A couple of possibilities:

- Someone else has your tracking code on their pages (perhaps from copying and pasting your content).
- People might be viewing a 'modified' version of your page due to software installed on their own PC - perhaps some kind of spyware that modifies links.

The easiest way to figure this out is to look at individual visitors who exited on the weird links and see which pages they viewed/were on when they exited. Is it one visitor or more?

Is it a 'log spam' type attack?
Lately I'm seeing lots of registered hits on my outgoing links (even though the links appear to be broken) similar to an item mentioned in the thread you refer to.

I use AXS to track my outgoing links and I'm seeing dodgy web addresses being appended to the real link!

I've just been searching and it seems others are also seeing this - but no solution yet.

I forgot to ask whether you are using a javascript-based tracker or a server-side redirector. I assumed the former in my comments above.

Hey thanks for the responses guys!….. yes I use AXS
If I didn’t have it I would be clueless (so I think……) in the cold right now I realize it’s an old program but I believe that the post I was referring to was using the same program I am using
Added note…… I see this as a bot hitting my sites out going links 139 a second (note I don’t track my internal links just outgoing java tracking links with the pixl tracker) and then just leaving me alone for a few days only to come back under a new IP address
Please help
Thanks
Brad

If you think it's 'malicious' activity (one possibility is in phishing emails - they use other people's redirectors to disguise the destination (I've seen Google's redirectors used in this way a number of times)) you have a few possibilities:

- Only allow redirects for URLs you specify
- Attempt to secure the script by checking for valid referrers or some other mechanism. Referrers aren't great for security since they are essentially user-input
- In the short term you could rename the redirection script to something else which would stop this particular bot, at least temporarily

Hope that's of some use.

This is a really good article about how to block bad bots from coming to your site using your htaccess file.

[javascriptkit.com...]

Thanks for that info, but I don't think it will help in this case - if the OP is seeing what I'm seeing.

The re-directs seem to be coming from normal and different visitors - perhaps their PCs have been taken over (zombie style attack)? The user agent shows as normal IE7 etc. so couldn't be blocked using .htaccess.

Searching on one sample of the generated text shows others are also having the same traffic in their logs. It doesn't seem to be only an AXS problem reading from the other forum comments found in these results.

[edited by: encyclo at 11:52 pm (utc) on Feb. 18, 2008]
[edit reason] no specifics please, see terms of service [/edit]

Thanks for that link Badger At least we know we are not alone here.

>>The re-directs seem to be coming from normal and different visitors - perhaps their PCs have been taken over (zombie style attack)? The user agent shows as normal IE7 etc. so couldn't be blocked using .htaccess.<<

I am seeing the same thing but its happening in one second intervals I counted 139 on one occasion all from the same IP hitting different links and generating a new redirect for each one.

You would think this would have to be malicious in some way but how? A new way of highjacking?

>>You would think this would have to be malicious in some way but how? A new way of highjacking?

The URL's seem to be malformed so all you seem to get is a 404 error from the site the link originally goes to.

i.e. My site links to www.normal.com and and the hijacked link goes to www.normal.combrokenspamlink.com just causing a 404!?

I guess the idiots either don't know what they are doing or they are attempting to crack the system?

From the sites that I monitor that were previously affected by this - things seem to have gone quiet :)
(Hopefully not the kiss of death!)

Perhaps some PCs that were carrying out the attacks have been cleaned up or action taken by their provider?

Anyway things look much better to me...
Is that what others are seeing?

>> Is that what others are seeing?

Yes, we had these junk URL injection links during January, but not for the last week or two. The Params in our URLs were replaced with links to the host sites, I suppose in the hope that something our end would "bundle" them into our content which would be spidered and boost their rankings. All such links appears to have two bogus folders added to the URL, and I expect those were used (or intended to be used!) as the tracker code to identify those that worked, and those that didn't - so might be worth being cautious about just trying one!

i.e. in the example above

http://www.example.com.tr/joomla/mambots/content

looks like a reasonable URL to me, but the extra two folders:

Fugi / vipo

don't!

The inbound IP addresses of these attacks were from all over the world, and WhoIs suggested that they were bona fide, so I expect they were infected with something that then got cleaned up. The sites pointed too were also all over the world, but someone advised me that they looked to be owned by the same person/organisation.

However, our site could provide error messages when given ill-formed URLs (e.g. a Parameter expecting an INT but given a Text String), which I'm going to have a look at tightening up on.

[edited by: encyclo at 11:53 pm (utc) on Feb. 18, 2008]
[edit reason] no specifics please, see terms of service [/edit]

Don’t know if this is related or not? Seeing this new today never seen it before /cgi-bin/axs/');

'); at the end of /cgi-bin/axs/

And nothing after that. Maybe just a fluke not many hits from it
Just wondering if anyone else has the same string?
Brad

May have spoken too soon :(

A couple of quiet weeks but now it looks like the dodgy 'outgoing link' attackers are back!

Yep I see them also
They are back

And here too. :(

Anyone here any good with .htaccess ?

I've found this code (pasted below) but as it acts on the 'HTTP_REFERER' I guess that's no good.
I want to stop my out-going links being hijacked with this spam. Any idea if .htaccess is able to control this? If I could put legitimate out-going sites in .htaccess and bin the rest perhaps?

I can see this 'log spam' listed on 1000's of sites so I can see lots of people are being hit with the same problem (sorry my Google link has been removed from my earlier post so it's a bit hard for others having this problem to find this thread).

I see this type of thing in my logs (I've removed specifics as requested):

was redirected to http%3A%2F%2Fwww.dodgy-site-name.com%2Fadmin%2Fcorreo%2Fenaq%2Fecib%2F

Any ideas?

.htaccess code - can somthing similar be used to filter out-going links?

# Options +FollowSymlinks
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://(www\.)?spammersite1.com.*$ [OR]
RewriteCond %{HTTP_REFERER} ^http://(www\.)?spammersite2.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(www\.)?spammersite3.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(www\.)?spammersite4.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(www\.)?spammersite5.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(www\.)?spammersite6.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(www\.)?spammersite7.com.*$ [NC]
RewriteRule \.*$ [some-other-website.com...] [R,L]

Update: Just seen the same problem discussed here: [webmasterworld.com...]

THis 11nwn.net is causing us a lot of problems. It brough my whole network and T1 to a crawl and knocked out my VOIP phones. I consider that malicious. When I did traffic analysus the report showed that the traffic was coming from "inside" my network on one of my fairly new WIN 2003 Servers. When I pulled the ethernet on that Server my problem went away so I considered the Server infected. Wiped and reloaded Server 2003 this AM. No other software loaded. Installed Java, ccleaner, etc. Kept the Server as a Workgroup and off the domain. Seemed ok. Joined the Server to my domain - the problem is back. Had to unlug it off the network.
Any ideas?
Thanks,
Steve