Greenguy's Board


2005-08-16, 11:22 PM   #1
ponyman
Nobody gets into heaven without a glowstick
Join Date: Jun 2004
Location: The Great Northwest
Posts: 422
How to stop Fusker

I have read a lot of the old threads about fusker, but I still could not get a straight answer to my question.

I'm seeing A LOT of fusker hotlinking in my stats. I'd like to put something in my .htaccess that will give them an image of my choice instead of the actual images they are trying to hotlink. Is this possible?

If not, what is a good .htaccess code to just not allow fusker to hotlink my pics?
__________________
Dirty Old Men Sponsors - gay & straight

2005-08-17, 01:15 AM   #2
cd34
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
Hit FAQ up above.

or

The current thought on preventing sites like Fusker/UsefulIdiots/etc from hotlinking your graphics is the following set of rules in your .htaccess file.

If you want to disallow the empty referrer, you can remove the first line of the rule with the !^$ in it.

RewriteEngine on
# leave this line in to allow empty referrers, remove it to disallow empty referrers
RewriteCond %{HTTP_REFERER} !^$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.*@)?([a-z0-9-]+\.)*yourdomain\.com(:[0-9]+)?(/.*)?$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.*@)?1\.2\.3\.4(:[0-9]+)?(/.*)?$
RewriteRule .*\.(asf|mpg|mpeg|wmv|avi|rm|gif|jpeg|jpg|zip)$ - [NC,F,L]
__________________
SnapReplay.com a different way to share photos - iPhone & Android
cd34 is offline   Reply With Quote
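
A way to check what the rules in post #2 let through before deploying them, as an added example that is not part of cd34's post. hotlink_blocked() is a hypothetical helper that mirrors the three RewriteCond patterns and the RewriteRule; the Referer values are constructed.

```php
<?php
// Added example, not cd34's code: hotlink_blocked() is a hypothetical helper
// that mirrors the three RewriteCond patterns and the RewriteRule above.
function hotlink_blocked(string $referer, string $path): bool
{
    // RewriteRule: only these file extensions are protected ([NC] = case-insensitive).
    if (!preg_match('~.*\.(asf|mpg|mpeg|wmv|avi|rm|gif|jpeg|jpg|zip)$~i', $path)) {
        return false;
    }
    // Each RewriteCond is negated ("!") and the conditions are ANDed, so the
    // request is forbidden only when the Referer matches none of the patterns.
    $allowed = [
        '~^$~',  // empty referrer (drop this entry to disallow it)
        '~^http://(.*@)?([a-z0-9-]+\.)*yourdomain\.com(:[0-9]+)?(/.*)?$~i',
        '~^http://(.*@)?1\.2\.3\.4(:[0-9]+)?(/.*)?$~',
    ];
    foreach ($allowed as $pattern) {
        if (preg_match($pattern, $referer)) {
            return false;
        }
    }
    return true; // corresponds to the [F] flag: 403 Forbidden
}

// Constructed Referer values for a request to /pics/001.jpg.
$samples = [
    '',
    'http://www.yourdomain.com/gallery/index.html',
    'http://yourdomain.com:8080/',
    'https://www.yourdomain.com/gallery/index.html',
    'http://gallery-viewer.example/list?site=yourdomain.com',
    'http://yourdomain.com.other.example/',
];
foreach ($samples as $referer) {
    $verdict = hotlink_blocked($referer, '/pics/001.jpg') ? '403' : 'served';
    printf("%-60s %s\n", $referer === '' ? '(empty)' : $referer, $verdict);
}
```

As posted, both host patterns begin with http://, so a referrer from the site's own https:// pages counts as foreign and gets the 403.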

2005-08-17, 02:05 AM   #3
Halfdeck
You can now put whatever you want in this space :)
Join Date: Oct 2004
Location: New Haven, CT
Posts: 985
Another thing you might try is to avoid using sequential numbers when naming your pics or directories.
__________________
Success is going from failure to failure without a loss of enthusiasm.

2005-08-17, 02:07 AM   #4
Chop Smith
Eighteen 'til I Die
Join Date: Apr 2003
Location: Mississippi
Posts: 2,168
When did that cool feature get added to FAQ? Could turn into a great feature for GG&J folks.

2005-08-17, 08:19 AM   #5
juggernaut
Registered User
Join Date: Apr 2005
Location: Central Jersey! If I was rich and powerful I would dress as my avatar does.
Posts: 1,448
Thanks, helped me too. Took me a little while to figure it out but finally got it working. Thanks.

2005-08-17, 11:38 AM   #6
eskimoen
Rock stars ... is there anything they don't know?
Join Date: Aug 2004
Posts: 10
You can also use http://www.htaccesstools.com/hotlink-protection/ to create a .htaccess that disables hotlinking.

2005-08-17, 02:55 PM   #7
wankmaster
Just because I don't care doesn't mean I don't understand!
Join Date: May 2005
Posts: 96
I just emailed them and asked them to stop. They emailed back and said "OK".
Then they stopped.

Don't know if this simple method still works tho.

2005-08-17, 05:35 PM   #8
ponyman
Nobody gets into heaven without a glowstick
Join Date: Jun 2004
Location: The Great Northwest
Posts: 422
I found a page on their site that allows you to send them mail, supposedly to remove your sites from fusker. I don't know if it will work, or maybe just cause more fuskering?

Thanks CD34, that's just what I needed!
__________________
Dirty Old Men Sponsors - gay & straight

2005-08-17, 08:48 PM   #9
pornoTGB
Shut up brain, or I'll stab you with a Q-tip!
Join Date: Jun 2005
Location: Austria
Posts: 118
I think the best way of protecting your files is by creating them dynamically. Yes.. this does drive up the server-load but files are safe! No direct downloads, hotlinks..
Just put, let's say, your images into an htaccess-protected folder.
Make a new php-file in your root that you protect by handing over correct variables with the header of the desired file type.

for instance for a jpg you would want:
PHP Code:
// $timestamp was not defined in the post; the file's modification time is assumed here
$timestamp = filemtime("YOURIMAGE");
header('Last-Modified: ' . gmdate('D, d M Y H:i:s', $timestamp) . ' GMT');
header("Content-type: image/jpeg");
// decode the protected image and re-encode it at quality 100 straight to the output
$im = imagecreatefromjpeg("YOURIMAGE");
imagejpeg($im, null, 100);
imagedestroy($im);
in that file.. watch out that there is no text in the output! .. for a gif just exchange the content-type header to image/gif
Doing this with animated gifs is a bit more work..
A lot of help are the posts on php.net when searching for a function.

2005-08-17, 09:39 PM   #10
cd34
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
How exactly does that script stop hotlinking?
__________________
SnapReplay.com a different way to share photos - iPhone & Android

2005-08-17, 10:42 PM   #11
pornoTGB
Shut up brain, or I'll stab you with a Q-tip!
Join Date: Jun 2005
Location: Austria
Posts: 118
by handing over variables... let's say the IP and/or timestamp..
now make the file you have the header in check if the info is correct.. tada..

check out http://joskeonline.com/~keepmyfi/
the real site (http://www.keepmyfile.com) only accepts small files for now since it just moved to a new server.. still have to set upload size in php.ini .. that's on my to-do-list for tomorrow
try hotlinking an uploaded image of yours (the real ones.. thumbs are intended for hotlinking)

2005-08-18, 12:49 AM   #12
wankmaster
Just because I don't care doesn't mean I don't understand!
Join Date: May 2005
Posts: 96
I'm not sure that .htaccess can stop hotlinking.

Can someone post an url of a page that has the thumbs or images .htaccess protected and I'll see if I can get around it?

2005-08-18, 03:54 AM   #13
Jel
I'm the only guy in the world who has to wake up to have a nightmare
Join Date: Feb 2004
Location: London, United Kingdom
Posts: 1,895
I use htaccess, feel free to see if mine works. Here's a page:

http://www.cfnmparty.co.uk/teen_orgy..._on_stage.html

2005-08-18, 04:13 AM   #14
wankmaster
Just because I don't care doesn't mean I don't understand!
Join Date: May 2005
Posts: 96
Thanks, I'll give it a shot.

2005-08-18, 04:25 AM   #15
wankmaster
Just because I don't care doesn't mean I don't understand!
Join Date: May 2005
Posts: 96
OK, there you go

http://www.sneakyskunk.com/hotlinker.htm

2005-08-18, 04:38 AM   #16
Jel
I'm the only guy in the world who has to wake up to have a nightmare
Join Date: Feb 2004
Location: London, United Kingdom
Posts: 1,895
Well that's sneaky

OK, that's not normally how an image or list of them would be hotlinked, gimme 2 minutes.........

2005-08-18, 04:49 AM   #17
Jel
I'm the only guy in the world who has to wake up to have a nightmare
Join Date: Feb 2004
Location: London, United Kingdom
Posts: 1,895
Nope, I'm flummoxed. So how do I prevent that then wankmaster?

2005-08-18, 05:04 AM   #18
wankmaster
Just because I don't care doesn't mean I don't understand!
Join Date: May 2005
Posts: 96
Something like this thread appears on most of the webmaster boards about once a week.

Lots of .htaccess solutions get posted, and everyone seems happy that they fixed the problem, which says to me it's not much of a problem.

.htaccess will deter the average surfer who posts your image links on surfer boards, and for that reason .htaccess is usually good enough, but the way the http protocol works it can be gotten around, and I don't think there is a .htaccess solution to the problem.

Someone may prove me wrong on this, in which case, good!

In any case the bigger problem is in protecting video files, as Windows Media Player sends a blank referrer (I don't know if they changed this in the last few months, but at least when I looked at it that seemed the case).

As I say I don't think it is a big problem, people just get hot under the collar because they got Fuskered. When it happened to me I just asked them to stop it and they did, which seems the easiest solution to me.

There are ways to stop hotlinking without .htaccess. There are packages on the market (I don't know if they really work), or your host will do it (but they may charge a monthly fee).

There are some scripting methods that will prevent hotlinking if it REALLY is an issue, but best not post these on a board.

.htaccess is "good enough".

2005-08-18, 06:11 AM   #19
pornoTGB
Shut up brain, or I'll stab you with a Q-tip!
Join Date: Jun 2005
Location: Austria
Posts: 118
I might not have explained this right!
Put all your files that you want to protect in a password-protected folder.. so really no-one can access it. Now they are safe.. right?

Now make a script that you can hand over variables like the following:
filename or some kind of id for the file
dynamic variables like a timestamp and/or IP (so that the "link" to the file changes for each user)

here is a link to a page showing a picture: http://www.keepmyfile.com/imagelink.php?dl=2
try hotlinking it or downloading it (by direct-request) without any efforts to add php code.. please keep in mind that I give access for 1 day.. so just ask someone else to check the source you get

for instance the link-source will look like this for me:
http://www.keepmyfile.com/pic.gif.ph...4336banner.gif
I have only taken out my IP

The security check for this site is not completed yet.. since just checking date and IP is inadequate... but you could perhaps md5-encode some kind of passphrase you make up with influence of dynamic factors and hand that value over..

try hotlinking to a file you uploaded on keepmyfile.com!

2005-08-18, 07:06 AM   #20
wankmaster
Just because I don't care doesn't mean I don't understand!
Join Date: May 2005
Posts: 96
Quote:
Originally Posted by pornoTGB
I might not have explained this right!
Seemed a clear enough explanation to me.

Maybe I didn't explain myself clearly enough?

You have a scripting solution, and that will work.

A pure .htaccess solution will not.

2005-08-18, 07:27 AM   #21
wankmaster
Just because I don't care doesn't mean I don't understand!
Join Date: May 2005
Posts: 96
P.S.

I don't think md5 encryption is your best bet because won't you have to unencrypt the string at the other end? md5 is a one-way hash.

Better use RSA.

2005-08-18, 08:14 AM   #22
pornoTGB
Shut up brain, or I'll stab you with a Q-tip!
Join Date: Jun 2005
Location: Austria
Posts: 118
@wankmaster.. yes.. pure .htaccess will not work..

that's the beautiful thing about md5.. it's one way ;-)
so just do the same thing at the other end..
encrypt let's say timestamp combined with IP (or even data you save to your database) to md5
on the other end also get the time and IP and hash that.. if it's the same data then hash will be the same --> approved to download

I just posted this since there is no way to protect your files other than by script or some other server-sided technique and wanted to give people an idea of how to realise a script-protection for your files

The only reason why I need my files protected so hard is that I have a file-hosting service and I want to show an ad above the file to download / picture to view..

2005-08-18, 08:19 AM   #23
wankmaster
Just because I don't care doesn't mean I don't understand!
Join Date: May 2005
Posts: 96
OK, but won't the timestamp differ between when you get it the first time, and the second time?

Another problem could be dynamic ip addresses, but I don't know if that will affect what you're trying to do or not.

2005-08-18, 08:49 AM   #24
pornoTGB
Shut up brain, or I'll stab you with a Q-tip!
Join Date: Jun 2005
Location: Austria
Posts: 118
yes.. when hashing the timestamp it will be a problem.. (encrypting with RSA would be a good idea for that)
what I do is that I have set a time-offset (right now a day) that gets accepted.. just check if the timestamp is in between a certain time-span


when leaving the seconds away from the timestamp it should not be a problem since one page loads the dynamic pic right away when being loaded --> so no delay (or very little)

dynamic IPs are not a problem.. since the IP will always be the same when online.. it does not jump around during one online session..

dynamic proxies could be a problem --> IP does change
but I have not read up on that yet

2005-08-18, 08:55 AM   #25
wankmaster
Just because I don't care doesn't mean I don't understand!
Join Date: May 2005
Posts: 96
OK, but I still don't know how you can check if the timestamp is within a time-offset if you can't unencrypt the original timestamp to check it?

Anyway you seem to have a good idea of what you want to achieve.

Good luck with your project.
wankmaster is offline   Reply With Quote
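
The scheme worked out across posts #19 to #25, as an added example that is not part of the original thread and not pornoTGB's code: the expiry time travels in the link in clear text and a keyed hash covers file id, client IP and expiry, so the server can check the time window without decrypting anything. HMAC-SHA256 with a server-side secret is used here in place of bare md5; SECRET, sign_link(), verify_link() and pic.php are hypothetical names, and the demo values are constructed.

```php
<?php
// Added example. SECRET, sign_link(), verify_link() and pic.php are hypothetical.
const SECRET = 'replace-with-a-long-random-server-side-value'; // placeholder

function sign_link(string $fileId, string $ip, int $ttl, int $now): string
{
    $expires = $now + $ttl;
    // The keyed hash covers every field a client could otherwise change.
    $mac = hash_hmac('sha256', "$fileId|$ip|$expires", SECRET);
    return '/pic.php?' . http_build_query(['id' => $fileId, 'exp' => $expires, 'mac' => $mac]);
}

function verify_link(array $query, string $ip, int $now): bool
{
    foreach (['id', 'exp', 'mac'] as $key) {
        if (!isset($query[$key]) || !is_string($query[$key])) {
            return false;
        }
    }
    // Digits only, so the "|" separator cannot appear inside a field.
    if (!ctype_digit($query['id']) || !ctype_digit($query['exp'])) {
        return false;
    }
    if ((int) $query['exp'] < $now) {
        return false; // link has expired
    }
    // Recompute from the request's own IP and the expiry sent in clear.
    $expected = hash_hmac('sha256', "{$query['id']}|$ip|{$query['exp']}", SECRET);
    return hash_equals($expected, $query['mac']); // constant-time comparison
}

// Constructed demo values (documentation IP ranges, fixed clock).
$now = 1124352000;
parse_str(parse_url(sign_link('42', '192.0.2.10', 600, $now), PHP_URL_QUERY), $q);
$late = ['exp' => (string) ($now + 86400)] + $q; // expiry edited, MAC unchanged
$cases = [
    'same client, inside lifetime' => verify_link($q, '192.0.2.10', $now + 60),
    'other client IP'              => verify_link($q, '198.51.100.7', $now + 60),
    'same client, after expiry'    => verify_link($q, '192.0.2.10', $now + 601),
    'expiry edited by client'      => verify_link($late, '192.0.2.10', $now + 601),
];
foreach ($cases as $label => $ok) {
    echo str_pad($label, 32), $ok ? 'serve file' : 'reject', "\n";
}
```

Only after verify_link() succeeds would the serving script send the image headers and read the file from the protected folder.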