Misuse of the statistics script of Plesk?

Bernhard Hiller asked:

I downloaded the log file from the web server, and found many strange entries. Why is a statistics script called so terribly often? What do all the junk referrers do there? Looks like some mis-configuration of the Plesk software for managing IIS.
Literally hundreds of times a day, http://cydas.org/plesk-stat/webstat/AWStats/cgi-bin/awstats.pl?framename=mainright&output=refererpages
is called. This apge shows the referrer statistics for the web site – virtually none of them is related to Cytogenetics (that’s what the web site is about). Most of them are dubious domains.

The statistics page does not show query parameters, as they are required for a good link to YouTube. But the logs show many referrals from YouTube (most of them say: “This video is no longer available because the YouTube account associated with this video has been terminated.”, but one is still available and bears the title “Generateur de Code PaySafeCard – Gratuit Code PaySafeCard” – criminal content, I guess).

With a Google search (for “plesk awstats.pl framename=mainright output=refererpages”), I found some more web sites which are such infected, and fake “user profiles” or guest book entries which link to the statistics page.

What are your experiences with such a strange thing, how does this kind of hack work, and more important: how to prevent it?

[Edit 28 Feb 2014]The awstats.pl script provided a page with links – and everyone could add his favorite into this list: just send a GET request to any page of my site with a forged referer (any library for sending http requests allows for setting any referer), and it will then show up on the script page.

Why would you want to do so?

It is believed that you get a better rank with search engines when your site is linked from many other sites. And in fact, several “referers” contained “seo” (like Search Engine Optimization) in their domain/subdomain or page name. And many other sites were likely added by such SEO bastards.

Actually, back in 2010 a Russian web pharmacy was the first to massively use my site for that purpose.

But there is another group: they show “cheats” for games, provide links to cracked games, or even more criminal key generators. I guess they simply try to obfuscate their origin – my page is linked from somewhere, from here you get to a youtube video explaining their hack and showing a link to the next page to get the desired product.

Likely other uses are possible, but that’s the idea I’ve come up with. Since I could not find any further information on the web regarding this type of hack / website misuse, I want to share this experience here, and ask other people for their ideas about this.[/Edit]

My answer:

You have indeed discovered referer spam in your awstats logs.

And you are quite right in your assessment that they are trying to improve their own search ranking via unethical methods.

There isn’t that much you can do about it, but some things will help:

  • Never make your logs publicly accessible. This denies the spammers the benefit they are seeking, though it doesn’t directly stop these entries from being added to logs.
  • Use security measures which can detect and block referer spammers, such as ModSecurity (the Core Rule Set has some rules, some of which I originally wrote, which will block referer spam) or my own Bad Behavior. None of these are perfect and will catch everything, but they will make a noticeable dent in the traffic.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.