Illegal access to web directory via another domain


#1

Has anyone experienced other users accessing your website using another domain (that does not belong to you)?

I’ve experienced this a few times. Previously from domains that are not hosted by DreamHost, and recently from a domain that is also hosted by DreamHost (but belonging to another customer).

And I don’t think there are any redirects going on. From the referrer info, it is quite obvious that the link is supposed to point to some content. All I have is an index.html page with a “logo” on it.

I can even upload a file to my www directory and access the file using the other domain!

Appreciate if anyone out there can share their experience…


#2

This doesn’t really make any sense. Describe exactly what’s going on in detail, with URLs, if possible.


If you want useful replies, ask smart questions.


#3

My URL is http://www.mylittleweb.net/

The URL that is linking to my web directory is

http://robocode.diverman.com/

but this URL does not belong to me. (currently it is giving a “bad_httpd_conf error”)

and I know about this because I have a script that emails me when there is a 404 error. These are captured in the access logs too…

Sample logs below

[code]
221.0.170.111 - - [02/Oct/2005:18:19:40 -0700] "GET / HTTP/1.1" 200 556 "http://www.ecs.soton.ac.uk/~awo101/robocode.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; zh-cn) Opera 8.50"
221.0.170.111 - - [02/Oct/2005:18:19:42 -0700] "GET /style.css HTTP/1.1" 200 128416 "http://robocode.diverman.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; zh-cn) Opera 8.50"
221.0.170.111 - - [02/Oct/2005:18:19:42 -0700] "GET /logo-trans.png HTTP/1.1" 200 7441 "http://robocode.diverman.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; zh-cn) Opera 8.50"
221.0.170.111 - - [02/Oct/2005:18:19:44 -0700] "GET /favicon.ico HTTP/1.1" 200 128411 "http://robocode.diverman.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; zh-cn) Opera 8.50"
[/code]


#4

This isn’t anything illegal or bad. Just someone visiting your site. The person who is visiting you is running a Microsoft Windows XP server OS, and is loading up your page. robocode.diverman is probably just the domain that her server is controlling.

The log that you posted just shows that he successfully loaded your main page, your logo, your CSS style, and your favicon.

Don’t worry about it. They’re called website visitors.

-Matttail


#5

Actually, that’s pretty far off the mark. I’m not sure where you got the notion that the visitor was using a Windows server for web browsing, but nothing here actually indicates that (nor would that type of information appear in web access logs in the first place).

The URL in these logs, http://robocode.diverman.com/, is the referrer. If a link to your site appears on another site, this other URL will appear as referrer when someone follows the link to your site. This is easy to fake, but it’s probably not very common.

One thing you were correct about is that this is nothing to worry about. I’d go one further and suggest that having 404 errors mailed to you is bound to be far more annoying than useful.


If you want useful replies, ask smart questions.


#6

That’s the little part that says it’s Win NT 5.1, that’s Windows XP server. :) It also shows they were using Opera 8.5, an MSIE-based browser

-Matttail


#7

Actually Windows XP is based on Windows NT 5.1

There is no “Windows XP Server”

There was “Windows 2000 Server” and currently “Windows 2003 Server” (based on Windows NT 5.2)

See Windows NT - From Wikipedia, the free encyclopedia.

In addition, OP is correct to say that the Apache configuration appears to be wrong:

[code]
Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Atropos>nslookup www.mylittleweb.net
Server: ns1.mindspring.com
Address: 207.69.188.185

Non-authoritative answer:
Name: www.mylittleweb.net
Address: 205.196.208.137

C:\Atropos>nslookup robocode.diverman.com
Server: ns1.mindspring.com
Address: 207.69.188.185

Non-authoritative answer:
Name: www.beardeddragon.org
Address: 205.196.208.137
Aliases: robocode.diverman.com
[/code]

robocode.diverman.com resolves to the same IP as www.mylittleweb.net

That IP resolves to basic-noxim.ellipsis.dreamhost.com

Also you’ll notice in the source to http://robocode.diverman.com/, there are no absolute URLs used - so how can it be a referrer in the Apache log unless Apache is writing to the wrong log file? I seriously doubt anyone would trouble themselves with faking referrers for mylittleweb.net

:cool: Perl / MySQL / HTML CSS


#8

[quote]That’s the little part that says it’s Win NT 5.1, that’s Windows XP server.[/quote]

You’ve already been corrected on this one. Windows 5.1 is your everyday, run-of-the-mill Windows XP.

[quote]It also shows they were using Opera 8.5, an MSIE-based browser[/quote]

Opera is not, nor has it ever been, based on IE. It’s an entirely unrelated browser with its own rendering engine.

So you’re 0-2. Where do you get this stuff?


If you want useful replies, ask smart questions.


#9

I wouldn’t worry if http://robocode.diverman.com/ belongs to me and I am pointing it to the same directory as http://www.mylittleweb.net/

However, it does not belong to me and it is highly unlikely that the domain owner is doing a redirect because
a) It seems like some content is expected based on the referrer links
b) The redirect works for newly uploaded files too when I tested. (I may be wrong but I think this can only be achieved using mod_rewrite, and this should not show on my logs if using mod_rewrite to access my directory?)

So, you guys still think there is no cause for concern here?


#10

Excuse me for the horrors of misinformation that I gave. In fact, please excuse me for speaking at all. Looks like I had a little brain blip between NT5.1 and NT5.2, and NT4.0, NT5, XP, ME, 98, 98SE2, 95, 3.x - whatever. You’re also quite right, it’s not MSIE based, that was a pure typo in the deep dark of the night of my horrible transgressions.

Where does the information come from? It comes from my head, which apparently got a little befuddled. I figure I’ve been online for about 11 years now, and over that time I’ve learned one or maybe two things.

Again, excuse me for speaking.

-Matttail


#11

[quote]So, you guys still think there is no cause for concern here?

[/quote]

I think there’s cause for concern. We already know that a user on one server can read the web files of another user on the same server, so I guess it is only a small step to being able to serve them. But somehow I think the explanation is likely to be a DH config mess-up that has cross-linked two users, rather like I got incoming mail bounced recently due to another user’s quota being applied to my account.