| 4:32 pm on Apr 12, 2012 (gmt 0)|
So you do see the same IPs as return visitors at some point? I'd not done a huge analysis but the IPs always seemed unique.
| 5:40 pm on Apr 12, 2012 (gmt 0)|
Yea, I'm getting a lot of repeats now.
| 8:46 pm on Apr 13, 2012 (gmt 0)|
SEO tools gone wild.
| 10:26 pm on Apr 13, 2012 (gmt 0)|
I'm seeing a lot of quick hits. Visits to a page followed by heading to one of the following without waiting even one tenth of a second (read: not human):
/crossdomain.xml <--- not sure what cms this belongs to, but it's not mine
/wp-comments-post.php <---- 500 times a day minimum and it's not a wordpress site
The quick redirect is causing the initial page to display 0.00 time on site in my stats when it immediately precedes a hit on one of the above, even though none of these (and other) files exist.
I took the drastic step of banning the offending countries to reduce this number by 80%. Now I'm working on banning just IPs/bots from the remaining countries, which is a MUCH smaller list.
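The pattern described in the post above (a page view followed within a tenth of a second by a request for a file that does not exist) can be checked against server logs. This is an added example, not code from the thread; the log format, sample lines and function names are constructed for illustration.

```python
# Flag clients whose page view is followed within 0.1 s by a request for a
# probe path that does not exist on the site (status 404).
PROBE_PATHS = {"/crossdomain.xml", "/wp-comments-post.php"}  # paths named in the post
MAX_GAP = 0.1  # seconds; "one tenth of a second" from the post

# Constructed sample, assumed format: "<epoch seconds> <client ip> <status> <path>"
SAMPLE_LOG = """\
1334355960.120 192.0.2.10 200 /articles/widgets.html
1334355960.170 192.0.2.10 404 /wp-comments-post.php
1334355961.000 198.51.100.7 200 /articles/widgets.html
1334355975.400 198.51.100.7 200 /articles/gadgets.html
1334355980.010 203.0.113.5 200 /index.html
1334355980.050 203.0.113.5 404 /crossdomain.xml
1334355990.000 198.51.100.7 404 /crossdomain.xml
"""

def parse(line):
    ts, ip, status, path = line.split()
    return float(ts), ip, int(status), path

def find_quick_probes(log_text, probe_paths=PROBE_PATHS, max_gap=MAX_GAP):
    """Return {ip: [(page, probe_path, gap_seconds), ...]} for suspicious pairs."""
    last_page = {}  # ip -> (timestamp, path) of the most recent successful page hit
    flagged = {}
    records = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    for ts, ip, status, path in records:
        if path in probe_paths and status == 404:
            prev = last_page.get(ip)
            # Only flag when the probe follows a page view faster than a human could click.
            if prev and ts - prev[0] <= max_gap:
                flagged.setdefault(ip, []).append((prev[1], path, round(ts - prev[0], 3)))
        elif status == 200:
            last_page[ip] = (ts, path)
    return flagged

def zero_time_pages(flagged):
    """Page views that would show 0.00 time on site because a probe followed at once."""
    return sorted({page for hits in flagged.values() for page, _, _ in hits})

if __name__ == "__main__":
    for ip, hits in find_quick_probes(SAMPLE_LOG).items():
        print(ip, hits)
```

The third client in the sample requests a probe path too, but 14.6 seconds after its last page view, so it is not flagged by the timing rule.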
| 4:53 pm on Apr 14, 2012 (gmt 0)|
Yea that looks like something probing for an exploit.
| 6:55 pm on Apr 15, 2012 (gmt 0)|
Has there been any update on this? Just discovered the discussion and I too was hit by it on Feb 21... and it's still ongoing.
| 10:32 pm on Apr 15, 2012 (gmt 0)|
Got a live one... I just responded to an email from an owner of one of the botnet computers hitting my site - says he is innocent and wants access to my site.
Have written him (South Africa) and asked that he work with me to identify the virus.
| 11:54 pm on Apr 15, 2012 (gmt 0)|
That's great Edge.
I think I've been having the same thing on one of my sites, except it's been going on for about a year now. I bought the site a year ago from someone in Turkey, and I thought that maybe he had some script set up to make it look like the site was getting more traffic, just to make it look good.
After a year, I don't think he has any incentive to continue.
As discussed throughout this thread, there are a few patterns that can be detected. I've set up a welcome message which blanks out the screen and welcomes the user to the site if these patterns exist. When they close the message box, or click the link in the message, they will be taken to the content and view it like normal.
This way real human visitors which match the pattern are only momentarily inconvenienced, but the bot never gets to my content.
Of course I don't know why the bot is hitting the site in the first place, but this at least makes me feel like I have a little bit of control over it.
| 1:37 am on Apr 16, 2012 (gmt 0)|
I just don't understand what's in it for them. What's the point?
It's not really hurting my site per se, just messing up my stats. And as far as I can tell they get nothing out of it.
I am worried that it keeps escalating though.
Originally I was getting hit by around 20k a day. Then it stopped. Then it came back with 40k a day. Last week it peaked out at 66k.
| 9:53 am on Apr 16, 2012 (gmt 0)|
Does anyone agree with that, that the bot is leaving the page on the external banner-image links? Some of my banner partners are not happy about the extra traffic. The bot not only attacks the start page of my domain, it's going on to my external partners.
| 11:20 am on Apr 16, 2012 (gmt 0)|
Just since yesterday I have seen a big fall in the number hitting my site. Down from approx 8000-9000 visits a day to around 1500 yesterday. It might be a random drop. Just have to wait and see.
| 1:07 pm on Apr 16, 2012 (gmt 0)|
It is the worst weekend ever... growing up to 60.000 visits a day.
| 2:12 pm on Apr 16, 2012 (gmt 0)|
Yea, my traffic goes up and down (although not up to 60k per day). Twitch, judging from what you posted on my site, I don't think this is quite the same thing - sounds like your traffic is coming from mostly one IP?
| 2:42 pm on Apr 16, 2012 (gmt 0)|
No, I logged over 9.000 IP addresses and it becomes more, day by day. I think it is still the same problem... There are the same symptoms that you and others talk about. The only difference is that I never read that the bot is following the external image banner links...
| 4:29 pm on Apr 16, 2012 (gmt 0)|
It's a complete hack, but my traffic in analytics and adsense are now normal.
| 2:07 pm on Apr 17, 2012 (gmt 0)|
Well my goal is not to annoy my real direct traffic from IE. Which is still considerable.
| 2:15 pm on Apr 17, 2012 (gmt 0)|
Most of my traffic is referral, so it wasn't too bad for me. But yeah, with a lot of direct traffic it'd be tough.
(You COULD do it based on screen size too though).
| 12:14 pm on Apr 18, 2012 (gmt 0)|
I have to be careful about what I do here; the traffic spikes on this site are considerable, and I don't want to put anything in that's going to slow it down when I have a thousand or more simultaneous users hitting the database.
| 2:08 pm on Apr 19, 2012 (gmt 0)|
Very weird. As of this morning, I'm getting about 3 visits an hour, that's it. Wonder if it will hold.
| 2:32 pm on Apr 19, 2012 (gmt 0)|
netmeg - Me too! This could be a good sign.
| 2:52 pm on Apr 19, 2012 (gmt 0)|
How do you know that there are only 3 bot visits per hour? I have been under this bot attack for so long that I can't tell which is my regular traffic anymore.
| 3:02 pm on Apr 19, 2012 (gmt 0)|
Well, I certainly can't tell how many per hour, and I really don't care. All I know is I have only had 13 today, where normally it's in the hundreds by this time.
| 3:11 pm on Apr 19, 2012 (gmt 0)|
Y'all must have redirected the bots my way. My biggest bot landing page has doubled in traffic over the last couple of days. :( And, from real time analytics, I've got 43 "visitors" on the page right now.
Need some bot spray.
| 3:28 pm on Apr 19, 2012 (gmt 0)|
I think it's tapering off very slowly. I'm getting around 900 per day now.
One odd thing I've noticed - Google Analytics always seems to show yesterday's bot traffic as much lower - but if you go check the numbers the following day, the number has changed.
Very strange. Like it's getting filtered or something but the filter isn't quite working.
| 3:40 pm on Apr 19, 2012 (gmt 0)|
Goofy traffic is WAY down for me today too, almost none. Let's hope it keeps going down. But then.....
That's not a good sign.
|My biggest bot landing page has doubled in traffic over the last couple of days. |
| 4:02 pm on Apr 19, 2012 (gmt 0)|
Sorry, my traffic is growing every day... take a look: [goo.gl...]
| 7:59 pm on Apr 19, 2012 (gmt 0)|
My bot traffic appears to be double what it was yesterday. It's getting to be just as much as it was when this started on Feb 21st. I had to remove AdSense from one of my pages because the bots kept clicking them, now I am probably going to have to remove AdSense from another page that the bots have seemed to transfer to. I am thinking about just giving up and selling my site.
This needs to be stopped now, I am tired of this. How are we going to get this to stop? Has anyone heard anything back from Google? Who else can we contact to get this fixed? Anyone at Microsoft? The FBI? Who?
| 9:21 pm on Apr 19, 2012 (gmt 0)|
|sorry my traffic is growing every day... take a look: |
Yikes, is all that surge rogue traffic?
| 7:44 am on Apr 20, 2012 (gmt 0)|
Count me in on this kind of traffic. Some of our customers' sites have been facing this traffic for a few days already, and the daily visitors go up from 6K to 60K with a 96% bounce rate. Many IE9 agents, but I believe that is fake too.
| 1:07 pm on Apr 20, 2012 (gmt 0)|
OK, follow up on my South Africa "Hot Lead". Contacted the guy and he responded by doing a full scan on his computer - he was very cooperative. Ultimately reported that he found nothing on his PC, eventually he did a reboot or equivalent and his IP address changed.
So, turns out his IP address was dynamically assigned at initial connection - dead end.
I do appreciate his time and effort and gave him access back to my site.
| 1:16 pm on Apr 20, 2012 (gmt 0)|
Reading here it looks like some folks are being abandoned by this botnet and others are getting their traffic. I'm getting the new traffic, so I have implemented a new strategy and can report some serious progress as I estimate that I am blocking 90% or more of this thing.
For the first time ever, I'm not going to report details on what exactly I'm doing (unless they go away forever). I apologize for my shut mouth policy on this issue and hope folks continue to share as much as they can on these forums.
So, with that said, this thing can be shut down with a little creativity, access configuration tricks and effort.