I'm not sure if this is the correct place to post this question, but I'm not sure where else to ask. Recently I've run into an issue where my webmail login has been cloned by HTTrack, in what I'm assuming is an effort to gather usernames and passwords from my users. From what I am seeing, it looks like this site is just mirroring the content from my webmail login. What I'm looking for is a way to block the referrer on my server. When I look at the cpsrvd logs, it appears the requests are showing the legit IP and user agent of the user connecting to this. This is a sample log; note that I've replaced the domain and IPs with fake info, except for the domain that is forwarding the requests:
192.168.1.100 proxy - [05/20/2020:14:47:46 -0000] "GET /cPanel_magic_revision_xxxxxxxxxx/unprotected/cpanel/fonts/open_sans/open_sans.min.css HTTP/1.1" 200 0 "https://webmail.MYDOMAIN.TLD.nzll0-0nl1ne.ml/" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0" "-" "X-Forwarded-For: 192.168.1.100" 443
I'm assuming the "https://webmail.MYDOMAIN.TLD.nzll0-0nl1ne.ml/" is the referrer part. Is there any way to block these requests? As you can see, user agent blocking isn't going to work and IP blocking isn't going to either.
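An added example, not part of the original post: Python code that scans log lines in the format shown above and lists the client IPs whose Referer host only begins with the real webmail hostname. `LEGIT_HOSTS`, the function names, the field layout inferred from the one sample line, and every sample line after the first are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: the real webmail hostname, written as the placeholder used in the post.
LEGIT_HOSTS = {"webmail.mydomain.tld"}

# Field layout inferred from the one sample line in the post.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def referer_host(referer):
    """Lower-cased host of a Referer value, or '' when absent or unparsable."""
    try:
        return (urlsplit(referer).hostname or "").lower().rstrip(".")
    except ValueError:  # the header is client-controlled and may be malformed
        return ""

def classify_referer(referer, legit_hosts=LEGIT_HOSTS):
    """Return 'none', 'legit', 'lookalike' or 'other' for a Referer value."""
    host = referer_host(referer)
    if not host:
        return "none"
    if host in legit_hosts:
        return "legit"
    # Lookalike: the real hostname is used as the leading labels of another domain.
    if any(host.startswith(h + ".") for h in legit_hosts):
        return "lookalike"
    return "other"

def lookalike_hits(lines, legit_hosts=LEGIT_HOSTS):
    """Map each lookalike Referer host to the sorted client IPs that sent it."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m and classify_referer(m["referer"], legit_hosts) == "lookalike":
            hits[referer_host(m["referer"])].add(m["ip"])
    return {host: sorted(ips) for host, ips in hits.items()}

# Constructed sample: the first line follows the post's log line; the rest are made up.
CSS = "/cPanel_magic_revision_xxxxxxxxxx/unprotected/cpanel/fonts/open_sans/open_sans.min.css"
UA = "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0"
def _line(ip, referer):
    return (f'{ip} proxy - [05/20/2020:14:47:46 -0000] "GET {CSS} HTTP/1.1" 200 0 '
            f'"{referer}" "{UA}" "-" "X-Forwarded-For: {ip}" 443')
SAMPLE = [_line("192.168.1.100", "https://webmail.MYDOMAIN.TLD.nzll0-0nl1ne.ml/"),
          _line("192.168.1.101", "https://webmail.MYDOMAIN.TLD/"),
          _line("192.168.1.102", "-"),
          _line("192.168.1.103", "https://webmail.MYDOMAIN.TLD.nzll0-0nl1ne.ml/login")]
```

Each client IP returned by `lookalike_hits` belongs to a browser that loaded a page on the lookalike host, so the result doubles as a list of accounts to review for credential exposure.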