Friday, February 10, 2012

A Strange BotNet that Processes Javascript? Signature: Windows / Internet Explorer, New Unique Visitors, Direct Navigation to 1 of 3 pages (evenly divided in thirds), 100% Bounce Rate

I noticed an odd direct traffic spike in Google Analytics.
A fairly large site I monitor started seeing some suspicious traffic around Jan. 26, 2012. Google Analytics reported a direct traffic spike that I initially attributed to a media mention. When I probed into it further, though, I noticed some oddities. The traffic was exhibiting an overly high bounce rate (over 90%) and the traffic spike was limited to Internet Explorer users (all versions). The strange traffic was being reported as all new visitors and was limited to three pages on the site (the main page, and two pages that are off the beaten path). I set up an advanced filter for this signature and the bounce rate was nearly 100%.

Is my site being attacked by a botnet?
At this point I began thinking it was some sort of botnet attack. The visits matching the signature were spread out geographically according to Google Analytics, although they were primarily coming from Canada. Since it was just a thousand or so visits, I thought it would go away on its own. Several days later it mushroomed to 40,000 unique visits matching the signature, this time primarily coming from the US, still geographically spread out though with no dominant network source. Another oddity--the three pages being visited had a neat one-third access distribution across each one. How do 150,000 random people achieve that by chance?

But, do botnets process Javascript?
Now I am second-guessing the botnet assessment. From what I've read so far, botnets don't process JavaScript. If it were a traditional botnet, why would Google Analytics' (and Quantcast's) JavaScript tracking code be triggered?


Why would a Denial of Service attack limit itself to one request?
On the denial of service attack line of thinking, I find it odd that each computer makes only one request.

Is this a new website attack?
I currently have more questions than answers. The attack / odd traffic continues. As I have not been able to find anyone else with this issue I thought I would start a post about it. Please chime in if you have thoughts, ideas, or are experiencing the same thing. I will post back as I learn more.

---2/13/12 Update---
Traffic matching the signature is starting to subside. I've done some analysis of raw access-log files and discovered a few things:
1. IPs made more than a single request. Several sample IPs I explored made 20+ page requests a day distributed across the three URLs. Each one had an empty referrer. They must not have loaded cookies because Google Analytics saw each request as a new visit.
2. Whatever was making the page requests also sent GET requests for css, js, and graphic files referenced in the page.
3. I saw two oddities in the logs when exploring IPs making requests that matched the signature:

  • One IP which made a number of calls to the pages had mixed in among mostly empty referrers this suspicious referrer: http://92zvns0kany7-zitmd.com/ (DO NOT VISIT THIS SITE) followed by a long string of numbers / characters. I did a whois lookup and found it was registered to Club Freedom, Yamir Jayantilal in India. The IP it is hosted on is in Latvia. When I did a Google search on the name server "cnmsn.com" I discovered this site that keeps a log of URLs associated with malicious activity. I didn't find the specific URL but I did find a series of similar URLs (i.e. wcrb8t2r06ufigd.com DO NOT VISIT THIS SITE) listed as "malware calls home." These domains were registered to the same person / club as the one I noted in the logs.
  • Another abnormal series of entries for an IP that made calls to the same pages also had entries for GET requests to: /crossdomain.xml and /text/javascript 
I am not sure how these two relate to the rest of the requests because I am not finding other IPs with the same oddities. On the other hand I am wondering if this could be some type of malware related activity. Are malware infected computers attempting to phone home to my website? I've done a comparison of the three pages to the file versions stored in our Git repository and am not finding any discrepancies. 


---2/19/12 Update---
Just when I thought I could post that the non-human traffic had officially disappeared... it returned. This time it is just hitting one of the three pages it previously hit. I added a graph above from Google Analytics showing just the traffic that matches the signature of the odd traffic.

---4/21/12 Update---
An update on the Unidentified Non Human Web Traffic (AKA: Zombie Robots, Cyborg Attack). I wish I could report the traffic has gone away but it just won't die. Here is the latest screenshot from Google Analytics:


It appears to be somewhat cyclical. Every three to four weeks there is a new 3-day rise in traffic that matches the pattern, followed by a gradual drop-off and a lull.

Other people are reporting the same odd traffic now:
One interesting solution others have used to protect advertisers from inflated impressions is to wait to load ads until some type of user activity is detected via JavaScript, like a mouse move.

We started capturing headers for traffic that matched the fingerprint of the pattern. Here is a sample of a few (cookie info and host removed):

Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US;q=0.5
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: www.##########.com
Connection: Keep-Alive
Cookie: #############

Accept: */*
Accept-Language: it-ch
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: www.##########.com
Connection: Keep-Alive
Cookie: #############

Accept: */*
Accept-Language: en-ca
UA-CPU: x86
Accept-Encoding: gzip, deflate
Cookie: #############
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)
Host: www.###########.com
Connection: Keep-Alive

Common traits are that the headers are fairly simple and contain no other cookies aside from one we set as part of the traffic control process we've been using to identify and roadblock this strange traffic. Normal users tend to have a string of GA-related cookies show up in the header info. I am no HTTP header expert. If you are and see something odd about these headers let me know!
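As an added example (not part of the original post), here is the fingerprint described above applied to raw access-log lines: one of the three pages, an MSIE user agent, an empty referrer, and no Google Analytics cookies coming back. The log layout (Apache combined format with a quoted Cookie field appended), the three paths and the sample lines are all constructed.

```ruby
# Constructed sample lines: Apache combined format plus a trailing quoted Cookie
# field. The three paths are hypothetical stand-ins for the three affected pages.
SAMPLE_LOG = <<~LOG
  198.51.100.7 - - [26/Jan/2012:10:01:02 -0500] "GET /about-history HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" "-"
  198.51.100.7 - - [26/Jan/2012:10:01:03 -0500] "GET /css/site.css HTTP/1.1" 200 880 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" "-"
  203.0.113.9 - - [26/Jan/2012:10:02:10 -0500] "GET / HTTP/1.1" 200 7000 "http://www.example.org/search" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0" "__utma=1.2.3.4; __utmz=5.6"
LOG

TARGET_PATHS = ['/', '/about-history', '/archive-2004'].freeze
GA_COOKIES   = /__utm[abcz]=/   # a browser that really ran the GA script sends these back

LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[[^\]]+\] "(?<method>\S+) (?<path>\S+)[^"]*" \d{3} \S+ "(?<referer>[^"]*)" "(?<ua>[^"]*)" "(?<cookie>[^"]*)"\z/

# Returns the fields the fingerprint needs, or nil for a line that does not parse.
def parse_line(line)
  m = LOG_RE.match(line.strip) or return nil
  { ip: m[:ip], path: m[:path].sub(/\?.*\z/, ''),      # drop any query string
    referer: m[:referer], ua: m[:ua], cookie: m[:cookie] }
end

# One point per trait from the post; 4 means the full fingerprint matched.
def fingerprint_score(hit)
  score = 0
  score += 1 if TARGET_PATHS.include?(hit[:path])            # one of the three pages
  score += 1 if hit[:ua] =~ /MSIE \d/                        # IE, any version
  score += 1 if hit[:referer].empty? || hit[:referer] == '-' # direct navigation
  score += 1 unless hit[:cookie] =~ GA_COOKIES               # GA cookies never return
  score
end

def suspicious?(hit)
  fingerprint_score(hit) == 4
end

# Per-IP count of full fingerprint hits. An IP making 20+ such requests a day
# stands out here even though every visit looks "new" to Google Analytics.
def suspicious_ips(lines)
  counts = Hash.new(0)
  lines.each do |line|
    hit = parse_line(line) or next      # skip lines in another format
    counts[hit[:ip]] += 1 if suspicious?(hit)
  end
  counts
end

puts suspicious_ips(SAMPLE_LOG.lines).inspect if $PROGRAM_NAME == __FILE__
```

Asset requests (css, js, images) from the same IP score 3 rather than 4, so only the page hits are counted; feed `File.foreach('access.log')` in place of the sample to run it over a real log.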

I am wishing there was some expert to turn to for unraveling this mystery. It seems some big names like Google and Microsoft as well as security / anti-virus companies and major ad networks would want to be on top of this. Unfortunately it is very difficult to reach upper level people at these companies that would recognize that this merits some review.  Something is flying under the radar that has the potential to morph into far worse than a traffic nuisance. Since it started we've had 3/4 of a million unique visitors that match the fingerprint--all of which fool traffic analysis programs into thinking it is a human request. Again, most of these are unique IP addresses spread out geographically and from a variety of networks. It is impossible to block this on the network or IP level. 

Hoping for better news to report in the next update.

Thursday, September 2, 2010

How to use Gmail with ACT! 2010 CRM by Sage

I helped a co-worker get Gmail working with the CRM software ACT! 2010 by Sage today. ACT! does not naturally work with Gmail. Gmail uses SSL and non-standard ports for its incoming and outgoing POP and SMTP connections, which are not supported by the program. There is, however, a workaround using the program Stunnel (an SSL wrapper).

1. Download and install the latest version of Stunnel. Use the "Windows Binaries" for installing on a machine running Microsoft Windows. The installer comes with all of the necessary files to run it. During install it will prompt you to add shortcuts to your Start Menu. This is worth doing as it gives you an easy way to start and stop the service. Default install location is: C:\Program Files\stunnel

2. Using Notepad or another text editor, edit the stunnel.conf file to have the following:
client = yes
[pop3s]
accept = 110
connect = pop.gmail.com:995
[ssmtp]
accept = 25
connect = smtp.gmail.com:465

3. Configure Stunnel to run on startup. From the the Stunnel folder added to the Programs in your Start Menu select, "Service Install." When that is complete, run the "Service Start" shortcut--also in the Stunnel Start Menu folder. Stunnel is now running as a background service and should startup automatically when you restart your computer.

4. In ACT! edit your email settings via the "Tools -> Preferences" menu item. Update your incoming and outgoing server settings as follows:
Incoming POP3 Server: localhost
Outgoing SMTP Server (SMTP): localhost
5. Finish the email setup wizard and do a send/receive to make sure it is all working.

That is it! Gmail should be setup to work in ACT! now.
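The same stunnel.conf with two settings the version above leaves out, as an added example (not part of the original post). It assumes stunnel 5.x and a CA bundle at a placeholder path; with older 4.x releases the equivalent is `verify = 2` plus `CAfile`.

```ini
; Added example, not the post's original config. Assumes stunnel 5.x and a CA
; bundle at the placeholder path below (the Windows installer ships ca-certs.pem;
; adjust the path to wherever yours is).
client = yes

[pop3s]
; A bare "accept = 110" listens on every interface, so other machines on the
; LAN could send mail through your Gmail session. Bind to loopback only.
accept = 127.0.0.1:110
connect = pop.gmail.com:995
; Without verification stunnel accepts any certificate: the wrapper then gives
; you encryption but no assurance that the far end is actually Google.
verifyChain = yes
CAfile = C:\Program Files\stunnel\ca-certs.pem
checkHost = pop.gmail.com

[ssmtp]
accept = 127.0.0.1:25
connect = smtp.gmail.com:465
verifyChain = yes
CAfile = C:\Program Files\stunnel\ca-certs.pem
checkHost = smtp.gmail.com
```

The ACT! settings in step 4 stay the same (localhost on ports 110 and 25); only the tunnel's own behaviour changes.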

You can also use Stunnel to get Gmail working with other CRM programs and email clients that don't support SSL or non-standard ports. We used a similar workaround with FrontRange Goldmine: How to Setup Gmail in Goldmine

Sunday, August 15, 2010

Used Car Buying Questions

I live in a small city, which means when I shop for a used car I have to drive a ways to go look at the car I am interested in. After making a few hour-long trips only to discover the car had a purchase-stopping issue I could have discovered by phone if I had asked the right questions, I've slowly compiled a list of questions to ask about used cars.

- Is the car still available?
- Review of details and features:
- Make, Model, Year
- Mileage
- Color
- Extras that are important to you
- How many owners has the car had?
- How long has the car been on the market?
- What is the reason for sale?
- Has it been in any accidents?
- Is everything in working order? (AC, Power Doors / Windows)
- What is the condition of the upholstery and floor boards?
- What is the condition of the tires?
- Has it had any aftermarket additions?
- What mechanical work would you expect the van will need in the first couple of years aside from oil service?
- Do you have service records?
- Was the work done at a dealer?
- If there are known issues this particular make / model tends to have ask about them. i.e. Has the car had any work done on its transmission?
- Has the car been owned by smokers?
- Does it have the original manuals?
- How much life is left on the tires?
- What is the condition of the upholstery and floor mats?
- Does it have a trailer hitch? (Can be a plus or minus. Cars with trailer hitches tend to have placed more wear on the transmission).
- What is the VIN?
- Are there other parties interested in the van?
- How firm is your price? Are you willing to negotiate some?
- What is your test drive policy?

Used Car Dealer Specific Questions
- How did you acquire the car?
- What kind of work do you do to prepare cars you buy for sale?

So... it's a fairly long list. I don't normally fit it all into one phone call. I first make an initial call with four or five basic questions. I call back later once I've processed the first conversation and maybe pulled a Carfax on the vehicle. If I let the seller know I am travelling a long distance to see the car, they tend to be helpful in answering the more detailed questions.

What questions do you ask before buying a used car? Please post in a comment. Thanks!

Monitoring Electricity Consumption - Individual appliance and whole house monitors

I spent several hours today looking at options for monitoring electricity consumption with an eye to reduce usage and save money. Here is the best information I found:

Whole house monitors:
TED 5000 (TED stands for "The Energy Detective")
This is the model that is compatible with Google PowerMeter. Starts at $200.

This device is sold in the US by Power Save. US version with two CT clamps and bundled with the web bridge sells for $169. This is also compatible with Google PowerMeter.

I found this TED-5000 vs. Current Cost Envi comparison review to be quite helpful.

I am currently leaning toward purchasing the Envi as it is easier to install and costs less.

I briefly looked at the Black and Decker Power Monitor but crossed it off the list since it was not compatible with Google PowerMeter and also, according to some reviews, doesn't measure small watt increases.

Single Appliance Monitor
There are a number of products on the market that measure the electricity usage of a single appliance. The Kill-A-Watt EZ by P3 International is the front runner. (Note: The EZ model is an improvement upon the Kill-A-Watt. Reviewers strongly recommend getting this newer version). Buy.com had the best price on the unit. I ordered it for $30 with free shipping.

Another link worth mentioning is Mr. Electricity's page with his four-part answer to the question "How do I measure the amount of electricity something uses?" At the end he gives a detailed explanation of how to measure electric usage using your existing meter instead of using one of these consumer products.

Friday, August 13, 2010

MissingSourceFile Error

I launched the webrick server to work on a Rails project today and kept getting the following error when trying to access the site via http://localhost:3000:
MissingSourceFile (no such file to load -- ./../config/../config/routes.rb)
Turns out it matters where you launch the webrick server from. I had run: ruby ./server from the script folder instead of running: ruby script/server from the rails application root folder.

Thursday, July 22, 2010

Used Honda Odyssey Minivan Shopping

I am in the process of looking for a minivan. I will be adding notes as I go.

First off I suggest reading this Wikipedia article all about Honda Odyssey minivans. It gives a breakout of each generation of the vehicle and also has more in depth information about the transmission issues mentioned frequently in connection with Honda Odysseys.

2001 Honda Odyssey
Recalls:

2002 Honda Odyssey
Recalls:

Reviews and Ratings:

Price Range: $5,900 - $7,000

2003 Honda Odyssey
Recalls:

Transmission Issues

From an article about the transmission problem: Honda's Unexpected Gear Shift
Of 1 million vehicles sold in the U.S. with those transmissions, Spencer said, Honda has replaced the transmissions in about 16,000, or 1.6%.
Cost to replace transmission: $3,000 - $4,000 at a Honda dealer.
Reason to replace transmission at a Honda Dealer: longer warranty on new transmission.

Motor Mount Issue
A number of consumer reviews mention they've needed to replace motor mounts around 90K miles. More information needed. May be good to ask specifically about this if you get a mechanic to inspect the vehicle prior to purchase.

Research Resources

Wednesday, July 21, 2010

The Ideal Rails Production Environment Log Level

I am learning all about Rails logs today. My objective is to determine the ideal log level to run a Rails application in when it is in the Production Environment. The app currently runs in :info but this generates pretty hefty log files. We have a cron job set up to email the production.log contents every day. I've found that I tend to tune out repetitive emails--which is dangerous when it comes to server logs because it makes it easy to miss important messages when they come.

My first find in my quest was this article: Rails Logging Tips. It provided foundational knowledge of logging options as well as some advanced logging pointers. I learned that the Rails log levels available to me are: debug, info, warn, error, and fatal. I also learned that Rails defaults to the "info" level when in the Production Environment. The section on Reducing Log File Size drew my attention. I decided to edit my config/environments/production.rb file to config.log_level = :warn. At first it looks like it's going to do the trick: the log will only have warnings and errors in it from here out! But when I purposefully generate an application error I notice that the information logged about it is really not all that helpful. It does give me a backtrace. But I want to know what user actions caused the error so I can duplicate it (maybe this is possible with backtraces and I don't know it yet). The information I want is a timestamp and the URL or request that was made resulting in the error. This information was available in the :info log level.

Next order of business, trying out all of the log levels to see if a different one will suit me better. Note: When changing log levels in your production.rb file you have to restart your application for the change to take effect. I couldn't remember how to restart my application. Our server is running Passenger. This wiki article: Restarting a Rails Application Using Passenger gave me the magic command I was looking for (touch /tmp/restart.txt).

Wow! :debug gives some pretty handy info, including SQL statements. After poking around a bit more I decide none of the log levels do what I want. I'd like to get the information displayed in the :debug or :info log levels but only when the message is :warn or higher. I remember that the Rails Logging Tips article mentioned something about filtering log messages. Maybe I could set the log level to :info and apply some sort of filter. My Google searches on this don't turn up any promising leads. But I do happen upon a few blog posts about adding timestamps to the Rails logger. There are two different ways to do it. One way is to extend the logger class; the other way is to instantiate your own logger class. Apparently Rails changed up the logger in version 2.x.

How to modify the logger class in Rails 1.2.x:

How to modify the logger class in Rails 2.x:

How to create your own custom logger in Rails 2.x

I add the lines of code to the end of my environment.rb file and voila I have timestamps. :)

I am not quite ready to jump into creating a custom logger. I am still interested in possibly filtering the :info log messages. Maybe I could get it to disregard logs for requests that return a status 200 OK.
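One way to get what the post is after (the :info and :debug context of a request, but only when that request also logs at :warn or higher, and with timestamps) is a small buffering logger; this is an added example written for this post, not code from Rails or from the articles linked above. It uses plain Ruby so it runs stand-alone; `start_request` / `finish_request` are hypothetical hooks you would call from a before/after filter or a Rack middleware.

```ruby
require 'logger'
require 'stringio'

# Keeps each request's :debug/:info lines in memory and writes them only if a
# :warn-or-higher message arrives during that request; a request that finishes
# cleanly leaves nothing in the log. Every line carries a timestamp.
class FlushOnWarnLogger
  def initialize(io, level: Logger::INFO, flush_at: Logger::WARN)
    @io, @level, @flush_at, @buffer, @tag = io, level, flush_at, [], nil
  end

  # Hypothetical hooks: call from a before/after filter or Rack middleware so
  # the buffer is scoped to one request.
  def start_request(tag)
    @buffer, @tag = [], tag
  end

  def finish_request
    @buffer = []                                       # clean request: drop context
  end

  %w[debug info warn error fatal].each do |name|
    severity = Logger.const_get(name.upcase)
    define_method(name) { |msg| log(severity, name.upcase, msg) }
  end

  def log(severity, label, msg)
    return if severity < @level                        # same role as config.log_level
    stamp = Time.now.utc.strftime('%Y-%m-%d %H:%M:%S')
    line = format('[%s] %s %s: %s', stamp, @tag, label, msg)
    if severity >= @flush_at
      @buffer.each { |l| @io.puts(l) }                 # replay the request's context
      @buffer.clear
      @io.puts(line)
    else
      @buffer << line                                  # hold until we know it matters
    end
  end
end

# Two constructed requests: the first succeeds, the second raises. Returns the
# resulting log text so the effect can be inspected (or asserted on).
def simulate(level = Logger::DEBUG)
  out = StringIO.new
  logger = FlushOnWarnLogger.new(out, level: level)
  logger.start_request('GET /orders/42')
  logger.info('Processing OrdersController#show')
  logger.debug('SELECT * FROM orders WHERE id = 42')
  logger.finish_request
  logger.start_request('GET /orders/43')
  logger.info('Processing OrdersController#show')
  logger.debug('SELECT * FROM orders WHERE id = 43')
  logger.error("RecordNotFound: Couldn't find Order with ID=43")
  logger.finish_request
  out.string
end
puts simulate if $PROGRAM_NAME == __FILE__
```

Run at `Logger::DEBUG` it logs three lines, all for the failing request (its request line, its SQL, then the error); the successful request leaves nothing behind.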

Two more parting nuggets I dug up while researching this. How to rotate your rails logs and how to log to STDOUT when using the console.