MicrostockGroup Sponsors

Author Topic: I got weird sudden traffic increase from Romania?  (Read 4177 times)

0 Members and 1 Guest are viewing this topic.

« on: October 09, 2015, 12:43 »
It has been a while since my last post, however,  something weird happened to my site recently which might be of interest to the ones selling images from their own sites and at the same time I would welcome inputs from your theories.

I haven't added any photos on any sites including mine for over a year. Got busy in other stuff and sort of lost a bit the interest.  Despite this, still getting $400-500 a month from approx 1200 images.

Since 2011, from my site I never got more than $5-6 every two months and according to Google Analytics never more than 4-10 unique visitors a day, however, recently, in the last 7-8 days this has jumped to an average of 60-80 unique visitors a day.

After further examination through Google Analytics, most of that traffic is from most of all the towns in Romania and they all appear to be from legit IP addresses. They all follow similar patterns to get to my site. Most of them google my name "denis pepin" and than click on one of my photos of a coyote directing them to my site landing on a secondary page called "Images in Action". Then, they click again on that coyote to see it bigger. Thereafter they flip to the next 2-3 images in that gallery an then exit.

For the last few days, this has been going on hundreds of times from diffrent towns, different computers, tablets, phones, browsers ect.. but mostly from Romania? The only differences in the pattern is the number of images being flipped after seeing that first coyote.

Of course no sales.

Not all googles from all countries can see that coyote on the first page when my name "denis pepin" is googled, however, google from Romania "" and a few other European countries can see it.

The big question is, how someone would know me and why someone would google  "denis pepin" just to see a coyote. Why not just google "coyote"

Could it be fake traffic? Could it be that a small script took control of all those computers? But why someone else would do this without any benefit?

Maybe Leaf with all his experience or someone else could shed some light. I just love puzzles. Thanks

« Reply #1 on: October 09, 2015, 17:52 »
Well, I live in Romania and havent seen you on the news here so dont think youve become an overnight sensation.

We have very cheap and very fast internet so, unfortunately, its a good place both to set up offshore/nearshore internet development businesses and to initiate hacking to attempt things like PHP email injection (to use someone else's site to broadcast spam). It may well be that your site is being explored for such potential weaknesses (I didnt check it to avoid you further worry about Romanian IP addresses!) but can take a look if you like.

I run several sites which have registration facilities and have concerted attacks on them from would-be Ukrainian and Russian spammers who use multiple IP addresses (but often within a range) apparently from different cities though probably just using proxies. Depending on your operating system there are various methods of blocking specific IP addresses, ranges or whole countries.
« Last Edit: October 09, 2015, 19:57 by douglas »

« Reply #2 on: October 10, 2015, 07:20 »
Douglas, thanks for your input. My site is powered by photodeck, hence the look of it is just a skin on top of their structure, for which, with all their expertise, would make such a scenario, such as PHP email injection, less likely but I guess, not totally impossible.

You are welcome to check if you wish.

Since my last post, a similar pattern has evolved into other european countries as well. Here below is a visitors path sample from Stacounter which is the same as Google Analytics but in a simpler format. At first, Romania visitors would google my name to access my site (like the Czech visitor did in the example below), thereafter, they would access it without the help of Google.  I did write to Photodeck support and waiting for their response.

Orange Romania ( [Label IP Address]    (0 returning visits)
10 Oct
10 Oct
10 Oct
10 Oct
10 Oct
10 Oct
10 Oct
10 Oct
07:18:29 (Exit Link)

Rcs & Rds Residential ( [Label IP Address]    (0 returning visits)
Craiova, Dolj, Romania
10 Oct
10 Oct
10 Oct

O2 Czech Republic ( [Label IP Address]    (0 returning visits)
Tabor, Jihocesky Kraj, Czech Republic denis pepin
10 Oct
10 Oct

« Reply #3 on: October 10, 2015, 14:18 »
Hi Denis
Curiosity got the better of me and I had a quick look at your site. I wouldnt mess with a photographer who can look that manic  :)

The fact that youre just skinning an established providers white label product is good on the security front but a hacker is not going to know whether its secure or not before trying, in this case, javascript injection.  Im not a hacker and really just know the basics from working for banks who often make the most basic of security mistakes.  I was able to pop up a box to display any set cookies with javascript (alert:document photodeck will know if you tell them). Either there are no cookies set or they are hidden which is even better. I would think though that, because you are using a javascript form submission, it should be possible to inject another email address into it with void(document ...). Again, photodeck will know.   

This is all pretty theoretical, youre not the Pentagon, most 'attacks' are just to pick up some email addresses or try to use your server to send, or spoof sending, their spam and you will see meaningless (other than the email address) data in your incoming contact form data which you can delete or ignore. Presumably you dont send out blanket emails to everyone who has contacted you via the form anyway.

I dont know what the double access of the site is about but, generally, thats how I can recognise these attacks/probes on my own sites, two accesses in quick succession from the same IP address. I looked for the addresses which were hitting your site but they didnt match. Poland seems to be flavour of the week for me!

I used a UK proxy with IP address beginning 37.9 if any suspicious activity shows in your logs.   
Dont think you have much to worry about but good luck.

« Reply #4 on: October 12, 2015, 10:23 »
Douglas, I did get a response from photodek regarding the unusual high traffic from Romania (and now spreading from other European countries) as per following:

Hello Denis,

This is very hard to tell, but from what you describe it does sound like
automated traffic indeed. I don't see many pages being accessed though,
that would be a tell-tale sign. It might also be that a link to your
website was posted on a Romaninan forum.

The best way to make sure is to double-check with Google Analytics if
you use it. Automated bots usually don't use Javascript and therefore
don't trigger Google Analytics.

Kind regards,

As I mentioned  I use google analytics and therefore, like you said Javascript could maybe have been used to do the automation. I presumed if I had a link posted on a Romanian forum that it would have shown in Google Analytics, but so far the source is only from google or directly. The traffic is still getting larger every few days.  I'll probably break over 150 unique visitors today, which is a record for me, 77 so far at 11:21am. Denis

« Last Edit: October 12, 2015, 10:27 by cybernesco »

« Reply #5 on: October 12, 2015, 13:22 »
I have a lot of automated traffic too, but from Unated States, different states and cities. But yesterday from Germany 16000 hits.


Related Topics

  Subject / Started by Replies Last post
2 Replies
Last post December 05, 2006, 09:16
by ichiro17
7 Replies
Last post March 13, 2007, 07:24
by mangia
7 Replies
Last post September 09, 2010, 08:01
by jbarber873
14 Replies
Last post February 06, 2013, 17:16
by jamirae
71 Replies
Last post September 24, 2015, 06:37
by dirkr


Mega Bundle of 5,900+ Professional Lightroom Presets

Microstock Poll Results


3100 Posing Cards Bundle