesize() does not work on http:// URLs
header ("Content-Disposition: attachment; filename=\"$file_name\"");
readfile_chunked($file_path);
|
this code is untested as it is, but i have used something very close with good results. |
|
|
|
Raven
|
Posted:
Fri Feb 17, 2006 10:43 pm |
|
gotcha, the d/l code works fine, but the .htaccess is still denying everyone. |
|
|
|
Raven
|
Posted:
Sat Feb 18, 2006 12:47 am |
|
Actually, it does Forbid the hot linking, but it's giving a file-not-found error now. I don't think we really have to touch the download code. The reason I say this is that I restored the download file code and have just been playing with .htaccess. If I use the Order allow,deny approach, it does forbid/ban correctly from an outside link. On my internal links it's now giving a file not found, so it does mean .htaccess is allowing the request through as it should. I need to find out how/why the file-not-found error is happening. And it's not a 404, it's the file-not-found error code from getit(). We're close, I think. |
|
|
|
hitwalker
|
Posted:
Sat Feb 18, 2006 5:37 am |
|
Does anyone know where my other topic went?
Seems to me that I'm the one who actually brought this out in the open but was left out in the dark....
I mailed sting about where the topic went but didn't get a reply...
I even thought of doing codezwiz a favor by posting this on his forum, as he now only sells stuff... not even a thank you...., only a few not important people replied...
That raises the question..... why am I doing this?
People completely forgot how to say thank you.... |
|
|
|
Raven
|
Posted:
Sat Feb 18, 2006 8:21 am |
|
kguske wrote: | Seriously, thanks to hitwalker, Gotcha, and Raven for following up on this. I was half-joking before...but really do appreciate it. |
Hmmm - sure looks and sounds like a thank you to me?
The thread is now 3 pages long and is not done yet. Actions speak louder than words. If we weren't thankful for you bringing this to our attention we wouldn't be spending so much time on it.
The other thread was moved to a private area by one of my Admins because of a concern over some excellent code that had been posted by DJ, but if in the wrong hands would be dangerous. In addition, I have been down sick for 2 days and he asked me to review it and see if I wanted to move it back or not.
hitwalker wrote: | only a few not important people replied... |
I would imagine that you put more nails in your coffin by calling those who replied "not important". I bet they feel really glad now that they even bothered to reply.
<sigh> |
|
|
|
jaded
|
Posted:
Sat Feb 18, 2006 8:27 am |
|
As far as he told me, Sting moved the other topic to the admin only area of the board. I don't know who can really see it there besides Raven.
I hope that this issue gets resolved soon for everyone. I appreciate the fact that hitwalker pointed this out and made it public. More people should do the same.
Quote: | only a few not important people replied... |
was this a mistype?
edited to correct my misquoting ![Embarassed](modules/Forums/images/smiles/icon_redface.gif) |
Last edited by jaded on Sat Feb 18, 2006 10:20 am; edited 1 time in total |
|
|
|