hottrout
msg:4420883 | 1:53 pm on Feb 23, 2012 (gmt 0) |
None that I can see, my hosting firm cant make sense of it either. Very strange and yet it continues.
|
ken_b
msg:4420897 | 2:34 pm on Feb 23, 2012 (gmt 0) |
Seems to be happening to me the last couple days. Just starting to dig into this. This traffic seems to all be to my home page on first glance.
Traffic goes nowhere, one page wonders.
Not a wordpress site.
|
breeks
msg:4420945 | 4:31 pm on Feb 23, 2012 (gmt 0) |
Hitting two pages on one of my sites, Removed analytics code and AdSense code from both pages. At least stats look normal again, but still getting "Occupy The Web" traffic.
|
rogerd
msg:4420969 | 5:19 pm on Feb 23, 2012 (gmt 0) |
OK, so it appears to NOT be some kind of Wordpress-focused attack.
What IS the point of this? The only explanation so far was a sort of Panda-inducing degradation of user engagement metrics, but that seems like a long shot.
Maybe an experiment of some kind? But to what end?
|
ken_b
msg:4420998 | 6:02 pm on Feb 23, 2012 (gmt 0) |
| The only explanation so far was a sort of Panda-inducing degradation of user engagement metrics, but that seems like a long shot. |
|
I've already been beaten to death by Panda, can't imagine this could make it much worse.
This is hitting my homepage only, normally a very low traffic page. Most of my traffic enters on other pages.
Just for reference, my site is totally static pages, all hand built one at a time, by me.
|
netmeg
msg:4421004 | 6:14 pm on Feb 23, 2012 (gmt 0) |
Well take AdSense off that page, if you're running it. I went and put mine back on the rest of my site after it became clear it was only hitting one page. Still, it's annoyance, and it's screwing up my Analytics. I would like it to stop, please.
|
ken_b
msg:4421009 | 6:21 pm on Feb 23, 2012 (gmt 0) |
| Well take AdSense off that page, |
|
Yeah, already did that yesterday. Annoying is right.
|
ponyboy96
msg:4421011 | 6:24 pm on Feb 23, 2012 (gmt 0) |
I have a client getting similar type zombie traffic. According to analytics, the traffic comes from organic traffic with exact match keywords. It looks something like "keyword" and time on site is 0, bounce rate is 100. We're are getting over a hundred thousand of these per month with all kinds of keywords. Nothing unusual from a OS, browser, IP, etc... perspective that would single out the source.
Obviously this makes traffic stats look great for SEO, but conversion is in the toilet. We don't know what to make of it other than some kind of bot. I have been wondering if it's been the pre-fetch feature on Google and other programs.
|
netmeg
msg:4421017 | 6:39 pm on Feb 23, 2012 (gmt 0) |
See this sounds somewhat different. None of mine have a referrer, so no keywords are involved - it all looks like direct traffic.
|
rogerd
msg:4421022 | 6:44 pm on Feb 23, 2012 (gmt 0) |
Same here, all direct traffic with no referrer.
|
ken_b
msg:4421026 | 6:46 pm on Feb 23, 2012 (gmt 0) |
| None of mine have a referrer, so no keywords are involved - it all looks like direct traffic. |
|
That's what mine looks like too.
|
scooterdude
msg:4421031 | 6:58 pm on Feb 23, 2012 (gmt 0) |
Hmm
who would want to be an impressions based advertiser, publisher or network operator at this time, I was thinking off moving in that direction, alas !
|
dmember
msg:4421132 | 11:29 pm on Feb 23, 2012 (gmt 0) |
I, too am a victim of this garbage. 6000K hits a day on my home page, where I used to get 10. It started out of the blue three days ago. These hits are generated from all countries, cities, you name it. The weird thing is, most are coming from IE 9.0 with a significant amount of 8.0, 7.0, 6.0, and so on. The screen resolutions vary, and the flash version varies. Most screens res is 1024x768, but there is still a significant amount that show 1280x1024, 1440x900, 819x614, 800x600, 1280x800, 1152x864 and several others. As far as I can tell, most of them are windows based, with a mac hit here and there. On the "Java Support" reference, it shows about 50% supported. Just weird, and extremely annoying.
I am not sure what to do at this point to take a giant dump on these folks, but I am all ears.
|
dmember
msg:4421133 | 11:33 pm on Feb 23, 2012 (gmt 0) |
Also, ALL of mine show 'direct hit'. I need a counter punch!
|
netmeg
msg:4421181 | 1:25 am on Feb 24, 2012 (gmt 0) |
Yea @dmember that's exactly the profile I'm seeing. But from everywhere I've checked and asked, there's absolutely nothing that can be done (that won't take out either real users and/or search engine bots) Someone has come up with something that can't be killed without collateral damage. And slowly but surely, it's gonna eat the web.
|
seoskunk
msg:4421191 | 3:05 am on Feb 24, 2012 (gmt 0) |
Ultimately this traffic needs to be filtered out of Analytics and then there is no reward, however its my belief this is a bot and therefore won't follow javascript so I wrote a simple php script that should stop it happening based on the common factor of no referrer
For those with static sites add php as an application in .htaccess
AddType application/x-httpd-php .html .htm
Then simply add this to top of files being hit
<?php
if ($_SERVER["HTTP_REFERER"] == "") {
$page=("http://".$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"]);
echo "<script type=\"text/javascript\">
<!--
window.location = \"$page\"
//-->
</script>";
}
?>
Its good for all major SE's too
|
dmember
msg:4421197 | 3:21 am on Feb 24, 2012 (gmt 0) |
seoskunk - Thanks a bunch. If this works, you will be my new best friend.
|
lucy24
msg:4421200 | 3:41 am on Feb 24, 2012 (gmt 0) |
| According to analytics, the traffic comes from organic traffic with exact match keywords. It looks something like "keyword" and time on site is 0, bounce rate is 100. |
|
Can GA tell if they really came from a g### search, or if it's just another forged referer? Seems like it could just be the latest spin on the auto-referer-- the ones where request and referer are the same page, even if your site doesn't work that way.
They're not visiting the page "cold". Someone made a preliminary sweep and decided which page to target. So they know what the keywords are. With me, it was the fattest page (counting only html) within the first two links from the front page. I've just done some tweaking, and am waiting to see if the robots turn their attention to the second-fattest page, or to something at three links deep.
|
g1smd
msg:4421246 | 7:45 am on Feb 24, 2012 (gmt 0) |
| AddType application/x-httpd-php .html .htm |
|
Some sites will require using AddHandler rather than AddType.
|
Seb7
msg:4421253 | 8:34 am on Feb 24, 2012 (gmt 0) |
If its all IE traffic, it sounds like a script is controlling an IE window. My guess is that javascript does run, and cookies probably stick too. Can anyone confirm this?
|
g1smd
msg:4421255 | 8:37 am on Feb 24, 2012 (gmt 0) |
If true, you should be able to generate a message that the user of the infected machine can read.
|
incrediBILL
msg:4421257 | 8:46 am on Feb 24, 2012 (gmt 0) |
Assuming it's really IE and not just a user agent string being used.
Easy test would be to install some javascript to perform a specific function that reports back to the server assuming it's really IE.
Knowing this would help determine how to address the situation, possibly even figure out a way to notify the computer owner they're infected!
|
netmeg
msg:4421409 | 5:06 pm on Feb 24, 2012 (gmt 0) |
I don't know how to write that myself, but if someone else does, we can test it on my site.
|
seoskunk
msg:4421503 | 10:55 pm on Feb 24, 2012 (gmt 0) |
OK this script will test if a bot or a browser.....
Create a file called zombietest.php at root level and copy this into it.. remember to set path to file
<?php
$ip=$_SERVER['REMOTE_ADDR'];
$filename="/path-to-file/zombie.txt"; //path to file
$content="IP $ip is a REAL Browser\n";
if (file_exists($filename)) {
$handle = fopen($filename, 'a');
fwrite($handle, $content,strlen($content));
fclose($handle);
}
?>
Next Add this to the page getting hit at the bottom...
<?php
$ip=$_SERVER['REMOTE_ADDR'];
$filename="/path-to-file/zombie.txt";
$content="Is IP $ip a Browser?\n";
if (file_exists($filename)) {
$handle = fopen($filename, 'a');
fwrite($handle, $content,strlen($content));
fclose($handle);
} else {
$handle = fopen($filename, 'w');
fwrite($handle, $content,strlen($content));
fclose($handle);
}
?>
<script type="text/JavaScript">
<!--
var zombietest = "zombietest.php";
document.write('<iframe src="/' + zombietest + '" width="1px" height="1px"></iframe>');
//-->
</script>
Thats it now check results by opening text file called zombie.txt
I have an update on earlier script I posted as well
|
seoskunk
msg:4421518 | 11:49 pm on Feb 24, 2012 (gmt 0) |
Th other script I wrote I ammended to this
<?php
if ($_SERVER["HTTP_REFERER"] == "") {
$pg=("http://".$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"]);
echo "<script type=\"text/javascript\">
<!--
window.location = \"$pg\"
//-->
</script>";
} else {
//my content
}
Anyway it seemed to work bounce rates down from 38% to 25% time on site increased massively and page views are up!
|
incrediBILL
msg:4421688 | 1:16 pm on Feb 25, 2012 (gmt 0) |
I have an idea how to trap these these attacks, but it would require multiple sites being attacked to get the sample I need to make it work and I've only heard of a couple of sites having this issue.
An insufficient sampling
How do you find 20+ sites currently under attack as most webmasters don't even know it's happening until it's already past?
|
netmeg
msg:4421697 | 1:59 pm on Feb 25, 2012 (gmt 0) |
Dunno, are we sure it's ever past? I haven't heard of it *stopping* yet.
|
ken_b
msg:4421702 | 2:40 pm on Feb 25, 2012 (gmt 0) |
I haven't taken any actions beyond removing AdSense from the targeted page.
On my site, it looks like this strange traffic is slowly dropping off. It has dropped off about 10% for each of the last two days, so now down about 20% from the peak. Hope it keeps going down, only faster.
Anyone else seeing a drop in this traffic?
|
rogerd
msg:4421705 | 2:53 pm on Feb 25, 2012 (gmt 0) |
Yes, ken_b, though a week or two ago it dropped to almost nothing and then returned.
|
dmember
msg:4421708 | 3:18 pm on Feb 25, 2012 (gmt 0) |
I applied the solution from seoskunk yesterday. After checking this morning I still had 1300 direct hits from today. I do believe there might be a decrease of some sort, but not sure at this point.
I want to keep my analytics data on there to track it, but have removed adsense.
|
dmember
msg:4421978 | 6:18 pm on Feb 26, 2012 (gmt 0) |
Bummer. Still getting about the same amount of traffic as before. It appears that dracula might be hitting my site from Transylvania :)
|
|
