homepage Welcome to WebmasterWorld Guest from 54.221.175.46
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Home / Forums Index / WebmasterWorld / Website Analytics - Tracking and Logging
Forum Library, Charter, Moderators: Receptional & mademetop

Website Analytics - Tracking and Logging Forum

This 354 message thread spans 12 pages: < < 354 ( 1 [2] 3 4 5 6 7 8 9 10 ... 12 > >     
Logs Show Surge, but Not Human?
rogerd




msg:4420176
 9:23 pm on Feb 21, 2012 (gmt 0)

On one site I work with, I've seen traffic go from 10K visits/day to 40K. The additional traffic looks human at first glance - it is captured by Google Analytics, It comes from diverse consumer IPs in the US and Europe (but not Asia), and the bounce rate is high but one out of ten visits or so loads another page.

On the non-human side, we have all of the traffic coming with no referrer, and it is all focused on a few pages that are hardly viral linkbait and would get one or two views on a good day. It's all IE (spread among 6 - 9), and a range of screen resolutions that look unusually aged (e.g., 1024x768).

Anecdotally, I've heard of a few other sites seeing this kind of traffic, but nobody knows what the purpose might be. It's not scraping, as it's the same pages that get hit. It's not intense enough to be an attack to take the site down, nor is the site likely to be the target of miscreants.

The level of traffic has gone up and down, but it's still happening.

Are any of your sites seeing this, and do you have any theories?

Any thoughts on screening this out of Analytics? It totally blows up time period comparisons.

 

hottrout




msg:4420883
 1:53 pm on Feb 23, 2012 (gmt 0)

None that I can see, my hosting firm cant make sense of it either. Very strange and yet it continues.

ken_b




msg:4420897
 2:34 pm on Feb 23, 2012 (gmt 0)

Seems to be happening to me the last couple days. Just starting to dig into this. This traffic seems to all be to my home page on first glance.

Traffic goes nowhere, one page wonders.

Not a wordpress site.

breeks




msg:4420945
 4:31 pm on Feb 23, 2012 (gmt 0)

Hitting two pages on one of my sites, Removed analytics code and AdSense code from both pages. At least stats look normal again, but still getting "Occupy The Web" traffic.

rogerd




msg:4420969
 5:19 pm on Feb 23, 2012 (gmt 0)

OK, so it appears to NOT be some kind of Wordpress-focused attack.

What IS the point of this? The only explanation so far was a sort of Panda-inducing degradation of user engagement metrics, but that seems like a long shot.

Maybe an experiment of some kind? But to what end?

ken_b




msg:4420998
 6:02 pm on Feb 23, 2012 (gmt 0)

The only explanation so far was a sort of Panda-inducing degradation of user engagement metrics, but that seems like a long shot.


I've already been beaten to death by Panda, can't imagine this could make it much worse.

This is hitting my homepage only, normally a very low traffic page. Most of my traffic enters on other pages.

Just for reference, my site is totally static pages, all hand built one at a time, by me.

netmeg




msg:4421004
 6:14 pm on Feb 23, 2012 (gmt 0)

Well take AdSense off that page, if you're running it. I went and put mine back on the rest of my site after it became clear it was only hitting one page. Still, it's annoyance, and it's screwing up my Analytics. I would like it to stop, please.

ken_b




msg:4421009
 6:21 pm on Feb 23, 2012 (gmt 0)

Well take AdSense off that page,


Yeah, already did that yesterday. Annoying is right.

ponyboy96




msg:4421011
 6:24 pm on Feb 23, 2012 (gmt 0)

I have a client getting similar type zombie traffic. According to analytics, the traffic comes from organic traffic with exact match keywords. It looks something like "keyword" and time on site is 0, bounce rate is 100. We're are getting over a hundred thousand of these per month with all kinds of keywords. Nothing unusual from a OS, browser, IP, etc... perspective that would single out the source.

Obviously this makes traffic stats look great for SEO, but conversion is in the toilet. We don't know what to make of it other than some kind of bot. I have been wondering if it's been the pre-fetch feature on Google and other programs.

netmeg




msg:4421017
 6:39 pm on Feb 23, 2012 (gmt 0)

See this sounds somewhat different. None of mine have a referrer, so no keywords are involved - it all looks like direct traffic.

rogerd




msg:4421022
 6:44 pm on Feb 23, 2012 (gmt 0)

Same here, all direct traffic with no referrer.

ken_b




msg:4421026
 6:46 pm on Feb 23, 2012 (gmt 0)

None of mine have a referrer, so no keywords are involved - it all looks like direct traffic.

That's what mine looks like too.

scooterdude




msg:4421031
 6:58 pm on Feb 23, 2012 (gmt 0)

Hmm

who would want to be an impressions based advertiser, publisher or network operator at this time, I was thinking off moving in that direction, alas !

dmember




msg:4421132
 11:29 pm on Feb 23, 2012 (gmt 0)

I, too am a victim of this garbage. 6000K hits a day on my home page, where I used to get 10. It started out of the blue three days ago. These hits are generated from all countries, cities, you name it. The weird thing is, most are coming from IE 9.0 with a significant amount of 8.0, 7.0, 6.0, and so on. The screen resolutions vary, and the flash version varies. Most screens res is 1024x768, but there is still a significant amount that show 1280x1024, 1440x900, 819x614, 800x600, 1280x800, 1152x864 and several others. As far as I can tell, most of them are windows based, with a mac hit here and there. On the "Java Support" reference, it shows about 50% supported. Just weird, and extremely annoying.

I am not sure what to do at this point to take a giant dump on these folks, but I am all ears.

dmember




msg:4421133
 11:33 pm on Feb 23, 2012 (gmt 0)

Also, ALL of mine show 'direct hit'. I need a counter punch!

netmeg




msg:4421181
 1:25 am on Feb 24, 2012 (gmt 0)

Yea @dmember that's exactly the profile I'm seeing. But from everywhere I've checked and asked, there's absolutely nothing that can be done (that won't take out either real users and/or search engine bots) Someone has come up with something that can't be killed without collateral damage. And slowly but surely, it's gonna eat the web.

seoskunk




msg:4421191
 3:05 am on Feb 24, 2012 (gmt 0)

Ultimately this traffic needs to be filtered out of Analytics and then there is no reward, however its my belief this is a bot and therefore won't follow javascript so I wrote a simple php script that should stop it happening based on the common factor of no referrer

For those with static sites add php as an application in .htaccess

AddType application/x-httpd-php .html .htm

Then simply add this to top of files being hit


<?php
if ($_SERVER["HTTP_REFERER"] == "") {
$page=("http://".$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"]);
echo "<script type=\"text/javascript\">
<!--
window.location = \"$page\"
//-->
</script>";
}
?>


Its good for all major SE's too

dmember




msg:4421197
 3:21 am on Feb 24, 2012 (gmt 0)

seoskunk - Thanks a bunch. If this works, you will be my new best friend.

lucy24




msg:4421200
 3:41 am on Feb 24, 2012 (gmt 0)

According to analytics, the traffic comes from organic traffic with exact match keywords. It looks something like "keyword" and time on site is 0, bounce rate is 100.

Can GA tell if they really came from a g### search, or if it's just another forged referer? Seems like it could just be the latest spin on the auto-referer-- the ones where request and referer are the same page, even if your site doesn't work that way.

They're not visiting the page "cold". Someone made a preliminary sweep and decided which page to target. So they know what the keywords are. With me, it was the fattest page (counting only html) within the first two links from the front page. I've just done some tweaking, and am waiting to see if the robots turn their attention to the second-fattest page, or to something at three links deep.

g1smd




msg:4421246
 7:45 am on Feb 24, 2012 (gmt 0)

AddType application/x-httpd-php .html .htm

Some sites will require using AddHandler rather than AddType.

Seb7




msg:4421253
 8:34 am on Feb 24, 2012 (gmt 0)

If its all IE traffic, it sounds like a script is controlling an IE window. My guess is that javascript does run, and cookies probably stick too. Can anyone confirm this?

g1smd




msg:4421255
 8:37 am on Feb 24, 2012 (gmt 0)

If true, you should be able to generate a message that the user of the infected machine can read.

incrediBILL




msg:4421257
 8:46 am on Feb 24, 2012 (gmt 0)

If its all IE traffic


Assuming it's really IE and not just a user agent string being used.

Easy test would be to install some javascript to perform a specific function that reports back to the server assuming it's really IE.

Knowing this would help determine how to address the situation, possibly even figure out a way to notify the computer owner they're infected!

netmeg




msg:4421409
 5:06 pm on Feb 24, 2012 (gmt 0)

I don't know how to write that myself, but if someone else does, we can test it on my site.

seoskunk




msg:4421503
 10:55 pm on Feb 24, 2012 (gmt 0)

OK this script will test if a bot or a browser.....

Create a file called zombietest.php at root level and copy this into it.. remember to set path to file


<?php
$ip=$_SERVER['REMOTE_ADDR'];
$filename="/path-to-file/zombie.txt"; //path to file
$content="IP $ip is a REAL Browser\n";
if (file_exists($filename)) {
$handle = fopen($filename, 'a');
fwrite($handle, $content,strlen($content));
fclose($handle);
}
?>


Next Add this to the page getting hit at the bottom...


<?php
$ip=$_SERVER['REMOTE_ADDR'];
$filename="/path-to-file/zombie.txt";
$content="Is IP $ip a Browser?\n";
if (file_exists($filename)) {
$handle = fopen($filename, 'a');
fwrite($handle, $content,strlen($content));
fclose($handle);
} else {
$handle = fopen($filename, 'w');
fwrite($handle, $content,strlen($content));
fclose($handle);
}


?>
<script type="text/JavaScript">
<!--
var zombietest = "zombietest.php";
document.write('<iframe src="/' + zombietest + '" width="1px" height="1px"></iframe>');
//-->
</script>



Thats it now check results by opening text file called zombie.txt

I have an update on earlier script I posted as well

seoskunk




msg:4421518
 11:49 pm on Feb 24, 2012 (gmt 0)

Th other script I wrote I ammended to this


<?php
if ($_SERVER["HTTP_REFERER"] == "") {

$pg=("http://".$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"]);
echo "<script type=\"text/javascript\">
<!--
window.location = \"$pg\"
//-->
</script>";


} else {

//my content

}



Anyway it seemed to work bounce rates down from 38% to 25% time on site increased massively and page views are up!

incrediBILL




msg:4421688
 1:16 pm on Feb 25, 2012 (gmt 0)

I have an idea how to trap these these attacks, but it would require multiple sites being attacked to get the sample I need to make it work and I've only heard of a couple of sites having this issue.

An insufficient sampling

How do you find 20+ sites currently under attack as most webmasters don't even know it's happening until it's already past?

netmeg




msg:4421697
 1:59 pm on Feb 25, 2012 (gmt 0)

Dunno, are we sure it's ever past? I haven't heard of it *stopping* yet.

ken_b




msg:4421702
 2:40 pm on Feb 25, 2012 (gmt 0)

I haven't taken any actions beyond removing AdSense from the targeted page.

On my site, it looks like this strange traffic is slowly dropping off. It has dropped off about 10% for each of the last two days, so now down about 20% from the peak. Hope it keeps going down, only faster.

Anyone else seeing a drop in this traffic?

rogerd




msg:4421705
 2:53 pm on Feb 25, 2012 (gmt 0)

Yes, ken_b, though a week or two ago it dropped to almost nothing and then returned.

dmember




msg:4421708
 3:18 pm on Feb 25, 2012 (gmt 0)

I applied the solution from seoskunk yesterday. After checking this morning I still had 1300 direct hits from today. I do believe there might be a decrease of some sort, but not sure at this point.

I want to keep my analytics data on there to track it, but have removed adsense.

dmember




msg:4421978
 6:18 pm on Feb 26, 2012 (gmt 0)

Bummer. Still getting about the same amount of traffic as before. It appears that dracula might be hitting my site from Transylvania :)

This 354 message thread spans 12 pages: < < 354 ( 1 [2] 3 4 5 6 7 8 9 10 ... 12 > >
Global Options:
 top home search open messages active posts  
 

Home / Forums Index / WebmasterWorld / Website Analytics - Tracking and Logging
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved