How does this hack with referrers work?
-
I downloaded the log file from the web server and found many strange entries. Why is a statistics script called so terribly often? What do all the junk referrers do there? Looks like some misconfiguration of the Plesk software for managing IIS. Literally hundreds of times a day, http://cydas.org/plesk-stat/webstat/AWStats/cgi-bin/awstats.pl?framename=mainright&output=refererpages is called. This shows the referrer statistics for the web site - virtually none of them are related to cytogenetics (that's what the web site is about). Most of them are dubious domains. The statistics page does not show query parameters, as they are required for a good link to YouTube. But the logs show many referrals from YouTube (most of them say: "This video is no longer available because the YouTube account associated with this video has been terminated.", but one is still available and bears the title "Generateur de Code PaySafeCard - Gratuit Code PaySafeCard" - criminal content, I guess). What are your experiences with such a strange thing, how does this kind of hack work, and more importantly: how to prevent it?
Edit: With a Google search (for awstats.pl and further search terms), I found some more web sites which are infected in the same way, and fake "user profiles" which link to the statistics page as their "home page".
-
I'd like to add some further thoughts about that problem. The awstats.pl script provided a page with links - and everyone could add his favorite to this list: just send a GET request to any page of my site with a forged referer (any library for sending HTTP requests allows for setting any referer), and it will then show up on the script page. Why would you want to do so? It is believed that you get a better rank with search engines when your site is linked from many other sites. And in fact, several "referers" contained "seo" (as in Search Engine Optimization) in their domain/subdomain or page name. And many other sites were likely added by such SEO bastards. Actually, back in 2010 a Russian web pharmacy was the first to massively use my site for that purpose. But there is another group: they show "cheats" for games, provide links to cracked games, or even more criminal key generators. I guess they simply try to obfuscate their origin - my page is linked from somewhere, from here you get to a YouTube video explaining their hack and showing a link to the next page to get the desired product. Perhaps other uses are possible, but that's the idea I've come up with.
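A log check for the pattern described in the post above, as an added example that is not part of the original thread: it parses an IIS W3C log and lists external referrer hosts whose clients never followed up with a request carrying an on-site Referer, and counts hits on the AWStats referrer report. The log lines, the field set and the follow-up heuristic are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

OWN_HOSTS = {"cydas.org", "www.cydas.org"}  # the site named in the post

# Constructed sample in IIS W3C extended format (not real log data).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query cs(Referer) sc-status
2013-05-01 10:00:01 198.51.100.7 GET /index.html - http://seo-example.invalid/links.html 200
2013-05-01 10:00:02 198.51.100.7 GET /index.html - http://seo-example.invalid/links.html 200
2013-05-01 10:00:05 198.51.100.9 GET /about.html - http://cheats-example.invalid/ 200
2013-05-01 10:01:00 203.0.113.20 GET /index.html - http://university-example.invalid/genetics.html 200
2013-05-01 10:01:01 203.0.113.20 GET /style.css - http://cydas.org/index.html 200
2013-05-01 10:02:00 198.51.100.30 GET /plesk-stat/webstat/AWStats/cgi-bin/awstats.pl framename=mainright&output=refererpages - 200
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def suspicious_referrers(text, own_hosts=OWN_HOSTS):
    """Heuristic (assumption): {external referrer host: hits} for hosts whose
    clients never sent a later request with an on-site Referer."""
    hits, clients, browsed = defaultdict(int), defaultdict(set), set()
    for row in parse_w3c(text):
        host = (urlsplit(row.get("cs(Referer)", "-")).hostname or "").lower()
        if not host:
            continue  # "-" means no Referer was sent
        if host in own_hosts:
            browsed.add(row.get("c-ip"))  # client fetched something from our own pages
        else:
            hits[host] += 1
            clients[host].add(row.get("c-ip"))
    return {h: n for h, n in hits.items() if not (clients[h] & browsed)}

def stats_page_hits(text):
    """Count requests for the AWStats referrer report quoted in the post."""
    return sum(1 for r in parse_w3c(text)
               if r.get("cs-uri-stem", "").lower().endswith("/awstats.pl")
               and "output=refererpages" in r.get("cs-uri-query", ""))

print(suspicious_referrers(SAMPLE_LOG), stats_page_hits(SAMPLE_LOG))
```

Hosts it reports are candidates for review, not proof: clients that share an address or suppress the Referer header can skew the result in either direction.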