One of our sites is seeing ~100 sessions a day landing on the home page with a query string like the following appended:
?p=1471086892&subid=526&uid=48752857D549575A
Each one has the same value for "p" but a different "subid" and "uid."
I am trying to figure out where these variables are coming from.
I reviewed the Access Logs and Google Analytics and found that 98% of the traffic is new and the referrer is reported as our own website even though the access log indicates it's the first page request for the IP.
Our site doesn't make use of these variables. Where they are coming from is a mystery.
I have explored the possibility that the variables are related to a cookie or tracking event from an ad or analytics service. I have yet to turn up evidence that corroborates this hypothesis.
The fact that it is masking or spoofing the referral makes me wonder if it is somehow botnet related. My suspicions about this grew stronger when I noticed that the traffic is evenly distributed across pages on the site; it has a uniform bounce rate and a uniform time on page of almost exactly 1 min; it is accessing minor navigation items (i.e. privacy page) at a greater frequency than ordinary; and last, there is not a common IP or user agent.
When I googled the uid portion of the query string I found other sites having the same query string with a different p value. Here are some examples:
http://www.aikiweb.com/index.html?p=1470451589&subid=999&uid=AE1D5F14EEC420BA
http://www.kiro7.com/?p=1470425109&subid=616&uid=2D6F158100C33AEE
http://www.fox23.com/?p=1470412751&subid=703&uid=DEF705E09B5A3DFA
http://www.wpxi.com/?p=1470334006&subid=703&uid=DEF705E09B5A3DFA
So, it is not unique to us. I have looked under every stone I can think of, so I am reaching out to the community for help. Has anyone run across this before? Do you have any thoughts on other things I could investigate that might turn up an answer to what is causing this?
---- 5/27/17 Update ----
We started redirecting traffic that matched the pattern to a page that contained a captcha. One month later over 6,000 sessions matching this pattern have gone to that page. None have passed the captcha. This does not appear to be human activity.
If you want to check your site's analytics for traffic matching this pattern you can use the following regex match against the landing page: p=(\d{10})&subid=(\d{3})&uid=([A-Z\d]{16})
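The same check run against raw access logs instead of analytics, as an added example that is not part of the original post: it applies the regex above to each request and flags hits where the referrer is the site itself on an IP's first logged request. The combined log format, the host www.example.com, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Regex from the post, matched against the requested URL.
PATTERN = re.compile(r"p=(\d{10})&subid=(\d{3})&uid=([A-Z\d]{16})")

# Apache/nginx "combined" log format (assumed; adjust to your server's format).
LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

def find_hits(lines, own_host):
    """Return pattern matches; flag own-site referrers on an IP's first logged request."""
    seen_ips, hits = set(), []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line
        # "First" only means first within the lines supplied, not first ever.
        first_request = m["ip"] not in seen_ips
        seen_ips.add(m["ip"])
        q = PATTERN.search(m["url"])
        if q:
            self_ref = urlsplit(m["referer"]).hostname == own_host
            hits.append({"ip": m["ip"], "p": q[1], "subid": q[2], "uid": q[3],
                         "self_referer_on_first_hit": first_request and self_ref})
    return hits

def summarize(hits):
    """Count distinct values per field to see which ones vary across hits."""
    return {k: len({h[k] for h in hits}) for k in ("p", "subid", "uid", "ip")}

# Constructed sample lines; the host, IPs and second uid are placeholders.
SAMPLE = [
    '192.0.2.10 - - [27/May/2017:10:00:01 +0000] "GET /?p=1471086892&subid=526'
    '&uid=48752857D549575A HTTP/1.1" 200 5120 "http://www.example.com/" "UA-A"',
    '198.51.100.7 - - [27/May/2017:10:03:12 +0000] "GET /?p=1471086892&subid=527'
    '&uid=0A1B2C3D4E5F6071 HTTP/1.1" 200 5120 "http://www.example.com/" "UA-B"',
    '203.0.113.5 - - [27/May/2017:10:04:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "UA-C"',
    '203.0.113.5 - - [27/May/2017:10:04:30 +0000] "GET /about?p=1 HTTP/1.1" 200 300 '
    '"http://www.example.com/" "UA-C"',
]

if __name__ == "__main__":
    hits = find_hits(SAMPLE, "www.example.com")
    for h in hits:
        print(h)
    print(summarize(hits))
```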