11

For the last three months I have had thousands of real visitors to a single page on my website. Those visits are recorded in Google Analytics and count as page views in AdSense reports, but they are fake:

  • They are not generated by spam software / proxy or a bot.
  • All are real IPs from US, Canada, Europe (no spammy IP, I checked it). All my regular visitors are from Africa/Asia.
  • In Google Analytics the visits are recorded as direct access. Time on Page: 00:00:10 sec.
  • In AdSense, thousands of page impressions, but not a single click.
  • I have never advertised my website.
  • All requests' method is GET.

I can't understand what is going on. I tried everything with my page before I deleted it. With Javascript I checked:

  • My page is not included in a frame or iframe.
  • My page is not opened as popup windows.
  • No page referrals at all. I checked with IIS logs and programmatically.

All visitors are using MSIE 6, 7, 8, 9 only. No Firefox, Safari, Chrome, etc. My best guess was that someone was embedding my page inside a piece of software (browser object / ActiveX).

It was easy to delete the page and forget it, but the huge problem now is that whoever was doing this has replaced that forgotten page with my default website URL. Along with this altering I began to have other strange requests from the same style visitors (US-Europe / MSIE) to weird pages like /amgdgt/ife.html /adx-iframe-v2.html.

Any suggestions to identify what's going on?

My latest explanation: a malware / trojan / bot is using my page name as a referrer to fool advertising companies!

I found my page listed in snort.org's log file like this: ib.adnxs.com/ptj?member=77764&size=160x600&inv_code=77142343&referrer=http://www.mywebsite.com/myoldpage.html&redir=http://ad.yieldmanager.com/st/anmember=7764%26anprice=7BPRICEBUC..

But why the requests to my website?!

Anyway, does anybody have any idea about an ad bot that acts like this, and how to stop it?

Zaher
  • [adx-iframe-v2.html](http://jsunpack.jeek.org/dec/go?report=1d61ec0ac567207675dbd4f556bea0c02a93fb85) appears to be related to an AdInterax "rich media advertising" Javascript widget - have you ever used Yahoo! advertising on your site? – danlefree Apr 22 '12 at 09:50
  • About the weird links in Analytics. I provide code on my website that can be used freely. Some nitwits copied the whole page, including my tracking code, for use on their website. So it appears someone is using non-existent pages, but they are on a completely different server. – pritaeas Apr 22 '12 at 10:53
  • I had never advertised my website. I noticed that this is related to advertising companies, iframe busters! But I can't find a clue. The requests come to my server; I can see it in IIS logs. – Zaher Apr 22 '12 at 17:39

6 Answers

5

It is a Trojan that affects Windows PCs, named TROJ_OBVOD.TA or Trojan.Obvod. Discovered: July 14, 2012. This Trojan connects to the following sites to obtain a list of URLs that the malware accesses/visits for a pay-per-click scheme:

{BLOCKED}3.*.in

The list contains a hundred URLs, including mine.

Zaher
  • So, someone made a trojan to earn you some money? ;-) – domen Sep 25 '13 at 13:15
  • Anyways, thanks for the answer. It's good to have some closure to a puzzle like that. – domen Sep 25 '13 at 13:25
  • It is a really annoying puzzle; I still don't understand what the purpose of this Trojan is! Some PCs are still infected, but now I have like 200 hits instead of 20K per day. – Zaher Sep 25 '13 at 19:15
  • 3
    "So, someone made a trojan to earn you some money?" Seems weird at first, but after thinking about it a bit it makes perfect sense. His domain is a false lead, a red herring. If I were going to make a trojan that did something like this, I wouldn't want all the domains to lead back to me; pepper enough unwitting beneficiaries into the list of paying clients, and it's easier for those clients to claim plausible deniability. If half the people on the list don't know about it, who's to say which half is guilty? – Parthian Shot Jul 09 '14 at 20:04
4

I have a suggestion. Why don't you pick one of those web pages that gets visited by these weird visitors and that you don't use for any legitimate purpose, and replace it with a landing page that asks anyone who sees the page to provide information about how they got to that page? Perhaps you could frame it as a user satisfaction survey: (1) How satisfied are you with this site? (2) How did you get to this page? If you don't immediately get responses, you could offer a reward (e.g., a drawing for a free iPad; or a free MP3 on Amazon for each person who responds).

Another suggestion. You might enable full logging for visits to that page, and log all HTTP headers, to see if you can spot any common element in the headers.

Let me confirm a few more things. None of the weird requests have a Referer: header? That is mildly weird. Also, all of the weird requests show that visitors spend exactly 10 seconds on the page -- not more, not less, but exactly 10 seconds? That is very weird. You could probably put some Javascript on the page to log when the page is loaded and when people leave the page, to confirm if it is exactly 10 seconds. I don't know what the "exactly 10 seconds" statistic would imply, if it is true, but it seems like it might be a clue of some sort, if it is accurate.

D.W.
  • 4
    Thanks. I tried this and more. I logged full server-side headers and full JavaScript client-side variables, including screen width and height! All seem to be true valid users, but no clue. None of the requests have a referrer. I replaced it with a feedback page ... no action. I replaced it with a chat script ... no action. I replaced it with a popup window & pop-under window that includes the chat page and feedback page; only 1 of every 1000 visitors can see the new page (at least his explorer can see it), but also no feedback. I replaced it with an I BEG YOU page ... no action. – Zaher Apr 23 '12 at 07:11
  • About the 10 sec, it is an average in Google Analytics. – Zaher Apr 23 '12 at 07:12
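
The header comparison suggested in this answer can be run directly over the IIS logs mentioned in the question. The following is an added example, not code from the thread: it parses a constructed W3C-format log sample, selects requests matching the profile described in the question (GET, no query string, no Referer, MSIE user agent), and reports which fields carry the same value across those requests. The function names and the sample log are assumptions made for illustration.

```python
from collections import Counter

# Constructed IIS W3C extended log sample (not from the original post).
# IIS writes "-" for an empty field and "+" for spaces inside a value.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2012-04-22 07:01:10 GET /myoldpage.html - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) - 200
2012-04-22 07:01:12 GET /myoldpage.html - 203.0.113.20 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0) - 200
2012-04-22 07:01:15 GET /myoldpage.html - 192.0.2.33 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1) - 200
2012-04-22 07:02:01 GET /myoldpage.html - 198.51.100.99 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1) - 200
2012-04-22 07:03:40 GET /myoldpage.html id=5 192.0.2.80 Mozilla/5.0+(Windows+NT+6.1;+rv:11.0)+Gecko/20100101+Firefox/11.0 http://www.example.org/links.html 200
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):   # skip truncated or malformed rows
                yield dict(zip(fields, values))

def matches_profile(row):
    """Profile from the question: GET, no query string, no Referer, MSIE."""
    return (row["cs-method"] == "GET" and row["cs-uri-query"] == "-"
            and row["cs(Referer)"] == "-" and "MSIE" in row["cs(User-Agent)"])

def common_elements(rows, threshold=0.9):
    """Return {field: value} for values present in at least `threshold` of rows."""
    shared = {}
    for field in (rows[0] if rows else {}):
        value, count = Counter(r[field] for r in rows).most_common(1)[0]
        if count / len(rows) >= threshold:
            shared[field] = value
    return shared

def profile_page(text, uri):
    """Summarise profile-matching traffic to one page and what those requests share."""
    rows = [r for r in parse_w3c(text) if r["cs-uri-stem"].lower() == uri.lower()]
    suspect = [r for r in rows if matches_profile(r)]
    return {"total": len(rows), "suspect": len(suspect),
            "distinct_ips": len({r["c-ip"] for r in suspect}),
            "shared": common_elements(suspect)}

if __name__ == "__main__":
    print(profile_page(SAMPLE_LOG, "/myoldpage.html"))
```

Fields that stay constant across many distinct client IPs are the candidates for a detection or filtering rule; fields that vary per request (time, client IP, exact browser version) drop out of the `shared` result.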
2

A quick check: Use Google to see if anyone is linking to your page. Try, e.g., link:http://www.yoursite.com/yourpage.html.

D.W.
  • 1
    Thanks, I already did this. No links, but now I found that the old page is listed in a website that logs malware logs. – Zaher Apr 23 '12 at 07:22
0

To me, it sounds like your website is being attacked by some automated tools. What software do you have installed on the website? Make sure it is up to date.

Can you check your access logs to see if the requests included any strange POST or GET parameters?

Honoki
  • Those attacks by automated tools are daily activities; they come from certain countries/proxies looking for certain pages. I have no problem with it. What we face here is another mysterious problem. – Zaher Apr 22 '12 at 07:57
  • That's not necessarily true. If the attack would be launched from compromised systems in a botnet, the IPs would be from "real" computers. If there are vulnerabilities in the pages you listed, the visits may be attempts to exploit it. – Honoki Apr 22 '12 at 16:15
  • They are normal requests, thousands of normal GET requests, no query string, no form POSTs, no SQL attack. Just normal. – Zaher Apr 22 '12 at 17:41
  • Maybe the files are already infected, and contain malicious code. That could explain why so many requests are made (e.g. the file is used to infect other users). I guess you can find that out by checking its 'last edited' timestamp and/or scanning the file with a virus scanner. – Honoki Apr 22 '12 at 17:51
  • I've already deleted the page; the requests are still there. And there is no way to infect thousands of users. – Zaher Apr 22 '12 at 18:18
0

I've seen similar requests to my website. I have a personal theory as to why they are requesting pages on your site with their own page as referrer.

If you should have a visitor statistics page with linked referrers publicly available, search engines would then also pick up these links and possibly increase the referrer's page rank.

Even if there is only a low percentage of sites who share the referrers to sites, in the big picture this could increase their page rank in search engines.

This is my theory why we are seeing such traffic, and not necessarily the real reason.

Dog eat cat world
0

Exploit IE6 ActiveX/whatever to take a screenshot for those specific automated visitors and POST it to your server.

This may be somewhat wrong from an ethics point of view, but it may work out very well.

Evgeniy Chekan