homepage Welcome to WebmasterWorld Guest from 54.234.60.133
register, free tools, login, search, subscribe, help, library, announcements, recent posts, open posts,
Accredited PayPal World Seller

Visit PubCon.com
Home / Forums Index / WebmasterWorld / Website Analytics - Tracking and Logging
Forum Library, Charter, Moderators: Receptional & mademetop

Website Analytics - Tracking and Logging Forum

This 354 message thread spans 12 pages: < < 354 ( 1 2 3 4 5 6 7 8 [9] 10 11 12 > >     
Logs Show Surge, but Not Human?
rogerd




msg:4420176
 9:23 pm on Feb 21, 2012 (gmt 0)

On one site I work with, I've seen traffic go from 10K visits/day to 40K. The additional traffic looks human at first glance - it is captured by Google Analytics, It comes from diverse consumer IPs in the US and Europe (but not Asia), and the bounce rate is high but one out of ten visits or so loads another page.

On the non-human side, we have all of the traffic coming with no referrer, and it is all focused on a few pages that are hardly viral linkbait and would get one or two views on a good day. It's all IE (spread among 6 - 9), and a range of screen resolutions that look unusually aged (e.g., 1024x768).

Anecdotally, I've heard of a few other sites seeing this kind of traffic, but nobody knows what the purpose might be. It's not scraping, as it's the same pages that get hit. It's not intense enough to be an attack to take the site down, nor is the site likely to be the target of miscreants.

The level of traffic has gone up and down, but it's still happening.

Are any of your sites seeing this, and do you have any theories?

Any thoughts on screening this out of Analytics? It totally blows up time period comparisons.

 

eviljim




msg:4440086
 4:32 pm on Apr 12, 2012 (gmt 0)

So you do see the same IPs as return visitors at some point? I'd not done a huge analysis but the IPs always seemed unique.

Interesting.

netmeg




msg:4440120
 5:40 pm on Apr 12, 2012 (gmt 0)

Yea, I'm getting a lot of repeats now.

Sgt_Kickaxe




msg:4440642
 8:46 pm on Apr 13, 2012 (gmt 0)

SEO tools gone wild.

Sgt_Kickaxe




msg:4440669
 10:26 pm on Apr 13, 2012 (gmt 0)

I'm seeing a lot of quick hits. Visits to a page followed by heading to one of the following without waiting even one tenth of a second (read:not human)

/login.php
/register/index.htm
/crossdomain.xml <--- not sure what cms this belongs to, but it's not mine
/wp-comments-post.php <---- 500 times a day minimum and it's not a wordpress site

The quick redirect is causing the initial page to display 0.00 time on site in my stats when it immediately precedes a hit on one of the above, even though none of these(and other) files exist.

I took the drastic step of banning the offending countries to reduce this number by 80%. Now I'm working on banning just IP's/bots from the remaining countries, which is a MUCH smaller list.

netmeg




msg:4440879
 4:53 pm on Apr 14, 2012 (gmt 0)

Yea that looks like something probing for an exploit.

Shatner




msg:4441098
 6:55 pm on Apr 15, 2012 (gmt 0)

Has there been any update on this? Just discovered the discussion and I too was hit by it on Feb 21... and it's still ongoing.

Edge




msg:4441143
 10:32 pm on Apr 15, 2012 (gmt 0)

Got a live one... I just responded to an email from an owner of one of the botnet computers hitting my site - says he is innocent and wants access to my site.

Have wrote him (South Africa) and asked that he work with me to identify the virus..

I'm excited...

dataguy




msg:4441168
 11:54 pm on Apr 15, 2012 (gmt 0)

That's great Edge.

I think I've been having the same thing on one of my sites, except it's been going on for about a year now. I bought the site a year ago from someone in Turkey, and I thought that maybe he had some script set up to make it look like the site was getting more traffic, just to make it look good.

After a year, I don't think he has any incentive to continue.

As discussed throughout this thread, there are a few patterns that can be detected. I've set up a welcome message which blanks out the screen and welcomes the user to the site if these patterns exist. When they close the message box, or click the link in the message, they will be taken to the content and view it like normal.

This way real human visitors which match the pattern are only momentarily inconvenienced, but the bot never gets to my content.

Of course I don't know why the bot is hitting the site in the first place, but this at least makes me feel like I have a little bit of control over it.

Shatner




msg:4441191
 1:37 am on Apr 16, 2012 (gmt 0)

I just don't understand what's in it for them. What's the point?

It's not really hurting my site per say, just messing up my stats. And as far as I can tell they get nothing out of it.

I am worried that it keeps escalating though.

Originally I was getting hit by around 20k a day. Then it stopped. Then it came back with 40k a day. Last week it peaked out at 66k.

twitch




msg:4441371
 9:53 am on Apr 16, 2012 (gmt 0)

does anyone agree with that, that the bot is leaving the page on the external banner-image-links? some of my Banner Partner are not hapy about the extra traffic. The Bot not only attack the startpage of the my domain.. it's going on to my external Partner.

hottrout




msg:4441402
 11:20 am on Apr 16, 2012 (gmt 0)

Just since yesterday I have seen a big fall in the number hitting my site. Dwon from approx 8000-9000 visits a day to around 1500 yesterday. It might be a random drop. Just have to wait and see.

twitch




msg:4441447
 1:07 pm on Apr 16, 2012 (gmt 0)

it is the worst weekend ever... growing up to 60.000 visits a day.

netmeg




msg:4441479
 2:12 pm on Apr 16, 2012 (gmt 0)

Yea, my traffic goes up and down (although not up to 60k per day) Twitch, judging from what you posted on my site, I don't think this is quite the same thing - sounds your traffic is coming from mostly one IP?

twitch




msg:4441500
 2:42 pm on Apr 16, 2012 (gmt 0)

no, I logged over 9.000 IP adresses and it becomes more, day by day. I think it is still the same Problem... There are the same sympton like you and other talk about. The only difference is, that I never read, that the bot is following the external Image Banner Links...

eviljim




msg:4441550
 4:29 pm on Apr 16, 2012 (gmt 0)

If you don't mind annoying any direct traffic from IE, you can put a snippet of javascript in your header to block the rest of the javascript from loading. This appears to have 'solved' the problem for me (note: they still load the full HTML page, maybe even images. But not external JS).

It's a complete hack, but my traffic in analytics and adsense are now normal.

netmeg




msg:4441973
 2:07 pm on Apr 17, 2012 (gmt 0)

Well my goal is not to annoy my real direct traffic from IE. Which is still considerable.

eviljim




msg:4441977
 2:15 pm on Apr 17, 2012 (gmt 0)

Most of my traffic is referral, so it wasn't too bad for me. But yeah, with a lot of direct traffic it'd be tough.

(You COULD do it based on screen size too though).

netmeg




msg:4442421
 12:14 pm on Apr 18, 2012 (gmt 0)

I have to be careful about what I do here; the traffic spikes on this site are considerable, and I don't want to put anything in that's going to slow it down when I have a thousand or more simultaneous users hitting the database.

netmeg




msg:4442992
 2:08 pm on Apr 19, 2012 (gmt 0)

Very weird. As of this morning, I'm getting about 3 visits an hour, that's it. Wonder if it will hold.

dmember




msg:4443007
 2:32 pm on Apr 19, 2012 (gmt 0)

netmeg - Me too! This could be a good sign.

Mario155




msg:4443013
 2:52 pm on Apr 19, 2012 (gmt 0)

How do you know that there are only 3 bot visits per hour? I have been under this bot attack for so long that I cant tell which is my regular traffic anymore.

dmember




msg:4443016
 3:02 pm on Apr 19, 2012 (gmt 0)

Well, I certainly can't tell how many per hour, and I really don't care. All I know is I have only had 13 today, where normally it's in the hundreds by this time.

rogerd




msg:4443021
 3:11 pm on Apr 19, 2012 (gmt 0)

Y'all must have redirected the bots my way. My biggest bot landing page has doubled in traffic over the last couple of days. :( And, from real time analytics, I've got 43 "visitors" on the page right now.

Need some bot spray.

7_Driver




msg:4443034
 3:28 pm on Apr 19, 2012 (gmt 0)

I think it's tapering off very slowly. I'm getting around 900 per day now.

One odd thing I've noticed - Google Analytics always seems to show yesterday's bot traffic as much lower - but if you go check the numbers the following day, the number has changed.

Very strange. Like it's getting filtered or something but the filter isn't quite working.

ken_b




msg:4443038
 3:40 pm on Apr 19, 2012 (gmt 0)

Goofy traffic is WAY down for me today too, almost none. Let's hope it keeps going down. But then.....
from rogerd....
My biggest bot landing page has doubled in traffic over the last couple of days.
That's not a good sign.

.

twitch




msg:4443048
 4:02 pm on Apr 19, 2012 (gmt 0)

sorry my traffic is growing every day... take a look: [goo.gl...]

Mario155




msg:4443135
 7:59 pm on Apr 19, 2012 (gmt 0)

My bot traffic appears to be double what it was yesterday. Its getting to be just as much as it was when this started on Feb 21st. I had to remove AdSense from one of my pages because the bots kept clicking them, now I am probably going to have to remove AdSense from another page that the bots have seemed to transfer to. I am thinking about just giving up and selling my site.

This needs to be stopped now, I am tired of this. How are we going to get this to stop? Has anyone heard anything back from Google? Who else can we contact to get this fixed? Anyone at Microsoft? The FBI? Who?

ken_b




msg:4443157
 9:21 pm on Apr 19, 2012 (gmt 0)

sorry my traffic is growing every day... take a look:

Yikes, is all that surge rogue traffic?

.

phamhung




msg:4443291
 7:44 am on Apr 20, 2012 (gmt 0)

Count me to this kind of traffic. Some of our customer's sites have been facing to this traffic few days already, and the daily visitors goes up from 6K to 60K with 96% bounce rate. Many IE9 agent, but I believe that is fake too.

Edge




msg:4443372
 1:07 pm on Apr 20, 2012 (gmt 0)

OK, follow up on my South Africa "Hot Lead". Contacted the guy and he responded by doing a full scan on his computer - he was very cooperative. Ultimately reported that he found nothing on his PC, eventually he did a reboot or equivalent and his IP address changed.

So, turns out his ip address was dynamically assigned at initial connection Ė dead end.

I do appreciate his time and effort and gave him access back to my site.

Edge




msg:4443375
 1:16 pm on Apr 20, 2012 (gmt 0)

Reading here it looks like some folks are being abandoned by this botnet and others are getting their traffic. Iím getting the new traffic, so I have implemented a new strategy and can report some serious progress as I estimate that I am blocking 90% or more of this thing.

For the first time ever, Iím not going to report details on what exactly Iím doing (unless they go away forever). I apologize for my shut mouth policy on this issue and hope folks continue to share as much as they can on these forums.

So, with that said, this thing can be shutdown with a little creativity, access configuration tricks and effort.

This 354 message thread spans 12 pages: < < 354 ( 1 2 3 4 5 6 7 8 [9] 10 11 12 > >
Global Options:
 top home search open messages active posts  
 

Home / Forums Index / WebmasterWorld / Website Analytics - Tracking and Logging
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About
© Webmaster World 1996-2014 all rights reserved