0

Google Analytics recently started showing PHP scripts as referrers to my website, for example: localhost/index.php

EDIT: This is a recent surge in activity coming from India. It is not coming from our own services, such as our web host, or a backup service. It is also coinciding with spam users on my websites from India, so I know this is intentionally malicious behavior.

Any suggestions on how to investigate further and prevent it? We are running on Django, hosted on AWS, if that helps.

AstroCB
  • 12,337
  • 20
  • 57
  • 73
kilgoretrout
  • 1
  • 4
  • Are you sure that referer link is not from any of your backup website running in your localhost? your website is running on which platform? is it CMS like wordpress or your own code ? – Anto Dominic Feb 13 '15 at 17:21
  • Thanks Anto, updated my original post to answer your question. – kilgoretrout Feb 13 '15 at 17:25

3 Answers3

0

If the server have subnet or the server is on your system it may cause that kind of referrers if request from the subnet.

winston86
  • 159
  • 1
  • 8
0

If you have a website that is externally accessible, then yes- someone is trying to hack your website... and every other website in existence. It's a fact of life.

Your localhost referrer is not necessarily indicative of malicious behavior, however. It's more likely that your dev instance, or someone else's dev instance of their site with links to your site, is creating the entries in your analytics.

However, if it's a referer with a link to another site in the querystring, then what you're falling victim to is referer spam attempts. If you want to prevent them, you can block them via htaccess if you're running on Apache, or via web.config if you're running on IIS. Just replace the pertinent bits regular expressions, or better yet, add to them.

Community
  • 1
  • 1
joelmdev
  • 11,083
  • 10
  • 65
  • 89
0

Well, In case of Django if somebody from your team is running a development version of your application with the Google Analytics tracking code, then things like this can show up. Not only will localhost show up in your Referrers, but your aggregate metrics like Bounce Rate, Time On Site, Conversion, and others will be incorrect because the unusual behavior of a developer's will be mixed in with that of normal users and skew our results. There are basically 3 steps to fix it :

Add a Google Analytics exclusion filter

1) Open Google Analytics and choose your property view.

2) Navigate to Admin.

3) Click on Filters under the View column.

4) Click on New Filter.

5) Create a new "Predefined filter" which excludes traffic to the "localhost" hostname. This should look like this

Edit: Configure ALLOWED_HOSTS in Django settings

This is a security measure to prevent an attacker from poisoning caches and password reset emails with links to malicious hosts by submitting requests with a fake HTTP Host header, which is possible even under many seemingly-safe web server configurations. Django 1.5 introduced the allowed hosts setting that is required for security reasons. A settings file created with Django 1.5 has this new section which you need to add:

ALLOWED_HOSTS = [
    '.example.com',  # Allow domain and subdomains
    '.example.com.',  # Also allow FQDN and subdomains
]

Add your host here like ['www.antodominic.com'] or ['*'] for a quick test, but don't use ['*'] for production.

Hope this helps ...!! Cheers.. :)

Anto Dominic
  • 512
  • 5
  • 12
  • Thanks, we use these filters for our office IP addresses. However, the issue I'm referring to is not from our own developers, they're from hackers overseas. – kilgoretrout Feb 13 '15 at 17:50
  • have you configured ALLOWED_HOSTS in Django properly ? Since you said possibility of a hacker, maybe someone is trying to scrape your data or in worse case trying to hack the site. So you can block localhost using allowed host settings... – Anto Dominic Feb 13 '15 at 18:04
  • Yes we are using ALLOWED_HOSTS, and many other best practices in Django. – kilgoretrout Feb 13 '15 at 18:24
  • Remember adding allowed hosts recently doesn't remove the already recorded previous referrals in analytics. Are the referral issues sited even after you added ALLOWED_HOSTS ? – Anto Dominic Feb 13 '15 at 18:44
  • Yes, after. They are extremely recent, and the Django config has not changed in months. – kilgoretrout Feb 13 '15 at 19:18