Web Hosting Talk

How to tell if user is putting on warez?


torwill
09-08-2002, 02:15 PM
Hi,

How do I track which user is putting on warez? I use locate to search files with extensions like .mp3, .wav, .exe, .r00, .r01, .zip, and then if I am suspicious of any one of them, I would normally remove the permission, and email the user to find out.

But what's the best way to find out?

Also, my server traffic has doubled since 2 hours ago; how do I find out what file/website is being transferred and consuming all the bandwidth?

thanks.....:)

lpguitars
09-08-2002, 03:03 PM
Do you have too many sites to just glance at people's log files to see who has a large log file today? Otherwise I'd suggest doing what you are doing and just looking for likely file types, such as mpgs.

I know many stats reports, like livestats do offer a site by site display of bandwidth used, and on windows you could use the performance monitor to watch things like processes which would be likely clues to your bandwidth usage perhaps. Unix I would not know what to tell you.

Good luck with it.

iWebbers.com
09-08-2002, 03:22 PM
You can try to download the suspicious file and see what it is.

torwill
09-08-2002, 03:34 PM
thanks for the reply!! I will try it.

The thing is, one of the files I am suspicious about ... is 400MB! There is no way that I want to download it and find out what it is.:(

Starhost
09-08-2002, 04:45 PM
just unzip the file, then you will find information about it. Almost all warez files contain .nfo documents with info about it.

davidb
09-08-2002, 04:53 PM
See who's transferring what, check webstats, it will be pretty clear then.

btw, rarely can you just download and unzip, they will make a lot of images that actually look real, like a little :) and it will be a big pic, you need to know more details. But still you should be able to figure it out.

torwill
09-08-2002, 05:08 PM
thanks for all the input!!:D

I am just wondering if there is a command that can be used in the shell showing what file is currently being transferred... just like 'top' in the shell showing all the running processes....:confused:

eddy2099
09-08-2002, 05:59 PM
400mb per file is really huge. There seem to be only two types of files which may fit that profile. Either Video Files or Commercial applications which chances are pirated.

Being in the shareware market for a couple of years now, I have never seen any freeware or shareware or demoware in that size region.

Not sure if there is a way to show the current transferred files but you might want to 'Last' the log file of the suspected host. Or if you can, just browse around their website, there should be telltale signs.

If you know the file name of the file, you could always check that name against some search engine or something. You should be able to tell if it is warez. They usually get hosted on several sites.

tribby
09-08-2002, 07:55 PM
Originally posted by eddy2099
400mb per file is really huge. There seem to be only two types of files which may fit that profile. Either Video Files or Commercial applications which chances are pirated.


Don't forget free Linux distributions which are perfectly legal.

lpguitars
09-08-2002, 08:28 PM
Yeah, if it's 400MB my guess is someone is bootlegging something, and a few dozen people have the link to it. I'd look into it if I were you, as if someone is offering say a bootleg of the latest Austin Powers flick, or a Windows XP download, one post to a newsgroup and your bandwidth could really suffer!

Eh, I may just be being paranoid.

JimDog
09-08-2002, 09:09 PM
well, if you know where the file is, and what domain is hosting it, I'd check the site out and see if they're blatantly offering it for download and it's pirated.

I'd definitely write an email to the owner of the domain and find out wtf is going on.

JamRover
09-09-2002, 03:25 AM
Looks like Bobby is in trouble ..... again!? Good luck with your Internal Investigation. I hope it's just a banned commercial or few. :rolleyes:

CJCS
09-09-2002, 05:58 AM
Hi,

if you're using the Apache web server then enable the server-status handler in your apache conf file. Then send a SIGHUP to your Apache and check http://www.yourdomain.tld/server-status.

There you can see what every single process of your apache is doing, and which one is sending the files out into the world.

Greetings
Oliver

BobFarmer
09-09-2002, 04:03 PM
I'm not sure in the most recent versions of apache, but I do recall that to get /status (or /server-status) to work, you have to configure in support for scoreboard.h. That would either be in the Makefile/Configure, or in a .conf somewhere.

The last thing to do is look at the logs for past transfers. A quick one-line awk command can monitor your logs for large transfers in real-time, however enabling scoreboard support is still the easiest way.

$0.02

BobFarmer
09-09-2002, 04:06 PM
That's from a technical perspective. The legal answer to how to tell if a user is putting on warez is:

You don't.

and you don't want to know.

The smartest thing from a perspective of liability you could possibly do is not police it at all. From a legal perspective, if someone is hosting copyrighted content (images or warez) on one of your hosting products, you have no liability -until- the copyright owner puts you on legal notice. Even then, their notice must follow certain procedures (which they normally do). At that point, you contact the customer and demand they remove the infringing content or you will be forced to disable their account.

Precedent has been set that companies which attempt to police the content on their servers are immediately liable for infringements. That's one place where being negligent is beneficial, and technically, it makes sense. There's no good way to police hundreds, or even thousands of servers for what is on them.

davidb
09-09-2002, 05:02 PM
Bob, I guess you have never dealt with warez before. Do you have any idea how much bandwidth is used? I have had my line tapped out 100 percent just from one group of software. You just forget about it, and you are going to lose a hell of a lot of money.

The Prohacker
09-09-2002, 05:08 PM
Originally posted by davidb
Bob, I guess you have never dealt with warez before. Do you have any idea how much bandwidth is used? I have had my line tapped out 100 percent just from one group of software. You just forget about it, and you are going to lose a hell of a lot of money.


And that's why you cap the connection they are on if you suspect something....

I doubt you offer unlimited bandwidth... So when they reach the transfer, cut'em off.. End of story...

Host Ultra
09-09-2002, 06:35 PM
Well, Bob has a point (unless it's a free host).

If the customer is paying, why check it at all?
Just bill 'em whatever you charge for bandwidth overages and go on with business as usual.

davidb
09-09-2002, 07:04 PM
Because it's illegal. And it's NOT just software. I have an example. A paid customer was selling Cracked direct TV cards. I didn't check that site. I got a nice little letter from the Direct TV lawyer, more or less saying how anyone involved faced prison+fines in excess of 250,000. I also got a nice phone call and email. I had to have a lawyer send a response (not had to but it was the smart thing to do). If any of this had gone to any type of trial, it would have cost at least 60k, even if found not guilty. That change your mind a little?

Going Postal
09-09-2002, 08:00 PM
I have this, from where?
Run this from cron in root twice a day and it will mail you results as to what is on your servers. Remove what you don't care about as I look for some boards also. Add your email address:

========================================

#!/bin/sh
# Locate & E-mail banned script results

updatedb
(locate Ultimate.cgi; locate cutecast.pl; locate myboard.cgi; locate anyboard.cgi; locate teemz.cgi; locate database.cgi; locate cfdirectory.cgi; locate db_TalkToMe.cgi; locate message.cgi; locate iforum.cgi; locate talkshop.cgi; locate dboard.pl; locate ruboard.pl; locate ib.cgi; locate colloquius.pl; locate forum6.main.cgi; locate index.cgi; locate dcboard.cgi; locate forum.cgi; locate WMCboard.cgi; locate xtartforum.pl; locate beebalm.cgi; locate zcboard.cgi; locate admin.pl; locate message.pl; locate webbbs_form.pl; locate forum.pl; locate netboard.cgi; locate wwwboard.pl; locate x-forum.cgi; locate ikonboard.cgi; locate ultimatebb.cgi; locate YaBB.cgi; locate YaBB.pl ) | mail -s Banned-Forums banned@7777ort1.net
locate lstmrge.cgi | mail -s Banned-Spam-Tools banned@7777ort1.net
locate phpshell.php | mail -s PHPShell banned@77771.net
locate nph-proxy.cgi | mail -s Banned-Proxy-Utils banned@7777ort1.net
# Patterns are quoted so the shell passes them to locate instead of
# expanding them against files in the current directory.
locate '*.mp3' | mail -s MP3s banned@77771.net
locate '*.rar' | mail -s RAR-Files banned@7777rt1.net
(locate warez; locate ftf; locate vcd; locate svcd; locate xxx; locate telesync; locate screener; locate divx; locate '*.nfo') | mail -s warez banned@7777t1.net
locate '*.zip' | mail -s zip-files banned@7777ort1.net
(locate '*.avi'; locate '*.mov'; locate '*.mpeg'; locate '*.mpg'; locate '*.rm'; locate '*.ram'; locate '*.divx'; locate '*.wmv'; locate '*.asf' ) | mail -s Movie-Files banned@7777ort1.net
locate adcycle.cgi | mail -s ad-systems banned@777ort1.net
find / -size +5000000c | mail -s Over5MB banned@s7777.net

==================================

Website Rob
09-09-2002, 09:48 PM
Going Postal, excellent information and looks like a sweet maintenance tool. :agree:

WebmastersHost
09-09-2002, 10:00 PM
Great script and list. To further add to its effectiveness how would you add a size indicator such as list any files over 200 MB?
Thanks.

BobFarmer
09-10-2002, 10:24 AM
Perhaps my post was misunderstood. The first of my posts was from a technical side, the second was from a legal side. The legal post was bandwidth-independent, just simply stating the legal side.

I have dealt with warez before, but I'm operating in a different network model--our network has several Gbps of spare bandwidth, so one customer's traffic is irrelevant to the entire network. That being said, I definitely remember the days of being on a single 10 Mbps line (in 1995) when one customer could spoil the fun for everyone.

If they're using all of your bandwidth, you have a tough situation. You can't really upgrade your network to support them because you know they won't be pushing that much for long, thus not worth the investment. If you just shut them off, you risk them complaining about you. In my experience, the best thing to do is contact them and tell them that hosting warez is illegal, and you are willing to give them until the end of the day to take them down, for example. Bear in mind that most warez people tend to host them to earn favor from other warez sites, and not because they make any money from it. They'll either do what you ask, or feel the pressure and go elsewhere.

Then again, there are exceptions to every rule, all you can do is your best to act in the interest of your broader customer base.

$0.02

BobFarmer
09-10-2002, 10:44 AM
Originally posted by ccreighton
Great script and list. To further add to its effectiveness how would you add a size indicator such as list any files over 200 MB?
Thanks.

Well, try:

locate xyz | xargs du | sort -n -r

That will give you a list of the files sorted by size (largest coming first). If you have a modern version of du, use 'du -h' instead of just 'du' to give a more human-friendly output. Bear in mind that xargs essentially slaps the whole thing on one command line, so you may get a too long exec error--in that case just separate some of your locates into new commands. Once you have this, you can do whatever you want with the output file, but your big files will be listed first, and you still won't lose sight of the small ones.

I know I answered a slightly different question, but I thought it might still be useful.

To find ANY file on your computer larger than 200 Megs, do:

find / -size +200000000c > filename_to_save_results

Running find takes a bit longer, but it is certainly accurate, and parses the entire filesystem. Change the 200000000 to whatever size you want to look for.

Hope this helps!
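
A variant of the size search above that also reports the owning account, added here as an example and not part of the original posts. It assumes GNU find (for -printf); the function names are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU find and a POSIX awk.

# big_files_by_owner ROOT MIN_BYTES
#   One line per regular file larger than MIN_BYTES under ROOT:
#   "<bytes><TAB><owner><TAB><path>", largest first.
big_files_by_owner() {
    root=$1
    min_bytes=$2
    # -xdev stays on one filesystem (skips /proc and network mounts).
    # -printf emits size/owner/path directly, so file names containing
    # spaces survive (names containing newlines would still break lines).
    find "$root" -xdev -type f -size +"${min_bytes}c" \
        -printf '%s\t%u\t%p\n' 2>/dev/null |
        sort -t "$(printf '\t')" -k1,1nr
}

# owner_totals
#   Reads big_files_by_owner output on stdin and prints
#   "<owner><TAB><file count><TAB><total bytes>", biggest total first.
owner_totals() {
    awk -F '\t' '
        { files[$2]++; bytes[$2] += $1 }
        END {
            for (u in files)
                printf "%s\t%d\t%.0f\n", u, files[u], bytes[u]
        }' | sort -t "$(printf '\t')" -k3,3nr
}

# Typical use (the path is a placeholder for your own web root):
#   big_files_by_owner /home 200000000 | owner_totals
```
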

Going Postal
09-10-2002, 09:30 PM
Thanx BobFarmer

I added this line to my previous post to check for files over 5MB.

find / -size +5000000c | mail -s Over5MB banned@s7777.net

zdwebhosting
09-11-2002, 12:36 AM
What I would do if I noticed some suspicious files or a lot of traffic: I would take the newest customer or most suspicious few and cd to the location of their Apache access log and run this.

cat access_log | grep 08/Aug/2002 -c | mail -s "site.com's hits today" you@youremail.com

That will show how many hits.

Or if you want to see just all the log for today, which cuts it down a lot, run

cat access_log | grep 08/Aug/2002 | mail -s "site.com's logs today" you@youremail.com
or to save to server
cat access_log | grep 08/Aug/2002 > /path/to/save/to/domain.txt

hope those help those are just some basic ways i would look into it.
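
The per-day log check above and the awk approach BobFarmer mentions earlier in the thread, combined into one added example that is not code from any poster. It assumes Apache's common or combined log format (date in field 4, request path in field 7, bytes sent in field 10); the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Apache common/combined
# log format; sample_log below is constructed test data.

# top_transfers LOGFILE DD/Mon/YYYY [N]
#   Prints "<total bytes><TAB><hits><TAB><path>" for the N paths that
#   moved the most bytes on that day, largest first (default N=10).
top_transfers() {
    log=$1
    day=$2
    top=${3:-10}
    awk -v day="$day" '
        # $4 looks like "[08/Aug/2002:14:03:11"; compare the date only.
        # $10 is "-" when no body was sent (e.g. 304), so skip those.
        index($4, "[" day ":") == 1 && $10 ~ /^[0-9]+$/ {
            bytes[$7] += $10
            hits[$7]++
        }
        END {
            for (p in bytes)
                printf "%.0f\t%d\t%s\n", bytes[p], hits[p], p
        }' "$log" | sort -t "$(printf '\t')" -k1,1nr | head -n "$top"
}

# Constructed sample: one 400 MB file fetched twice on 08/Aug, once the
# day before, plus ordinary page hits.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [08/Aug/2002:14:03:11 -0400] "GET /~user1/iso/disc1.bin HTTP/1.0" 200 419430400 "-" "Wget/1.8"
198.51.100.7 - - [08/Aug/2002:14:05:40 -0400] "GET /~user1/iso/disc1.bin HTTP/1.0" 200 419430400 "-" "Mozilla/4.0"
192.0.2.33 - - [08/Aug/2002:14:06:02 -0400] "GET /index.html HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
192.0.2.33 - - [08/Aug/2002:14:06:09 -0400] "GET /index.html HTTP/1.0" 304 - "-" "Mozilla/4.0"
203.0.113.5 - - [07/Aug/2002:23:59:59 -0400] "GET /~user1/iso/disc1.bin HTTP/1.0" 200 419430400 "-" "Wget/1.8"
EOF
}

# Typical use (log path is a placeholder):
#   top_transfers /path/to/access_log 08/Aug/2002 5
```

Run against each customer's access log in turn, the first output line names the file responsible for most of that site's traffic for the day.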