Requests made by (what appears to be) a valid, human user are "echoed"

unusual site traffic


DirigoDev

6:48 pm on Sep 22, 2011 (gmt 0)

10+ Year Member



I’ve used a proprietary tracking system for years. Basically session and page logging to a database. I have a strange pattern that I cannot explain. Perhaps someone here at WebmasterWorld has an answer. Here’s my issue.

Requests made by (what appears to be) a valid, human user are "echoed" by something else (same IP, request URL, query string; different cookieID, sessionID, user agent, and no referrer)

User visits the website – valid cookieID, sessionID, and BrowserType/User Agent; looks to be a normal, valid user in every respect – but each request that the “real” user makes is immediately followed by a matching request with the exact same IP, request URL and query string, but different cookieID & sessionID, different browserType/User Agent, and no referrer. Time difference is a millisecond to several milliseconds.

The “real” user’s cookieID & sessionID remain consistent from request to request, as expected, but each matching request generates a new cookieID & sessionID (so whatever it is is not maintaining a normal website session).

This behavior has been observed with several users and IP addresses, but is not common in terms of our overall site traffic. Some affected users/IPs exhibited normal browsing behavior up to a random point in time, when the strange behavior began; others have exhibited the unusual behavior consistently for as far back as we can track (so it is definitely not related to any recent code changes on our part).

What is it?

lucy24

8:02 pm on Sep 22, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



First guess (from personal experience): virus-checking doodad following along behind the human and repeating everything they do. If you post the second UA, someone might recognize it.

g1smd

9:18 pm on Sep 22, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



If the pattern had been same request, different IP, several minutes later, then we know all about that one.

Today's report looks to be malware on the customer's PC.

There's the remote possibility that it's an even more sneaky version of ISPs snooping on their customers' traffic than we have seen before.

DirigoDev

3:19 pm on Sep 23, 2011 (gmt 0)

10+ Year Member



Example 1:

[Real] Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)
followed immediately by
[Echo] Mozilla/4.0 (compatible;)

Example 2:

[Real] Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
[Echo] blank/no user agent
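
Added example, not part of any post in this thread: one way to pull the "echo" pattern described above (same IP, URL and query string; different cookieID, sessionID and user agent; no referrer; milliseconds apart) out of a request log. The row layout, the 10 ms window and the sample rows are assumptions constructed for illustration; the two echo user agents are the ones quoted in the post above.

```python
from collections import Counter

# Constructed sample rows (not real log data); the field order is an assumption:
# (ts_ms, ip, url, query, cookie_id, session_id, user_agent, referrer)
REAL_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)"
SAMPLE_LOG = [
    (1000, "192.0.2.10", "/products", "id=7", "c1", "s1", REAL_UA, "http://example.com/"),
    (1003, "192.0.2.10", "/products", "id=7", "c2", "s2", "Mozilla/4.0 (compatible;)", ""),
    (5000, "192.0.2.10", "/cart", "", "c1", "s1", REAL_UA, "http://example.com/products?id=7"),
    (5002, "192.0.2.10", "/cart", "", "c3", "s3", "", ""),
    # Same visitor reloading much later with the same session: not an echo.
    (9000, "192.0.2.10", "/cart", "", "c1", "s1", REAL_UA, ""),
    # Unrelated visitor on another IP at almost the same time: not an echo.
    (9001, "198.51.100.4", "/cart", "", "c9", "s9", REAL_UA, ""),
]

def find_echoes(rows, window_ms=10):
    """Return (real_row, echo_row) pairs that match the pattern in the thread."""
    rows = sorted(rows, key=lambda r: r[0])
    session_hits = Counter(r[5] for r in rows)   # requests seen per sessionID
    last_seen = {}                               # (ip, url, query) -> last non-echo row
    pairs = []
    for row in rows:
        ts, ip, url, query, cookie, session, ua, referrer = row
        key = (ip, url, query)
        prev = last_seen.get(key)
        is_echo = (
            prev is not None
            and 0 <= ts - prev[0] <= window_ms        # milliseconds after the original
            and not referrer                          # echo carries no referrer
            and cookie != prev[4] and session != prev[5]
            and ua != prev[6]                         # different (or blank) user agent
            and session_hits[session] == 1            # throwaway session, never reused
        )
        if is_echo:
            pairs.append((prev, row))
        else:
            last_seen[key] = row
    return pairs

if __name__ == "__main__":
    for real, echo in find_echoes(SAMPLE_LOG):
        print(f"{echo[1]} {echo[2]}?{echo[3]} +{echo[0] - real[0]}ms echo UA={echo[6]!r}")
```

Grouping the resulting pairs by echo user agent and by IP gives a quick view of how many distinct clients show the behavior and from when.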

brotherhood of LAN

3:21 pm on Sep 23, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Possibly a toolbar or add-on.