Strange referrer


Noticed a few days back that all of a sudden that top of this sites stats everyday seemed to from this weird address I hadn’t heard of before…

Now being the curious type I started to wonder what it was all about – Alfie – but being the suspicious type I didn’t just click it, like a number of folks seem to have done, to find out, but a quick Google and up comes a number of sites where people are asking the same questions. Where’s it from and what’s it doing.

So a quick squizz at this Google analytics forum thread, looks to have some answers. China is the answer to the first question but is it just old fashioned referrer spam or is it something more malicious. Well it may look like it’s a good job that I didn’t click the link to check. Much talk of malware. More details on what precisely… seems that this may be a new variant of trojan.adclicker, as reported by Threatexpert, which places cookies on the user’s computer then generates false hits on various websites and displays malicious adverts over the top of a website’s pages…

It is also believed that if a webmaster clicks on the link via their logs, it displays the animated graph and possibly tries to download malicious software onto their computer. Some webmasters have also reported changes to their website upon noticing this traffic such as php-injections. HubPages

…great. A quick look through the files on the site with FileZilla to see when they were modified to find any anomalies, thankfully nothing looked out of the ordinary.

So what to do about it well the IP address isn’t static so individual banning is out of the window, could of course ban the whole of China, but is that overkill some Chinese folks out there might be interested in the crap posted here – I said might be – and my .htaccess file is big enough as it is.

So in the Google thread there’s a post from AurelloSoft suggesting the fix of placing the below in the.htaccess file.

SetEnvIfNoCase Referer "^qq829" TOBLOCK=1
SetEnvIfNoCase Referer "^cnzz" TOBLOCK=1

<filesMatch "(.*)">
Order Allow,Deny
Allow from all
Deny from env=TOBLOCK

I did this but the hits kept coming, until someone pointed out that it works if you put it before the WordPress code in the file and since I did that it does look to have worked. No mention in the referrers stats since.

If it doesn’t work for you AurelloSoft have another possible solution, again for the .htaccess file of…

RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} [NC,OR]
RewriteCond %{HTTP_REFERER} [NC]
RewriteRule .* - [F]

So if you’ve got the site showing up in your stats – the bit will be replaced by your site domain – then don’t click it and get blocking the bastards…

Leave a Reply

Your email address will not be published.

Required fields *

This site uses Akismet to reduce spam. Learn how your comment data is processed.