14

Greetings this is my first time to post a question here so please be forgiving if I do something wrong or did not follow proper etiquette.

Here is my situation: I created a private, totally locked down, unsearchable, and password protected account and photo gallery on a popular website for hosting photos. The only way this gallery could be accessed was with a private URL and then you would still need the password (its a strong password) to see the photos. Then I sent the private link in an email to ONE person from my gmail account to their yahoomail account.

I am tracking visits with Google Analytics and I know almost all the visits, they are either my own or the person I sent the link to. Except I cannot explain 4 visits from Russia and how this person was able to find my gallery.

I was able to extract some relevant information from Analytics which I listed below. From this information, I can assume that these visits are all from the same computer, yet from 2 separate locations in Russia. Something I can't explain is why all the normal (mine and my friend's) visits have Hostname listed as the URL of the website where I posted the gallery, however, these unknown visits have Hostname listed as co.lumb.co.

Here's the info, I broke it down by city, first city is Samara and second one is Moscow:

> Location: Russia - Samara Oblast - Samara
> Date/Time: Dec 4 - (1st) 5:28am, (2nd) 12:28pm
> Sessions: 2 (1 New and 1 Returning)
> 
> Aquisition: Referral
> First Source: ilovevitaly.com
> Second Source: forum.topic57207714.darodar.com
> 
> Page URL: /
> Hostname: co.lumb.co
> Screen name: co.lumb.co/
> Second Page: not set
> Exit Page: /
> Exit Screen: co.lumb.co/
> Page title: (1st visit) Co.lumb CoOrdinates yoU (2nd visit) Co.lumb
>
> Service Provider: cjsc company er-telecom samara
> Network Domain: ertelecom.ru
> Language: ru
> 
> OS/Browser: Linux i686, Firefox 33.0
> Screen Resolution: 1366x768
> 
> ---------------------------------------------------------------

> Location: Russia - Moscow - Moscow
> Date/Time:
> 1st visit - Dec 6, 3:37pm
> 2nd visit - Dec 9, 9:36pm
> Sessions: 2 (Both Returning Visitors)
> 
> Aquisition: Referral
> First Source: forum.topic57207714.darodar.com
> Second Source: forum.topic57207714.darodar.com
> Page URL: /
> Hostname: co.lumb.co
> Screen name: co.lumb.co/
> Second Page: not set
> Exit Page: /
> Exit Screen: co.lumb.co/
> Page title: (1st visit) Co.lumb (2nd visit) Co.lumb
> 
> Service Provider: hosting telesystems network
> Network Domain: (1st visit) hts.ru, (2nd visit) ht-systems.ru
> Language: ru
> 
> OS/Browser: Linux i686, Firefox 33.0
> Screen Resolution: 1366x768
Greenwall
  • 151
  • 1
  • 1
  • 3
  • 1
    Page URL: / unless I'm mininterpreting the output, this means they reached the root of your web server, which they can do via the IP alone.. I was originally thinking about a bot that scans the entire IP address space but it wouldn't have triggered the analytics script... so maybe it's a bot that scanned your site previously and then its human operator decided to take a look out of curiosity ? –  Dec 10 '14 at 15:58
  • 6
    Once you attach to Google Analytics, it is no longer "private and unsearchable". And it appears that a link to your site made it to a forum ... – schroeder Dec 10 '14 at 18:44
  • 1
    And you're not the only one: https://wordpress.org/support/topic/a-non-existent-page-is-showing-up-on-my-analytics – schroeder Dec 10 '14 at 18:46
  • 2
    I wouldn't put too much stock in the referrals. Referer (sic) headers are often spoofed by unsavory bots to drive traffic back to those sites. – pseudon Dec 11 '14 at 02:03
  • 1
    Two possibilities I can think of for the alternate hostname: (1) under certain circumstances, host can be spoofed; (2) if you are on a shared server, access via IP address may yield another hostname on the server. Either way, you may want to dig into your web server settings, and possibly do some blocking in the server or via .htaccess. – pseudon Dec 11 '14 at 02:10
  • It seems to have started a couple of days ago - more discussion on this same subject are here and here – Uri Agassi Dec 12 '14 at 11:10
  • Hey, check out this blog post http://egenie.biz/russian-spam-traffic-from-darodar-com-co-lumb/ . The author covers traffic from Moscow and samara comming from co.lumb.com . The email of your friend and your emails are ok. They are just sending that info straight to your GA account. Simply put it's an "attack to your Google Analytics attack. And they do you so you click on link to see what's that traffic and follow it to the source. Which will lead you to a refferal link. You click it out of curiosity and the you generate revenue for them. – sir_k Jan 22 '15 at 14:16
  • Let me guess, your Google Analytics account number is 57207714. If you clicked on the link, then the spammer then knows the IP address associated with the administrator of the website of the Google Analytics account number 57207714. The redirect is a decoy. It's that simple. – William Entriken Mar 18 '15 at 18:39
  • Note that Google Analytics is not a good tool to use for intrusion detection - any serious attacker will simply block the analytics domain on their machine since it is client-side. – SilverlightFox May 13 '15 at 08:44

4 Answers4

4

There are multiple possible explanations.

  1. The first one and the most likely (especially if the secret part of your url is not that long), is plain and simple bruteforce. If you're on a popular website, it really shouldn't surprise anybody that they are being scanned in order to find some juicy hidden urls. Given the fact that they are hitting your page with another hostname, I'd guess it's a pretty credible possibility.

  2. The second one is that since you communicate with third parties on your page, your url was eventually leaked & sold (by google analytics, by the website host, etc).

  3. The third one is that at some point, either your connection to the website or your email has been sniffed. In both case, your website eventually ended on a list of urls to scan.

Community
  • 1
Dillinur
  • 468
  • 3
  • 7
  • 3
    or your friend forwarded it on. Or their email was compromised. etc... – Rory Alsop Dec 10 '14 at 15:26
  • 1
    Thank you Dillinur, and thank you commenters. I have good reason to believe the email to my friend was sniffed or otherwise compromised. Is there any way to test or find out if it was compromised on my end or my friends, or if it was sniffed somewhere in between? I use gmail from a browser and my friend uses a mail program to read their yahoomail. What can I do to secure my emails and prevent this? Can I use gmail's secure mail plugin for chrome to send encrypted email to a yahoomail account? Would that work? What else can I do? Thank you very much for taking the time to help! – Greenwall Dec 11 '14 at 07:26
  • 1
    The emails are ok. They are targeting his Google Analytics account. Apparently it's quite common. – sir_k Jan 22 '15 at 14:24
2

This is so called referrer spam. The spammer hit your Web property by trying property IDs randomly. This type of spam doesn't require intrusion into your site or your Google account. It doesn't even require sending requests to your site. For more background and solutions to filter out these fake page views, see the following article:

http://veithen.github.io/2015/01/21/referrer-spam.html

Andreas Veithen
  • 163
  • 2
  • You are correct. More discussion here. http://www.blackmoreops.com/2014/12/19/darodar-com-referrer-spam/ – EdgarT Oct 05 '15 at 06:25
1

There are several harmless possible explanations for this.

If your website recently got a new IP address, it's possible that some misconfigured DNS or browser is set to cache the name for too long and is redirecting a website that used to be in your IP address to you. The visitor from that area probably tries to visit another website, and their browser receive your machine's IP address that used to belong to the other website.

Another possibility is that if you are sharing your IP address with another server, which is common in virtual hosting scenario, a misconfigured server could be redirecting the wrong traffic to the wrong virtual host.

Or it may just be Internet Background Noise.

Lie Ryan
  • 31,459
  • 6
  • 70
  • 94
  • 2
    After more research, I think it's been decided that this is referer spam, the wordpress thread on this was very helpful: https://wordpress.org/support/topic/a-non-existent-page-is-showing-up-on-my-analytics/page/2 – Greenwall Dec 13 '14 at 05:27
1

Unbelievable, apparently these redirect to affiliate links, I noticed the same thing in my referrals and followed the link (incognito) and got a redirect to an aliexpress affiliate link.
And I am not alone, read this: http://www.sudorank.com/guide-how-to-block-darodar-referral-spam-to-your-website/ this guys got an amazon affiliate link.

So maybe this is a rather clever/bizarre experiment in tricking people to follow affiliate links.

So the way it works is that they make significant number of request with that referral to your website, then they will show up in your stats, you will be curious to see where is all these new traffic coming from and follow the link and baaam, you get the cookies and make them a bit of money :)

Ali
  • 733
  • 1
  • 10
  • 18