Strange referrersites

Discussion regarding Joomla! security issues.

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Locked
huub
Joomla! Apprentice
Joomla! Apprentice
Posts: 19
Joined: Mon Sep 19, 2005 9:06 pm
Location: Berghem
Contact:

Strange referrersites

Post by huub » Fri Oct 21, 2005 5:33 pm

The past few days our site www.kossiesdesign.nl has had strange referrers visiting us. TFSforMambo shows they came from sites like:
http://www.hellopolis.com/
http://www.metatrek.com/
http://www.oasee.com/
http://www.superseas.com/
http://www.ultragamma.com/
http://www.pressace.com/
http://www.smokeynet.com/
http://www.spotego.com/
(and many more)

The strange thing is that all these sites when tried to visit them result in a page with "This account is suspended" etc.

Can anyone tell me what this is?

With a whois I found that all these sites belong to enom inc., for example:

Domain Name: HELLOPOLIS.COM
  Registrar: ENOM, INC.
  Whois Server: whois.enom.com
  Referral URL: http://www.enom.com
  Name Server: NS1.ACEBREAKS.COM
  Name Server: NS2.ACEBREAKS.COM
  Status: REGISTRAR-LOCK
  Updated Date: 06-oct-2005
  Creation Date: 06-oct-2005
  Expiration Date: 06-oct-2006
Last edited by huub on Fri Oct 21, 2005 5:44 pm, edited 1 time in total.
Huub van der Logt
www.OSDesign.nl

User avatar
Das Gurke
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 164
Joined: Sun Oct 09, 2005 2:50 pm
Location: Germany - Hamburg

Re: Strange referrersites

Post by Das Gurke » Sun Oct 23, 2005 7:15 pm

Sorry for off Topic question ...

Are you using Mambo or Joomla? I tried to install TFS for mambo into my Joomla and it just didn't work. If you are using Joomla could you give me a link to your TFS Component and Modules?

User avatar
keliix06
Joomla! Ace
Joomla! Ace
Posts: 1022
Joined: Wed Aug 17, 2005 11:46 pm
Location: Minneapolis, MN
Contact:

Re: Strange referrersites

Post by keliix06 » Mon Oct 24, 2005 6:53 pm

enom is a domain registrar. The domains don't belong to enom, they were simply registered through enom.

From what I can tell (research done on http://www.smokeynet.com/) they have a server at http://www.theplanet.com (more likely its http://www.servermatrix.com) that has probably been suspended by theplanet for abuse (spam, etc).
Doyle Lewis
BuyHTTP Internet Services
http://www.buyhttp.com/joomla_hosting.html - No Overselling Guarantee. Your Joomla site, faster.
http://www.joomlademo.com - 30 day free trial of Joomla

User avatar
kai920
Joomla! Guru
Joomla! Guru
Posts: 542
Joined: Sun Sep 04, 2005 3:59 pm
Location: Hong Kong

Re: Strange referrersites

Post by kai920 » Fri Dec 30, 2005 6:11 pm

Having similar problem here... getting weird hits from poker/casino sites... or "ddddd.com"

but when you go to those referring pages there is no mention of my site anywhere (obviously).

Wha'ts going on?

User avatar
Elpie
Joomla! Guru
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm
Contact:

Re: Strange referrersites

Post by Elpie » Sat Dec 31, 2005 1:43 am

They are probably just running scripts looking for security holes. There are loads of bots out there scanning the net. I wouldn't worry about them, but I also wouldn't be going to the sites - you won't find any listing for your site on them, but you *might* end up visiting a site that contains nasty stuff (like the current Windows exploit, for eg.)

A lot of these scripts are doing nothing more than trying to find blogs or guestbooks so they can run comment spam.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

anabolic
Joomla! Fledgling
Joomla! Fledgling
Posts: 3
Joined: Fri Dec 30, 2005 11:45 am

Re: Strange referrersites

Post by anabolic » Mon Jan 02, 2006 3:16 pm

IIRC, one of the reasons for this kind of referrer spam is that some referrer logs are publicly accessible. So if someone can get their site's URL into the log it could make it look like your site is linking to theirs. If they do that with a lot of sites, they can boost their ranking in Google and so on.

Possibly there's also another reason, like Google perhaps giving a little weight to links from a site in its page rank algorithm. Obviously the links to a site are a much more important factor, but every little helps...

philmoz
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 246
Joined: Wed Sep 07, 2005 6:45 pm
Contact:

Re: Strange referrersites

Post by philmoz » Mon Jan 02, 2006 3:43 pm

I also noticed that there was at least one path that visually went to my site, but if mouse-overed,link  went offsite to "umsky.com/prx.php" which has something to do with proxy leeching.
(from research, http://fpl.my-proxy.com/fpl-judge.php , But do not know safety of this link)


As I am a newbie in web managment, I am not sure exactly what is going on, or how serious.

Is there anything I should/could be do to prevent this?

I have notified my host and assume they will advise.
Last edited by philmoz on Mon Jan 02, 2006 3:45 pm, edited 1 time in total.

User avatar
Elpie
Joomla! Guru
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm
Contact:

Re: Strange referrersites

Post by Elpie » Tue Jan 03, 2006 2:16 am

If these are just showing in logs but aren't actually posting anything to your site or hacking in, then just don't worry about them.
Logs are always full of these kinds of referrers. They are usually just scripts that are continually cruising the net looking for sites that are insecure. They are always there, always appearing in logs.  Nothing you can do about them.

The only way to stop unwanted referrals appearing in logs is to not have your site on the Net ;)
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

User avatar
kai920
Joomla! Guru
Joomla! Guru
Posts: 542
Joined: Sun Sep 04, 2005 3:59 pm
Location: Hong Kong

Re: Strange referrersites

Post by kai920 » Tue Jan 03, 2006 3:40 am

Elpie wrote: If these are just showing in logs but aren't actually posting anything to your site or hacking in, then just don't worry about them.
Logs are always full of these kinds of referrers. They are usually just scripts that are continually cruising the net looking for sites that are insecure. They are always there, always appearing in logs.  Nothing you can do about them.

The only way to stop unwanted referrals appearing in logs is to not have your site on the Net ;)
Thanks for the advice, everyone.  There is no malicious postings made (as far as I know!) so for now I will keep monitoring the logs and see what's happening...

"IIRC, one of the reasons for this kind of referrer spam is that some referrer logs are publicly accessible."

What do you mean by the above statement, anabolic? Are the logs on my site not secure?

anabolic
Joomla! Fledgling
Joomla! Fledgling
Posts: 3
Joined: Fri Dec 30, 2005 11:45 am

Re: Strange referrersites

Post by anabolic » Tue Jan 03, 2006 6:03 am


Thanks for the advice, everyone.  There is no malicious postings made (as far as I know!) so for now I will keep monitoring the logs and see what's happening...

"IIRC, one of the reasons for this kind of referrer spam is that some referrer logs are publicly accessible."

What do you mean by the above statement, anabolic? Are the logs on my site not secure?
No, that's not what I meant - though I haven't looked at your site. I should have said 'readable' not 'accessible'. I guess the only 'insecurity' would be that, if you've made your referrer logs viewable from outside, then they make an attractive target for referrer spam - which can eat up some bandwidth.

For example, this Google search shows that lots of people are making their Awstats logs public, for some reason (I just choose Awstats at random, other stats packages are probably similar):

http://www.google.com/search?num=20&hl= ... tnG=Search

If you follow some of the links from that search, and look at the 'links from an external page' section, you'll often see lots of referrer spam from gambling and porn sites etc. So I guess maybe they got more referrer spam because their site logs were showing up in Google... though almost every site seems to get some referrer spam, whether the logs are public or not.


Locked

Return to “Security - 1.0.x”