When I go home at night, I usually spend some time working on a non-networking related Web site (so, yes, I have no life - I work all day on a Web site, then for fun I work on another site). Last week, I noticed bandwidth consumption had jumped dramatically, from maybe 500 megabytes a day to 2.2 gigabytes a day.
"Cool!" I thought. But ad banner impressions hadn't gone up at all. And when I looked at the Analog reports, I saw something weird: The logo banner that appears on every page was getting zillions of requests, but the actual HTML pages? No increase. Huh? Why would somebody just be downloading the banner? And why were page requests from hosts in China going through the roof?
Looking at the raw server logs, I noticed that not only was somebody downloading the banner repeatedly - and from one specific domain (I have three domains off the same box) - but they were also using the site to make requests to all sorts of pay-per-click ad-banner networks. For those of you who live for log analysis, here's one example:
www.universalhub.com 221.232.79.8 - - [01/Sep/2004:00:31:21 -0400] "GET http://www.xmlrevenue.com/s.php?keywords=DSL&username=infomenl HTTP/1.0" 200 39857 "http://www.gbahome.com/ads/xmlrevenue.htm" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.1)"
In .htaccess, I blocked off the offending IP numbers. Like the Borg, they adapted. They switched to other numbers and kept coming. So I blocked off whole ranges of IP numbers. They switched to new ranges. I changed the name of the banner. They noticed and started downloading the new file. I *think* I finally have all the IP ranges blocked off (and with them, much of China, I guess), but I have no doubt they have more up their sleeves.
Have any of you noticed any similar activity? If so, did you do anything beyond blocking IP numbers? The one thing that does concern me a bit is the GET command in the logs - are they somehow exploiting a hole in the software I'm using (Drupal)? Any suggestions gratefully accepted!
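The request line in the log above is the tell: an origin server normally records only a path ("GET /node/1 HTTP/1.1"), while a request whose target is a full URL ("GET http://www.xmlrevenue.com/... HTTP/1.0") is what a client sends to a forward proxy. Rather than chasing IP ranges by hand, you can pull both patterns out of the raw log: proxy-style requests grouped by source address and target host, and image fetches whose Referer is a site you do not run. The script below is an added example, not code from the post or from Drupal; it assumes the log layout shown above (a leading virtual-host field followed by Apache's combined format), and every sample line except the one quoted in the post is constructed with RFC 5737 documentation addresses.

```python
"""Flag forward-proxy requests and image hotlinking in a combined-format access log.

Added example, not from the original post. Assumes the layout in the post:
a leading virtual-host field, then Apache's combined log format.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Leading vhost field followed by Apache combined log format (assumption).
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hosts this server legitimately serves (assumption, taken from the post).
OWN_HOSTS = {"www.universalhub.com"}

IMAGE_SUFFIXES = (".gif", ".jpg", ".jpeg", ".png")

# Constructed sample log: the first line is the one quoted in the post, the
# rest are made up for illustration using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
www.universalhub.com 221.232.79.8 - - [01/Sep/2004:00:31:21 -0400] "GET http://www.xmlrevenue.com/s.php?keywords=DSL&username=infomenl HTTP/1.0" 200 39857 "http://www.gbahome.com/ads/xmlrevenue.htm" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.1)"
www.universalhub.com 203.0.113.7 - - [01/Sep/2004:00:31:25 -0400] "GET http://ads.example.net/click?id=42 HTTP/1.0" 200 1203 "http://www.gbahome.com/ads/xmlrevenue.htm" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.1)"
www.universalhub.com 203.0.113.7 - - [01/Sep/2004:00:31:26 -0400] "GET /images/logo.gif HTTP/1.0" 200 8123 "http://www.gbahome.com/index.htm" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.1)"
www.universalhub.com 198.51.100.9 - - [01/Sep/2004:00:32:01 -0400] "GET /node/1 HTTP/1.1" 200 15012 "http://www.universalhub.com/" "Mozilla/5.0"
www.universalhub.com 198.51.100.9 - - [01/Sep/2004:00:32:02 -0400] "GET /images/logo.gif HTTP/1.1" 200 8123 "http://www.universalhub.com/node/1" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_proxy_request(entry):
    """True when the request-target is an absolute URL (forward-proxy style)
    or the method is CONNECT (tunnelling). Origin requests carry only a path."""
    if entry["method"] == "CONNECT":
        return True
    return urlsplit(entry["target"]).scheme in ("http", "https")


def target_host(entry):
    """Host the proxied request was aimed at."""
    if entry["method"] == "CONNECT":
        return entry["target"].rsplit(":", 1)[0]
    return urlsplit(entry["target"]).hostname


def is_hotlink(entry, own_hosts=OWN_HOSTS):
    """Image fetched with a Referer from a host this server does not serve."""
    path = urlsplit(entry["target"]).path.lower()
    if not path.endswith(IMAGE_SUFFIXES):
        return False
    ref_host = urlsplit(entry["referer"]).hostname
    return ref_host is not None and ref_host not in own_hosts


def analyze(log_text, own_hosts=OWN_HOSTS):
    """Tally proxy abuse by source IP and target host, and hotlinks by referer."""
    proxy_by_ip, proxy_targets, hotlink_by_referer = Counter(), Counter(), Counter()
    unparsed = 0
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
            continue
        if is_proxy_request(entry):
            proxy_by_ip[entry["ip"]] += 1
            proxy_targets[target_host(entry)] += 1
        elif is_hotlink(entry, own_hosts):
            hotlink_by_referer[urlsplit(entry["referer"]).hostname] += 1
    return {
        "proxy_by_ip": proxy_by_ip,
        "proxy_targets": proxy_targets,
        "hotlink_by_referer": hotlink_by_referer,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("proxy requests by source IP:", dict(report["proxy_by_ip"]))
    print("proxy targets:", dict(report["proxy_targets"]))
    print("hotlinked images by referer:", dict(report["hotlink_by_referer"]))
```

Run it against the real log with `analyze(open("access_log").read())`; the "proxy_by_ip" counter gives the addresses worth blocking, and a non-empty "proxy_targets" counter on a server that is not meant to be a proxy is the thing to fix at the server rather than in .htaccess, since blocking ranges only shifts the traffic to the next range.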
