Server Log Entry Question

design

#1

I have a website where I offer templates for sale and as often happens, people try to steal them. I watch my server access logs daily to look at the activities of IP’s but I had a lot of entries today that make me suspicious and was hoping someone can help explain it.

Here is the entry:

http://localhost:52579/KenticoCMS7/home.aspx

What does this localhost entry indicate? It appears to me that this entry has downloaded my template and is viewing from his own computer using Kentico CMS 7. Can someone educate me as to what this entry means? By the way, the person who’s IP I have logged from his initial visit to my website has racked up about 1.5 hours worth of entries thus far from this localhost entry.

Thanks…


#2

I’d be inclined to immediately block them via a .htaccess rule: Deny from x.x.x.x


#3

I did block the IP to be on the safe side and redirected them to my banned page where a message is posted for them. I just wanted to learn more about this server log entry to see what it really means just so I don’t make a mistake banning someone.

By the way, the server log entry for this entry was under the User Agent heading.


#4

Yup, “localhost” means their (local) machine.

To stop others from doing the same in the future, you may wish to try:

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} localhost
RewriteRule !^banned\.html$ - [F]

#5

While that is good idea, if I did that, then I wouldn’t know who was trying to steal my templates. Seeing this data in my log files alerts me to the IP and then I can start to track him.

Having said that, what code could I use to stop proxy servers? I got this code from perishablepress.com but I don’t know if it works. I have another person who has been visiting my website using those proxy services that mask their IP and banning those IPs is the normal action. However, if I could block the way these proxy services operate would be better than just banning individual IPs.

RewriteEngine on
RewriteCond %{HTTP:VIA}                 !^$ [OR]
RewriteCond %{HTTP:FORWARDED}           !^$ [OR]
RewriteCond %{HTTP:USERAGENT_VIA}       !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_FOR}     !^$ [OR]
RewriteCond %{HTTP:PROXY_CONNECTION}    !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION}   !^$ [OR]
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
RewriteCond %{HTTP:HTTP_CLIENT_IP}      !^$
RewriteRule ^(.*)$ - [F]

#6

You don’t want to stop proxies. A HUGE number of users connect via some type of proxy (including me.)


#7

As Mr. Mackey of South Park would say, “That’s bad!”.

Any idea then on how to deal with websites like Anonymouse.org and similar websites?


#8

Consider making images of your templates for the general public, then branding (water marking) them. Keep them all in a directory than stops hot-linking. Then for paying customers, give them access to another password protected directory where they can download the purchased product.

Just an idea. I don’t know the details.
[hr]
As far as blocking proxy services, that’s a different matter. To be efficient, I’d recommend doing it on a case by case basis. For example, Anonymouse.org uses 193.200.150.0 - 193.200.150.255 so you could block them like this:

Order deny,allow
SetEnvIf Request_URI ^/(banned\.html|robots\.txt)$ allowall
deny from 193.200.150.0/24
allow from env=allowall

Or if they carry an identifying term in their User Agent string, you could block like this:

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} anony
RewriteRule !^banned\.html$ - [F]

You could add other bad agents/addresses as they reveal themselves. But blocking all proxies is a bad idea IMO.


#9

What I do is offer full working preview of my templates and do so because it increases my ability to sell my services and templates. I sell the templates combined with my services to a specific industry and allowing full preview gives potential customers the opportunity to “test drive” it before they buy it. If I just used screenshot images, my sales would drop quite a bit.

To protect the templates from the less knowledgeable, I encrypt them using some commercial software and this prevents most people from trying to steal them once they see the encrypted source code. The more code knowledgeable people have a better changes of decrypting it, but I also add some hidden code that links back to my website. This hidden code works well when the thief uploads the website to their server and makes it easy to start a DMCA Takedown Request or flip the thief into buying it.

It’s a delicate balance between offering visitors a preview of my templates and keeping the thief’s at bay.
[hr]
I like the idea of blocking the useragent string. Here are two recent useragent strings that I noticed:

http://anonymouse.org/cgi-bin/anon-www.cgi/http://xxxxx.com

http://3.hidemyass.com/ip-2/encoded/Oi8vd3d3LmNhcm9saW5hZGV0YWlsaW5nLmNvbS8%3D

I think hidemyass uses several number prefixes.


#10
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (anony|hidemya)
RewriteRule !^banned\.html$ - [F]

No need to use the entire UA you wish to block. Basically you just need to assess if the terms you block would naturally occur in a legit browser or beneficial robot’s UA. Having any type of blocking mechanism in place means continued diligence watching your logs and monitoring who is being blocked. Real easy to block good guys if you’re not careful.


#11

I just checked hidemyass.com and it didn’t work.


#12

Well you said that was the User Agent:

If that was actually the referrer (and not the UA) then you can block them like this:

RewriteEngine On
RewriteCond %{HTTP_REFERER} (anony|hidemya)
RewriteRule !^banned\.html$ - [F]

#13

UserAgent for Anonymous and Hidemyass are correct as I gave them and the Referrer shows my domain name.


#14

To satisfy my curiosity, I just tested Hidemyass blocking first for “hidemya” in User Agent, then in Referrer. Neither successfully block it, so the “hidemya” cannot be present in either or the block would work.

My guess would be they send another request (in addition to the one you saw) via a different UA to get the page. Check IP addresses about the same time frame to see if this is true.


#15

The only thing that stood out is that the person used hidemyass and anonymous with 45 seconds of each other and both had the same IP address. I will send you the log info if you like but I need to figure out why I can’t use PM here. Sent admin an email as why it is not enabled and if it gets fixed, I’ll send it to you.


#16

We used to have private messages enabled, but we had some pretty bad experiences with spammers sending out tons of PMs, so we had to disable it. Spammers ruin everything. :frowning:

If you want to receive messages from other users, turn off the “hide your email from other members” option on the page linked below, and the “Email” button will show up below your posts, allowing other users to send you emails.

https://discussion.dreamhost.com/usercp.php?action=options


As far as the real question goes here, though, I’m afraid I’m going to have to second the suggestion that you don’t put the whole things online. Encrypting your source code doesn’t make a difference here, since what really matters in a template is the markup, which has to be delivered to a browser for the page to work at all. If your templates consist of multiple pages, you might want to consider giving a “live” preview of one of those pages, and screenshots of the other ones. If there’s only a single layout, though, a screenshot (or a set of them, if there’s multiple things to show) is probably going to be the way to go.

If that isn’t an option, enabling hotlink protection on your images will at least prevent people from linking to your template resources directly. It won’t prevent them from downloading and reusing them, though.

Enabling Google Page Speed may actually help a bit, as it rewrites HTML and CSS in a way that may make them more difficult to reuse. (Make sure to tell people that the code in the real product won’t be as ugly as in the preview, though!)


#17

Thanks for the info Andrew on PM messaging and the lack thereof…

I’ve thought long and hard for many years about how I offer previews but in the end, I have to default to the larger group of visitors who do not try to steal the website templates and keep the preview as it is. With the way things are setup, reviewing server logs daily and the hidden code I’ve inserted that links back to my website for a hit on my server logs, I have a pretty good idea of when and who is trying to steal. As they say, if you want to catch like a criminal, think like one. I’ve done that as best I can and understand that they will look at the obvious in changing code but will overlook other things that I have put great thought into. For instance, while my sample content is Lorem Ipsum dummy content, I always write a very professional intro text above my contact form and what happens is that the thief will like the text and leave it. Now all I have to do is occasionally enter the text into Google and see which websites have used my text word for word. Pretty simply thing that most thief’s will not think about.

My other tact that I’ve already got help and and answer for was blocking and redirecting the identified IP addresses. Last month I took two websites down with DMCA Takedown notices and once in a while, I can flip the person who tried to steal the website into buying it. All in all, I guess I can’t complain…


#18

This is a pretty good tool for that: http://www.copyscape.com/


#19

Copyscape from what I can tell is an okay tool, but in the end, they probably use Google in some fashion to deliver the results. Just a guess on my part…