Zombie Bots Part Deux – They’re Back

Way back last year, I wrote about how one of my sites was under attack by some kind of zombie robot traffic – all without referrers, all reporting IE browsers, from all over the world, just coming and coming and coming, until almost two months later on the nose, the attack stopped, as mysteriously as it started.

Well guess what, boys and girls – THEY'RE BAAAAACK!

On November 12, 2013, the same site that was hit before started showing a huge increase in direct traffic. In many ways it looks very similar to the previous attack, but there are some important differences this time around.

Samesies:

  • The site under attack is the SAME site that was hit before – and (so far) ONLY this site has been hit.
  • Still not reporting any referrers
  • Many ISP and IP numbers from all over the world
  • All reporting Windows (XP through Windows 7 – NO Windows 8, and 95% Windows 7)
  • All reporting IE browsers (versions 8 and up)
  • Still executing javascript (as it shows up in Google Analytics, but does NOT appear to be clicking anything)
  • Still a slow drip – never enough to count as a DDOS, but just enough to be annoying and stand out.
  • Many of the same IP numbers come back two or three times a day.

New and Updated for 2013:

  • This time, reporting some mobile sized viewports; previously mostly laptop viewports.
  • Last time, the attack only hit the home page of the site. Now it's hitting the home page plus three taxonomy pages.
  • Last time they started big, and slowly tapered down. This time (as evidenced by the screenshot below) they started slow, and are ramping up.

Since they're hitting an AdSense site, we're now serving AdSense only to users with some kind of referrer.

It's interesting also to note that they're not hitting any taxonomy pages that were added since the last attack.
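The footprint listed above (no referrer, IE 8 or newer, Windows XP through 7 but not 8, only the home page and three taxonomy pages, the same IPs returning during the day) turned into detection logic over Apache combined-format access log lines. This is an added example, not the author's or their host's code; the taxonomy paths and the log lines are constructed, and the Deny lines it emits follow the .htaccess blocking the author describes in the comments.

```python
import re
from collections import Counter

# Apache combined log format; the sample lines further down are constructed for this example.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# The post says only the home page plus three taxonomy pages are hit; these paths are assumed.
TARGET_PATHS = {"/", "/category/alpha", "/category/beta", "/category/gamma"}
MSIE_RE = re.compile(r"MSIE (\d+)\.")
WINDOWS_RE = re.compile(r"Windows NT (\d+)\.(\d+)")

def matches_footprint(rec):
    """True when a request shows every trait the post lists for the zombie traffic."""
    if rec["path"] not in TARGET_PATHS or rec["referer"] not in ("", "-"):
        return False                      # only the four pages, only direct (no-referrer) hits
    ie = MSIE_RE.search(rec["ua"])
    if not ie or int(ie.group(1)) < 8:    # reports IE 8 or newer
        return False
    win = WINDOWS_RE.search(rec["ua"])
    # Windows XP is NT 5.1 and Windows 7 is NT 6.1; Windows 8 (NT 6.2) is never reported
    return bool(win) and (5, 1) <= (int(win.group(1)), int(win.group(2))) <= (6, 1)

def scan(lines):
    """Return the matching records and a per-IP hit count for a batch of log lines."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and matches_footprint(m.groupdict()):
            hits.append(m.groupdict())
            per_ip[m.group("ip")] += 1
    return hits, per_ip

def repeat_offenders(per_ip, min_hits=2):
    """IPs that came back more than once: the 'two or three times a day' pattern from the post."""
    return sorted(ip for ip, n in per_ip.items() if n >= min_hits)

def htaccess_deny_lines(ips):
    """Apache 2.2 'Deny from' lines to drop into an existing Order/Allow block in .htaccess."""
    return [f"Deny from {ip}" for ip in ips]

SAMPLE_LOG = [  # constructed; documentation (RFC 5737) addresses, not real visitors
    '203.0.113.7 - - [12/Nov/2013:08:14:02 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"',
    '203.0.113.7 - - [12/Nov/2013:15:41:50 -0500] "GET /category/beta HTTP/1.1" 200 4880 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"',
    '198.51.100.4 - - [12/Nov/2013:09:02:11 -0500] "GET / HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/30.0 Safari/537.36"',
    '192.0.2.99 - - [12/Nov/2013:10:30:00 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"',
    '192.0.2.50 - - [12/Nov/2013:11:00:00 -0500] "GET /about HTTP/1.1" 200 3000 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"',
    '198.51.100.77 - - [12/Nov/2013:13:25:09 -0500] "GET /category/alpha HTTP/1.1" 200 4700 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"',
]
```

Running `scan(SAMPLE_LOG)` flags three of the six lines and reports 203.0.113.7 as a repeat visitor; the Chrome hit with a Google referrer, the Windows 8 hit and the hit on /about all fall outside the footprint.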

[Screenshot: November 12, 2013]

Will they suddenly stop on January 12, 2014 having completed their mission? What is their mission, anyway? The site is otherwise perfectly healthy, and performing well in all channels; there's no hacking (nor even hacking attempts) and as far as I could tell the bots weren't even trying to click on the ads (I just took them off to be safe). I have read about some Windows viruses that hit particular sites over and over, checking in for some kind of remote-control instructions telling them what to do next, but I'm pretty sure I don't have anything like that on this site.

Mostly I have no answers; I am just posting this because I got so many responses and emails about the last attack, and I wanted to put this out there to see if anyone else is getting hit again too.

Lemme know.

Comments

  1. Jennifer Hayes says

    Yes, I noticed a 100% surge in traffic last week. Since we don’t get a lot of traffic, I thought it was just an abnormal thing for a couple of days. Today, I dug a little further and noticed it was all direct traffic, usually with one page view per visit (the homepage). All the hits are from Woodbridge. I’ve found similar problems described elsewhere but no fixes. http://www.webmasterworld.com/analytics/4420174.htm. Would love to get to the bottom of it.

    • Wish I could give you an answer, but I don’t have one. They’re still at it on the one site. Although if all the hits are from Woodbridge – are they all the same IP number? My bot traffic is coming in from all over the world. You might be able to block yours.

      • Jennifer Hayes says

        Yes, unfortunately. They are all different IP numbers… Will be interested to watch your updates!

  2. Louie Guarino says

    Are you viewing your traffic in Google Analytics? The bots attacking my site don’t show there; they show up in my server logs and StatCounter. I bought the domain and later found I had bought its bots too. Before I knew that, I added AdSense and would get as many as 11 clicks at a time and then they would disappear. I would constantly check and see that this was happening all day long. For example I would see 5 clicks, 2 clicks, 0 clicks, 9 clicks, 0 clicks and so on all throughout the day. I let this go for a couple of days so I could try and track it but couldn’t. I removed AdSense before I was penalized. The bots were coming from everywhere but unlike yours they had referring URLs. I bought the site for AdSense income so now it’s essentially useless. I have looked all over the web for a solution but have found nothing. The thing that confuses me is everyone says that their invalid clicks remain but the earnings disappear. For me the clicks and the earnings disappear. I tried the Google AdSense forum but nobody replied. I’m surprised there is not a lot of information on this topic; a lot of people seem to be struggling with it.

    • Ok that’s a different kind of bot – the ones that click on ads. I have those too, and I can’t find them in either StatCounter or Google Analytics. But they must be executing javascript, otherwise they wouldn’t be able to click on the ads. So I don’t know how they work; I’ve repeatedly asked Google for information but they won’t give me any – they just say they can identify the bots and my account is not in jeopardy. Which is frustrating, but there’s nothing I can do about it. As far as I know, there is no solution; we just have to let Google handle that kind of bot, and hope our accounts are safe.

  3. I had a site, actually I should say, I purchased a domain and never got a chance to use it because of this exact issue. The funny thing is I never published or even shared the domain name with anyone – EXCEPT when I purchased business cards for the site a week after purchasing the domain. Within 48 hours of making that purchase, this nefarious bot traffic began (to the tune of thousands per day).

    Nothing on the site except a blank index.html page, never loaded with any software of any kind, the site has had nothing and the domain was never owned by anyone else (that I can find). So what in the world led them there? And why do they keep coming back to a blank page? It’s been almost a year now.

    I have a sneaking suspicion that my business card order triggered the whole thing, in some way. It wasn’t my domain name order, to my knowledge, because I ordered 3 other domains at the same time and not one of them has any problems. Can’t blame it on WP or Adwords b/c they never existed on this site.

    I know what you’re thinking but I didn’t use a free-for-your-personal-data business card site, I used a professional US based publisher that’s quite popular and that I thought was legit. Now I wonder. If you ever solve the problem, be sure to let us all know how! As it is, I can afford to let this unused site go, so I guess it’s just a lesson learned (? what lesson I dunno…).

  4. The Hacker Mind…

    I wanted to provide the community some basic insights into why this is happening, but first I must offer some basic concepts. Hackers exist in basically two forms, WhiteHat (Angels) and BlackHat (Devils). WhiteHats might be compelled to direct bot traffic at a website to disable their AdSense because the offending site has borrowed (stolen) content, and thus is correcting the immoral act. BlackHats, on the other hand, are disabling their competition and their ability to generate revenue, or you may have angered them in a forum/social media and now they are targeting you.

    These cyber misdemeanors are much more complex than I have described, but this should provide you a small insight into the intentions and drive of such offenses.

    If anyone is interested in finding out more about this topic, please email me at [email protected]

  5. boecherer says

    We do some basic web hosting for our clients and one of the sites has been hit with a HUGE amount of traffic of this sort. I’m talking about 500,000 page views or more – and only to the home page and they don’t wait long enough for the page to be sent in response.

    We moved the site to GoDaddy hosting for a bit and the change in IP address didn’t make a difference. We finally routed the traffic through CloudFlare.com, which helped to mitigate the traffic making it to our site.

    If the traffic was targeting an IP address then the traffic should have stopped when we moved to GoDaddy, and since we’re hosting multiple sites on the same IP address and none of the other sites are being hammered, it must be going to the domain name.

    This has been happening for about a year now. This client of mine is using someone to do SEO and we thought she might have paid a company to generate hits to make it look better for her services, but the hits don’t even register as valid traffic and we asked her about it and she denied it. If she did do it, then I would think she would have stopped it since it wasn’t making her look any better since the hits don’t register.

    I’ve noticed in the attached image that it shows 17M regular traffic page views and only 12 unique visitors. I’ll have to investigate that since in the past, there were MANY, MANY more unique IP addresses as the source. This 12 number seems to imply that there are only 12 IP addresses hitting the server now, which could mean that we could block those IP addresses and report them.

    Does anyone have any insight on the attached CloudFlare report?

    And Netmeg, does this sound similar to what you are experiencing? And have you gained any more insight since you posted this update last December?

    Frank

  6. Hi

    Our website is having the same issue. They are showing up in Google Analytics. And we are stumped how this happened. Looking for answers???

    • About 30000 visitors in the last 4 hours. How do we stop this? Some of the traffic came from porn sites.

      • When you say the traffic is coming from porn sites, do you mean there are links on porn sites to your site? Because that would be a different type of attack than mine.

        I don’t know of any way to STOP the attack that I have; the best I could do was kind of mitigate it a bit. I installed Piwik Analytics (which gives me IP numbers of visitors) and once I figured out the footprint I wanted to isolate (direct traffic with no referrer, only four pages affected, reports as IE browser, time on site usually less than 5 seconds) I created an advanced segment to isolate that traffic, and then I just started blocking IP numbers. After a few weeks, my .htaccess file got so big it was affecting performance, so my host gave me a little perl script to weed out the bots that hadn’t visited in a while. It’s a lot of work, and I had to abandon it for a while when my seasonal traffic got too big to handle. But stopping it? I don’t know of any way to do it. The traffic I’m getting has all the signs of coming from infected Windows PCs.

        • What you describe is similar to ours. The attack is isolated to a handful of pages. It is not just porn sites. It is any sites affected by some type of malware, I believe. It looks like some type of evil advertising network. The clicks are showing up as legitimate traffic under Google Analytics. And when I check the source of those sites, I am not seeing the link in the source. This type of attack is not a DDOS attack although it did slow down the server somewhat. It appears to be some type of way to hurt the website’s reputation. May I make a suggestion? Try doing a redirect, on the affected pages, to a 404 error page or a different empty page, using htaccess, and once the attack has been isolated, set up some kind of extra layer of security such as a CDN.

        • Do the following. Set up a redirect on the affected pages using htaccess. Then rename the pages. Set up some type of CDN for your site as an extra level of security, such as Cloudflare. They offer a free service. The solution you proposed is not a scalable one for us, as we were getting 10000 visits per hour when the attack was strongest. I posted another comment but you erased it so I am doing a shorter one. That solution worked for us.

          • Uh no. One of the affected pages is the home page, and the other three are the primary taxonomy pages. No way am I going to redirect or rename them. I actually tried Cloudflare (paid version) and it didn’t help a bit. You’re right that the solution isn’t ultimately scalable (I had to turn it off when my seasonal traffic picked up) but while there are a lot of visits, many of them are return visits and blocking those IPs brought the traffic way down – till more machines got infected. (No, I didn’t erase your comment. It probably went into the moderation)

  7. Gwen Gurley says

    Hi there. I work for a company that specializes in blocking this kind of bot traffic. I can’t speak to everyone’s problems here, but if these issues are having serious effects on your site and your ability to increase your site’s ranking you may want to seek out some sort of solution like the one we offer. My company’s name is Distil Networks. I hope you all have managed to find a way around the bot traffic one way or another!

  8. My guess is you have way more bot traffic than you figure. It’s not that difficult to spoof user agents, including the most common bots. Those log files are worthless. If you really want to follow your human traffic then you’re going to have to use scripts and log specific events. It doesn’t take much. A simple session counter will do. Once you identify bot traffic vs. human traffic, start limiting content to the bots; then the other bot attacks will go down. I’ve had some success with this approach. You can even go as far as creating content specifically for the bots, but I’ve found that it doesn’t improve traffic, so what is the point?

    If anyone has any alternate solutions I’d like to give them a try.

  9. Tom Liberman says

    We experienced our first episode of this overnight, Oct 28/29, 2015. Exactly as described. Anyone else have this happening again?

  10. Been getting slammed the past 2 days (Oct 28/29 2015)… Does anyone have a full list of IPs? There’s just too damned many; by the time I isolate and block 50 or so there’s another 100 hitting me…

    • There’s no list of IPs – I’m pretty sure it’s just infected PCs, all over the world. For a while I was blocking 500 to a thousand IPs per day, but after a while I just gave up. And eventually, it went away. Sorry to hear it seems to have started up again for some sites.