Cheating Tool?

Anything about the script that does not fit in the other categories.

Cheating Tool?

Postby tomstopsites » 2006-03-04 03:56 pm

I've been using Aardvark Topsites PHP on my website for some time now, and have approx 400 members.

It appears that on March 2nd, something very strange happened. A group of about 10 sites received a large number of incoming unique hits, way more than could be a coincidence. One guy went from 1 unique on Mar 1, to 52 on Mar 2nd, and back down to 12 on Mar 3. ( http://blogs.tomstopsites.com/index.php?a=stats&u=185 ). Most of the effected blogs had about 50 more unique hits that normal, but just for that one day.

Interestingly enough, according to the Apache webserver log, there actually *were* about 50 incoming hits that day for each of those blogs. But here's the strange part: They're all from very similar IPs. They all resolve to: "ppp-[ip address here].toldoh.ameritech.net".

More analysis of the log file shows that whatever tool (or person) was doing this basically would go through the list of 10 or so sites he had choosen, vote for each of them from a new unique IP, wait a while, then repeat. The time stamps repeatedly show a 2 second delay between loading the "button.php" graphic, and opening the "in.php?u=" page, which shows to me that it's not a human but a script.

I'm not entirely sure what the point of posting this is, other than to let people know that there is probably a cheating script out there. I don't know if there's really any way for Aardvark to block this kind of cheating, but if there is, it would be much appreciated.
tomstopsites
Newbie
 
Posts: 3
Joined: 2006-03-04 03:15 pm

Postby tomstopsites » 2006-03-04 04:31 pm

Just to add some more info:

It's clearly a cheating script. The logs don't lie, the script would access 3 pages in a row for each site:

70.226.9.43 - - [02/Mar/2006:19:43:58 -0500] "GET /button.php?id=185 HTTP/1.1" 302 5 "http://djalmigo.blogspot.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
70.226.9.43 - - [02/Mar/2006:19:44:01 -0500] "GET /in.php?id=185 HTTP/1.1" 302 5 "http://djalmigo.blogspot.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
70.226.9.43 - - [02/Mar/2006:19:44:01 -0500] "GET /index.php?a=in&u=185 HTTP/1.1" 200 2650 "http://djalmigo.blogspot.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

The info about the computer is always the same as well, so that's surely spoofed. BTW, those three lines are repeated in my server log over and over within a few seconds of each other, with only the IP and referreing site (and u= variable) changed.

I have come up with a solution though. The script exploits the fact that 5.0 includes legacy support for the old "in.php?u=" urls, which 5.0 does not use. I believe if in.php were removed/modified, than only users using the new 5.0 code would have their unique hits counted and the script would not be able to work. This has the unfortunate side effect of forcing everyone to re-login and upgrade to the latest code on their sites, but I'm fairly sure it would work.

Any comments?
tomstopsites
Newbie
 
Posts: 3
Joined: 2006-03-04 03:15 pm

Postby tomstopsites » 2006-03-04 04:40 pm

I hate to triple post, but I have noticed something:

Wouldn't the "sid" variable on the gateway page prevent this kind of thing from happening? All of the legitimate unique hits in my webserver log show the sid variable in the URL, however, the bogus ones don't (as shown above).

Could it be possible there is a glitch in Aardvark's Topsites that doesn't require the sid variable? Or does Aardvark Topsites even use it to help deter cheating in the first place? If it doesn't, I strongly recommend that it be used in such a way, as accessing the following three pages in a row seemed to have caused a unique hit to be counted:

/button.php?id=[someid]
/in.php?id=[someid]
/index.php?a=in&u=[someid]

HOWEVER, I just tested the above and it didn't appear to work when used in with a browser. So then why did it work on Mar 2nd?

I don't remember if I mentioned this already, but I have all of the anti-cheating options turned on. I also have no mods.
tomstopsites
Newbie
 
Posts: 3
Joined: 2006-03-04 03:15 pm

Postby Jeremy » 2006-03-04 05:30 pm

if you have the gateway page turned on, it will prevent this sort of thing from happening unless the cheater gets more clever. there isn't any simple way to prevent it from happening with pageviews though, unless you just ban his ip range (as you said they were similar ip addresses). or just ask the site owner about it, maybe they would stop.
Jeremy
Supreme Diety
 
Posts: 8922
Joined: 2003-05-05 04:41 pm
Location: NJ, USA

Postby Matt » 2006-03-04 08:19 pm

This is an unusual thing to happen, this person has obviously spent alot of time making a program that will cheat on Aardvark Topsites PHP. If it also takes into account of the Gateway page it is fairly serfisticated and is probably a one off but still.
Matt
Advanced Member
 
Posts: 1248
Joined: 2003-11-18 09:46 am
Location: UK, England


Return to General Discussion

Who is online

Users browsing this forum: No registered users and 1 guest

cron