[RESOLVED] PHP Anti Leeching

brooky

Hi,

I run http://www.brooky.com and have discovered that my links are being leeched by other sites!!

I'm angry about this! Does anybody know of some php code to protect my *.zip links??

I would be incredibly grateful and I'm sure my bandwith is being battered!!

thecookie

Make a download page where you send the file id. Like download.php?id=1

Before you send it you check the referer, if it isn't from your page.. don't send the file..

TheNookie

www.anti-leech.com, otherwise search on google for "anti-leech".

daphreeek

Well heres a script I threw together from bits I found round the net (the bits arent original but i did put all the bits together).

<?php
$allowed = array(
	"http://yoursite.com/downloads1.php",
	"http://yoursite.com/downloads2.php",
	"http://yoursite.com/downloads3.php",
	"http://yoursite.com/downloads4.php"
);

$downloads_folder = "/unaccessable_folder/";


$p = explode('?', $_SERVER['HTTP_REFERER']); 
$pc = count($p); 

for ($x=0; $allowed[$x]; $x++) {
	if ($p[$pc - 2] == $allowed[$x])
		$a = 1;
}

if ($a != 1) {
	echo "<br><br><br><center><b>This page is only accessable from my site!</b></center>";
	exit;
}

$mimetype = array(
    'ez'        => 'application/andrew-inset',
    'hqx'        => 'application/mac-binhex40',
    'cpt'        => 'application/mac-compactpro',
    'doc'        => 'application/msword',
    'bin'        => 'application/octet-stream',
    'dms'        => 'application/octet-stream',
    'lha'        => 'application/octet-stream',
    'lzh'        => 'application/octet-stream',
    'exe'        => 'application/octet-stream',
    'class'        => 'application/octet-stream',
    'so'        => 'application/octet-stream',
    'dll'        => 'application/octet-stream',
    'oda'        => 'application/oda',
    'pdf'        => 'application/pdf',
    'ai'        => 'application/postscript',
    'eps'        => 'application/postscript',
    'ps'        => 'application/postscript',
    'smi'        => 'application/smil',
    'smil'        => 'application/smil',
    'mif'        => 'application/vnd.mif',
    'xls'        => 'application/vnd.ms-excel',
    'ppt'        => 'application/vnd.ms-powerpoint',
    'wbxml'        => 'application/vnd.wap.wbxml',
    'wmlc'        => 'application/vnd.wap.wmlc',
    'wmlsc'        => 'application/vnd.wap.wmlscriptc',
    'bcpio'        => 'application/x-bcpio',
    'vcd'        => 'application/x-cdlink',
    'pgn'        => 'application/x-chess-pgn',
    'cpio'        => 'application/x-cpio',
    'csh'        => 'application/x-csh',
    'dcr'        => 'application/x-director',
    'dir'        => 'application/x-director',
    'dxr'        => 'application/x-director',
    'dvi'        => 'application/x-dvi',
    'spl'        => 'application/x-futuresplash',
    'gtar'        => 'application/x-gtar',
    'hdf'        => 'application/x-hdf',
    'js'        => 'application/x-javascript',
    'skp'        => 'application/x-koan',
    'skd'        => 'application/x-koan',
    'skt'        => 'application/x-koan',
    'skm'        => 'application/x-koan',
    'latex'        => 'application/x-latex',
    'nc'        => 'application/x-netcdf',
    'cdf'        => 'application/x-netcdf',
    'sh'        => 'application/x-sh',
    'shar'        => 'application/x-shar',
    'swf'        => 'application/x-shockwave-flash',
    'sit'        => 'application/x-stuffit',
    'sv4cpio'    => 'application/x-sv4cpio',
    'sv4crc'    => 'application/x-sv4crc',
    'tar'        => 'application/x-tar',
    'tcl'        => 'application/x-tcl',
    'tex'        => 'application/x-tex',
    'texinfo'    => 'application/x-texinfo',
    'texi'        => 'application/x-texinfo',
    't'            => 'application/x-troff',
    'tr'        => 'application/x-troff',
    'roff'        => 'application/x-troff',
    'man'        => 'application/x-troff-man',
    'me'        => 'application/x-troff-me',
    'ms'        => 'application/x-troff-ms',
    'ustar'        => 'application/x-ustar',
    'src'        => 'application/x-wais-source',
    'xhtml'        => 'application/xhtml+xml',
    'xht'        => 'application/xhtml+xml',
    'zip'        => 'application/zip',
    'au'        => 'audio/basic',
    'snd'        => 'audio/basic',
    'mid'        => 'audio/midi',
    'midi'        => 'audio/midi',
    'kar'        => 'audio/midi',
    'mpga'        => 'audio/mpeg',
    'mp2'        => 'audio/mpeg',
    'mp3'        => 'audio/mpeg',
    'aif'        => 'audio/x-aiff',
    'aiff'        => 'audio/x-aiff',
    'aifc'        => 'audio/x-aiff',
    'm3u'        => 'audio/x-mpegurl',
    'ram'        => 'audio/x-pn-realaudio',
    'rm'        => 'audio/x-pn-realaudio',
    'rpm'        => 'audio/x-pn-realaudio-plugin',
    'ra'        => 'audio/x-realaudio',
    'wav'        => 'audio/x-wav',
    'pdb'        => 'chemical/x-pdb',
    'xyz'        => 'chemical/x-xyz',
    'bmp'        => 'image/bmp',
    'gif'        => 'image/gif',
    'ief'        => 'image/ief',
    'jpeg'        => 'image/jpeg',
    'jpg'        => 'image/jpeg',
    'jpe'        => 'image/jpeg',
    'png'        => 'image/png',
    'tiff'        => 'image/tiff',
    'tif'        => 'image/tiff',
    'djvu'        => 'image/vnd.djvu',
    'djv'        => 'image/vnd.djvu',
    'wbmp'        => 'image/vnd.wap.wbmp',
    'ras'        => 'image/x-cmu-raster',
    'pnm'        => 'image/x-portable-anymap',
    'pbm'        => 'image/x-portable-bitmap',
    'pgm'        => 'image/x-portable-graymap',
    'ppm'        => 'image/x-portable-pixmap',
    'rgb'        => 'image/x-rgb',
    'xbm'        => 'image/x-xbitmap',
    'xpm'        => 'image/x-xpixmap',
    'xwd'        => 'image/x-xwindowdump',
    'igs'        => 'model/iges',
    'iges'        => 'model/iges',
    'msh'        => 'model/mesh',
    'mesh'        => 'model/mesh',
    'silo'        => 'model/mesh',
    'wrl'        => 'model/vrml',
    'vrml'        => 'model/vrml',
    'css'        => 'text/css',
    'html'        => 'text/html',
    'htm'        => 'text/html',
    'asc'        => 'text/plain',
    'txt'        => 'text/plain',
    'rtx'        => 'text/richtext',
    'rtf'        => 'text/rtf',
    'sgml'        => 'text/sgml',
    'sgm'        => 'text/sgml',
    'tsv'        => 'text/tab-separated-values',
    'wml'        => 'text/vnd.wap.wml',
    'wmls'        => 'text/vnd.wap.wmlscript',
    'etx'        => 'text/x-setext',
    'xsl'        => 'text/xml',
    'xml'        => 'text/xml',
    'mpeg'        => 'video/mpeg',
    'mpg'        => 'video/mpeg',
    'mpe'        => 'video/mpeg',
    'qt'        => 'video/quicktime',
    'mov'        => 'video/quicktime',
    'mxu'        => 'video/vnd.mpegurl',
    'avi'        => 'video/x-msvideo',
    'movie'        => 'video/x-sgi-movie',
    'ice'        => 'x-conference/x-cooltalk',
);

$p = explode('.', $file); 
$pc = count($p); 

header("Cache-control: private");
header("Content-Type: " . $mimetype[$p[$pc-1]]);
header("Content-Disposition: attachment; filename=$file");
readfile($file);
?>

I know it looks long but its actually a very simple script. At the start, enter the full URL of any (as many as you want) pages that can access your downloads.

Next enter your secret downloads folder (with slash at end). Make this a folder that cant be accessed via HTTP (eg: outside the public_html folder or using a .htaccess file to restrict access).

Then put all you downloads in there. You can keep them organized in folders if you wish.

Now link to files like this: downloadfile.php?file=catagory/file.zip

NOTE: dont have a front slash at the start!

THATS IT 🙂

All your downloads will only be accessable from the pages you specified.

Another good idea is to log the people who are linking to your downloads so you can visit thier site, get thier e-mail and tell them to stop 🙂

Hope that helps
- Matt

Morrigan

You can disable remote linking by using an .htaccess file on your server. Go here for instructions: http://wsabstract.com/howto/htaccess10.shtml

There's also a PHP script that you can include in all your file, it checks if someone is leeching the content of your site by using some sort of bot, download manager or "offline browser" (like Teleport Pro and others) to grab all your files. It happened to us on our site so we implemented it. Here's the code:

<?
$itime = 10; // Minimum number of seconds between visits
$ipenalty = 60; // Seconds before visitor is allowed back
$imaxvisit = 42; // Maximum visits
$iplogdir = "iplog/";
$ipfile = substr(md5($_SERVER["REMOTE_ADDR"]), -2);
$oldtime = 0;
if (file_exists($iplogdir.$ipfile)) $oldtime = filemtime($iplogdir.$ipfile);

$time = time(); 
if ($oldtime < $time) $oldtime = $time; 
$newtime = $oldtime + $itime; 

if ($newtime >= $time + $itime*$imaxvisit) 
{ 
	touch($iplogdir.$ipfile, $time + $itime*($imaxvisit-1) + $ipenalty); 
	header("HTTP/1.0 503 Service Temporarily Unavailable"); 
	header("Connection: close"); 
	header("Content-Type: text/html"); 
	echo "<html><body><p><b>Server under heavy load</b><br>"; 
	echo "Please wait $ipenalty seconds and try again</p></body></html>"; 
	exit(); 
} 
touch($iplogdir.$ipfile, $newtime);

What it does, is that it checks if a user is giving X number hits to your site in Y seconds. If it goes above that, it kills the page for Z number of seconds until the user is allowed to try again.
In the example, the user can click about 42 times for ever 420 seconds.

Be careful though, to still let the settings high enough. I actually triggered the script just by browsing and clicking really quickly 🙂

It really helped us though, we noticed in our stats that the leecher were still giving tons and tons of hits (probably started his leeching with some automated program and left it running, not realizing he was only getting the error page over and over again), but the bandwidth usage remained low 🙂

Oh, don't forget of course, to create the /iplog directory, and set the proper permissions.

leetcrew

i gonna save this page for future reference...

😉

Weedpacket

thecookie and daphreeek's methods are trivially circumvented by just forging a bogus HTTP_REFERER header. You can't trust the client to be honest.

Instead of looking at HTTP_REFERER, use something which you create. On a page which they should visit to get to your stuff (i.e.,, the page from which the stuff is supposed to be accessed), set a session variable. Then use thecookie's method of hiding the stuff behind another script - which first checks that the session variable is set before supplying the content.

gry

Just a warning for anybody implementing an approach based on the PHP code above... make sure you run some checks on the file being requested. For example, test requests like the following: "downloadfile.php?file=../.htaccess" or "downloadfile.php?file=../.htpasswd" or even "downloadfile.php?file=../downloadfile.php".