Author Topic: I got weird sudden traffic increase from Romania? (Read 5182 times)

cybernesco · « **on:** October 09, 2015, 12:43 »

It has been a while since my last post, however, something weird happened to my site recently which might be of interest to the ones selling images from their own sites and at the same time I would welcome inputs from your theories.

I haven't added any photos on any sites including mine for over a year. Got busy in other stuff and sort of lost a bit the interest. Despite this, still getting $400-500 a month from approx 1200 images.

Since 2011, from my site I never got more than $5-6 every two months and according to Google Analytics never more than 4-10 unique visitors a day, however, recently, in the last 7-8 days this has jumped to an average of 60-80 unique visitors a day.

After further examination through Google Analytics, most of that traffic is from most of all the towns in Romania and they all appear to be from legit IP addresses. They all follow similar patterns to get to my site. Most of them google my name "denis pepin" and than click on one of my photos of a coyote directing them to my site landing on a secondary page called "Images in Action". Then, they click again on that coyote to see it bigger. Thereafter they flip to the next 2-3 images in that gallery an then exit.

For the last few days, this has been going on hundreds of times from diffrent towns, different computers, tablets, phones, browsers ect.. but mostly from Romania? The only differences in the pattern is the number of images being flipped after seeing that first coyote.

Of course no sales.

Not all googles from all countries can see that coyote on the first page when my name "denis pepin" is googled, however, google from Romania "google.ro" and a few other European countries can see it.

The big question is, how someone would know me and why someone would google "denis pepin" just to see a coyote. Why not just google "coyote"

Could it be fake traffic? Could it be that a small script took control of all those computers? But why someone else would do this without any benefit?

Maybe Leaf with all his experience or someone else could shed some light. I just love puzzles. Thanks

douglas · « **Reply #1 on:** October 09, 2015, 17:52 »

Well, I live in Romania and haven’t seen you on the news here so don’t think you’ve become an overnight sensation.

We have very cheap and very fast internet so, unfortunately, it’s a good place both to set up offshore/nearshore internet development businesses and to initiate hacking to attempt things like PHP email injection (to use someone else's site to broadcast spam). It may well be that your site is being explored for such potential weaknesses (I didn’t check it to avoid you further worry about Romanian IP addresses!) but can take a look if you like.

I run several sites which have registration facilities and have concerted attacks on them from would-be Ukrainian and Russian spammers who use multiple IP addresses (but often within a range) apparently from different cities though probably just using proxies. Depending on your operating system there are various methods of blocking specific IP addresses, ranges or whole countries.

cybernesco · « **Reply #2 on:** October 10, 2015, 07:20 »

douglas · « **Reply #3 on:** October 10, 2015, 14:18 »

Hi Denis
Curiosity got the better of me and I had a quick look at your site. I wouldn’t mess with a photographer who can look that manic

The fact that you’re just skinning an established provider’s white label product is good on the security front but a hacker is not going to know whether it’s secure or not before trying, in this case, javascript injection. I’m not a hacker and really just know the basics from working for banks who often make the most basic of security mistakes. I was able to pop up a box to display any set cookies with javascript (alert:document – photodeck will know if you tell them). Either there are no cookies set or they are hidden which is even better. I would think though that, because you are using a javascript form submission, it should be possible to inject another email address into it with void(document ...). Again, photodeck will know.

This is all pretty theoretical, you’re not the Pentagon, most 'attacks' are just to pick up some email addresses or try to use your server to send, or spoof sending, their spam and you will see meaningless (other than the email address) data in your incoming contact form data which you can delete or ignore. Presumably you don’t send out blanket emails to everyone who has contacted you via the form anyway.

I don’t know what the double access of the site is about but, generally, that’s how I can recognise these attacks/probes on my own sites, two accesses in quick succession from the same IP address. I looked for the addresses which were hitting your site but they didn’t match. Poland seems to be flavour of the week for me!

I used a UK proxy with IP address beginning 37.9 if any suspicious activity shows in your logs.
Don’t think you have much to worry about but good luck.

cybernesco · « **Reply #4 on:** October 12, 2015, 10:23 »

Douglas, I did get a response from photodek regarding the unusual high traffic from Romania (and now spreading from other European countries) as per following:

Hello Denis,

This is very hard to tell, but from what you describe it does sound like
automated traffic indeed. I don't see many pages being accessed though,
that would be a tell-tale sign. It might also be that a link to your
website was posted on a Romaninan forum.

The best way to make sure is to double-check with Google Analytics if
you use it. Automated bots usually don't use Javascript and therefore
don't trigger Google Analytics.

Kind regards,
J-F

As I mentioned I use google analytics and therefore, like you said Javascript could maybe have been used to do the automation. I presumed if I had a link posted on a Romanian forum that it would have shown in Google Analytics, but so far the source is only from google or directly. The traffic is still getting larger every few days. I'll probably break over 150 unique visitors today, which is a record for me, 77 so far at 11:21am. Denis