Greenguy's Board > General Business Knowledge
Old 2009-03-27, 02:25 PM   #1
nate
Hotlinking Via Java

A website operator of little integrity is hotlinking my pics with java and an IFrame. So far I'm only able to block him by sending a proxy image with my website address (formed to hit a custom 404 page) to everyone with no referrer, which is suboptimal to say the least. How do you guys deal with this shit?

Are there any java or browser vulnerabilities that would allow me to inject some additional java via an image to redirect the surfer any time said image is called via javascript? That would really fuck up his thieving scheme. I don't call any of my images via goddamn javascript, and I don't think anyone else should either.

Here's his website, BTW. He's hotlinking from a lot of people, maybe even you.

http://eroman.ru
Old 2009-03-27, 02:54 PM   #2
ecchi
Are you talking about Java or JavaScript? You appear to be using both words to mean the same thing, but they are as different as, erm, two totally different things.
Old 2009-03-27, 03:14 PM   #3
cd34
They use JavaScript to create an iframe to load the image remotely. As a result there is no referrer, and most anti-hotlinking rules allow the empty referrer. It's not like you couldn't do it with an iframe and meta-refresh or a dozen other ways.

Blocking the non-referral hits could impact real viewers running certain privacy software, but it's a difficult thing to police.

I don't know that there is a better solution without considerable work. The one solution that used to protect against these types of things disappeared years ago, though, it wasn't a simple solution.
Old 2009-03-27, 03:34 PM   #4
nate
It's JavaScript, sorry for the error, although I thought referring to JavaScript as Java was OK. They both require the same runtime, don't they? I keep it turned off with "noscript" in Firefox and try not to use any Java anything on my websites because it taxes the client computer more than I want to, so I'm a little ignorant about it. I use it sparingly at best, and then only if it's integrated with something I install.

And I localized the .htaccess to the directory he is hitting. I'm not trying to exclude people that legitimately don't send referrers because they are paranoid and use a proxy or whatever, but I fucking hate a thief.

Here is the code he is using. I hope it escapes (// ) OK and doesn't fuck up my post.

<!--
// This runs on the hotlinker's page. The victim's images are never placed in an
// <img> of his own document; each one is loaded inside a named iframe whose
// document is generated from a javascript: URL, so the browser sends no Referer.
var D=document
var IframeName=Math.round(Math.random()*1000000)   // random window name for the photo iframe
var baseHeader='http://www.mydomain.com'           // the victim site
var basePath='/path to my images/'                 // image directory on the victim site
var galUrls=new Array("list of my image's names")  // image filenames on the victim site
var curNum=0
var tmp
function loadPhoto(num) {
  if (num) {
    // Reload the two ad iframes ("RECLAMA" = advertisement) on every navigation
    tmp=D.RECLAMA1 || D.getElementById('RECLAMA1').contentWindow
    tmp.history.go(0)
    tmp=D.RECLAMA2 || D.getElementById('RECLAMA2').contentWindow
    tmp.history.go(0)
  }
  curNum=(curNum+num)%galUrls.length
  var url=galUrls[curNum]
  url=baseHeader+((url.charAt(0)=='/') ? '' : basePath)+url   // absolute URL on the victim site
  // Give the PHOTO iframe a name, then open() a javascript: URL into it. The
  // resulting document is created by script rather than fetched from anywhere,
  // so the <img> inside it requests the victim's file with no Referer header,
  // which is exactly what the usual "allow empty referer" hotlink rule lets through.
  tmp=D.PHOTO || D.getElementById('PHOTO').contentWindow
  tmp.name=IframeName
  open("javascript:\"<img style='cursor:hand' onClick='parent.loadPhoto(1)' src='"+url+"'>\"",IframeName)
  D.forms[0].CURRENT.value=curNum+1
  D.all['CURRENT'].innerHTML=curNum+1        // document.all is IE-only
  D.getElementById('PREV').style.visibility=(curNum>0) ? 'visible' : 'hidden'
  // The posted code compared against url.length (the length of the filename);
  // the gallery length is what decides whether a NEXT image exists.
  D.getElementById('NEXT').style.visibility=((curNum+1)<galUrls.length) ? 'visible' : 'hidden'
  return false
}
function fitPhoto() {
  // Resize the photo window to the loaded image plus a 4px border
  tmp=D.PHOTO || D.getElementById('PHOTO').contentWindow
  var im=tmp.document.images[0]
  tmp.resizeTo(im.width+4,im.height+4)
}
//-->
Old 2009-03-27, 04:53 PM   #5
cd34
Rather interesting method of display, but if you block the non-referral traffic, you might block legitimate requests (including Google's image bots) from seeing your images.

You might do it to those specific directories as you see them hotlinked; however, since they aren't sending referrers, I can't begin to imagine how you found it.
Old 2009-03-27, 05:44 PM   #6
nate
I specifically allow Google et al. carte blanche. I also specifically allow thumbs. For those following along, the first is commented out; that's the entry that allows empty referrers. The next 5 lines include the "!" statement, which says we don't want to apply the "RewriteRule" at the bottom to them. The "REQUEST_URI" lines specifically allow certain files, the hotlink.jpg and some thumbnails. The last line is the RewriteRule that happens to those that don't fit the list.

Note that this is a deep and fairly specific subdirectory. My main .htaccess doesn't have the blank referer commented out; none of the sites linked from GG or the other big names are affected. I don't want to risk pissing them off by fucking with their surfers.

# .htaccess in the hotlinked subdirectory (RewriteEngine On is inherited from
# the site's main .htaccess). Apache ANDs all RewriteCond lines, so the
# RewriteRule at the bottom fires only when the request matches NONE of the
# negated ("!") patterns; each "!" line is therefore an exemption.

# Commented out here: with this line active, an empty Referer fails the
# condition and the image is served. Without it, empty referers are redirected,
# which is what stops the no-referrer iframe trick (and any surfer or bot that
# strips Referer).
#RewriteCond %{HTTP_REFERER} !^$

# Search engines and the Google cache. These are substring matches on the
# whole Referer, not on its hostname.
RewriteCond %{HTTP_REFERER} !google\. [NC]
RewriteCond %{HTTP_REFERER} !search\?q=cache [NC]
RewriteCond %{HTTP_REFERER} !msn\. [NC]
RewriteCond %{HTTP_REFERER} !yahoo\. [NC]

# Own site (the dot before "com" is escaped here; the posted version left it
# unescaped, where it matched any character).
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?my-domain\.com [NC]

# Never redirect the stand-in image itself, or the redirect would loop.
RewriteCond %{REQUEST_URI} !^/hotlink\.jpg$

# Thumbnail naming conventions are served to anyone. REQUEST_URI is the full
# path from the site root, hence the leading (.*).
RewriteCond %{REQUEST_URI} !^/(.*)120120\.jpg$
RewriteCond %{REQUEST_URI} !^/(.*)90120\.jpg$
RewriteCond %{REQUEST_URI} !^/(.*)9090\.jpg$
RewriteCond %{REQUEST_URI} !^/(.*)tn_(.*)\.jpg$

# Every other image request: external redirect ([R] is a 302 by default) to
# the stand-in image, and stop processing ([L]).
RewriteRule \.(jpg|jpeg|png|gif)$ /hotlink.jpg [NC,R,L]



I toyed with this idea but thought it was a little sleazy:

# Matches any Accept-Language header containing "ru" and redirects the
# whole request, images and pages alike.
#RewriteCond %{HTTP:Accept-Language} (ru) [NC]
#RewriteRule .* http://my-affiliate-link [R,L]

That redirects everyone using the Russian language in their browser to a paysite. I figured that was painting too broad and punishing the many for the sins of the few, and commented it out. I left it in but deactivated because I might someday write a site for the Russian (or Japanese or Korean or whatever) language specifically, and I have a ready-made example for redirecting them to the right place.
Old 2009-03-27, 06:20 PM   #7
nate
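Added example, not code from the thread or from either poster: a JavaScript model of the .htaccess rule set in the post above, run against constructed requests (the hotlinker.example host, the /pics/ paths and the my-domain.com site are assumptions) so you can see which requests each condition exempts. It shows why the no-referrer request produced by the iframe trick in post #4 is served wherever the "!^$" line is active and redirected where it is commented out, and that the search-engine exemptions match anywhere in the Referer string, so a hotlinking page can claim one with a query string.

```javascript
// Added example (not from the thread): a pure-function model of the posted
// .htaccess rule set, so each RewriteCond can be exercised against sample
// requests without a running Apache. Hosts and paths below are constructed.

// Regexes copied from the RewriteCond lines; [NC] becomes the i flag.
// Apache ANDs all RewriteConds: the RewriteRule fires only when every
// negated condition holds, i.e. when the referer matches NONE of these...
const REFERER_EXEMPT = [
  /google\./i,                            // !google\. [NC]
  /search\?q=cache/i,                     // !search\?q=cache [NC]
  /msn\./i,                               // !msn\. [NC]
  /yahoo\./i,                             // !yahoo\. [NC]
  /^http(s)?:\/\/(www\.)?my-domain.com/i, // own site, as posted (unescaped dot)
];
// ...and the request path matches NONE of these.
const URI_EXEMPT = [
  /^\/hotlink\.jpg$/,        // the stand-in image itself, or the redirect would loop
  /^\/(.*)120120\.jpg$/,     // thumbnail naming conventions, served to anyone
  /^\/(.*)90120\.jpg$/,
  /^\/(.*)9090\.jpg$/,
  /^\/(.*)tn_(.*)\.jpg$/,
];
const RULE_PATTERN = /\.(jpg|jpeg|png|gif)$/i; // RewriteRule pattern, [NC]

// Decide what the rule set does with one request.
// allowEmptyReferer=true models the main .htaccess, where
// "RewriteCond %{HTTP_REFERER} !^$" is active: an empty referer fails that
// condition, the rule never fires and the image is served. false models the
// hotlinked subdirectory, where that line is commented out.
function decide(req, { allowEmptyReferer = false } = {}) {
  const referer = req.referer || '';
  if (!RULE_PATTERN.test(req.uri)) return 'serve';           // rule only covers images
  if (allowEmptyReferer && referer === '') return 'serve';   // the "!^$" exemption
  if (REFERER_EXEMPT.some((re) => re.test(referer))) return 'serve';
  if (URI_EXEMPT.some((re) => re.test(req.uri))) return 'serve';
  return 'redirect:/hotlink.jpg';                            // [R] is a 302 by default
}

// Constructed requests. hotlinker.example stands in for the third-party site.
const SAMPLES = {
  // The iframe trick from post #4: the <img> lives in a document generated
  // from a javascript: URL, so the browser sends no Referer at all.
  iframeNoReferer: { referer: '', uri: '/pics/set1/01.jpg' },
  ownSite:         { referer: 'http://www.my-domain.com/set1.html', uri: '/pics/set1/01.jpg' },
  googleImages:    { referer: 'http://images.google.com/imgres?imgurl=x', uri: '/pics/set1/01.jpg' },
  hotlinkedFull:   { referer: 'http://hotlinker.example/gallery.html', uri: '/pics/set1/01.jpg' },
  hotlinkedThumb:  { referer: 'http://hotlinker.example/gallery.html', uri: '/pics/set1/tn_01.jpg' },
  standInImage:    { referer: '', uri: '/hotlink.jpg' },
  // The search-engine exemptions are substring matches on the whole Referer,
  // not on its host, so a query string is enough to claim one.
  fakeGoogle:      { referer: 'http://hotlinker.example/?via=google.com', uri: '/pics/set1/01.jpg' },
  notAnImage:      { referer: '', uri: '/pics/set1/index.html' },
};

// Run every sample through the rule set under one configuration.
function evaluateAll(opts) {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLES)) out[name] = decide(req, opts);
  return out;
}

console.log('subdirectory (empty referer not exempt):', evaluateAll());
console.log('main .htaccess (empty referer exempt):', evaluateAll({ allowEmptyReferer: true }));
```

The two runs make the trade-off in the thread concrete: the only thing that stops the no-referrer iframe load is refusing empty referers, and that same setting turns away every client that omits the header for privacy reasons. A Referer check is a nuisance filter, not an access control; the header is sent (or not) at the client's discretion, and the `google\.` style exemptions are satisfiable by anyone who puts the string in their own URL.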
Quote:
Originally Posted by cd34
since they aren't sending referrers, I can't begin to imagine how you found it.

Now that's a good question. I've emailed my host to see what their opinion is. It might be from people saving images via the right-click method, since at that point the image is embedded in his page.