
What is adding p, subid, and uid variables to the query string of a site URL?

@Tiffany637

Posted in: #Botattack #GoogleAnalytics #QueryString #Tracking #UrlParameters

One of our sites is seeing ~100 sessions a day landing on the home page with a
query string like the following appended:

?p=1471086892&subid=526&uid=48752857D549575A


Each one has the same value for "p" but a different "subid" and "uid."

I am trying to figure out where these variables are coming from.

I reviewed the access logs and Google Analytics and found that 98% of the traffic is new and the referrer is reported as our own website, even though the access log indicates it's the first page request for the IP.

Our site doesn't make use of these variables. Where they are coming from is a mystery.

I have explored the possibility that the variables are related to a cookie or tracking event from an ad or analytics service. I have yet to turn up evidence that corroborates this hypothesis.

The fact that it is masking or spoofing the referral makes me wonder if it is somehow botnet related. My suspicions about this grew stronger when I noticed that the traffic is evenly distributed across pages on the site; it has a uniform bounce rate and a uniform time on page of almost exactly 1 min; it is accessing minor navigation items (i.e. privacy page) at a greater frequency than ordinary; and last, there is not a common IP or user agent.

When I googled the uid portion of the query string I found other sites having the same query string with a different p value. Here are some examples:
www.aikiweb.com/index.html?p=1470451589&subid=999&uid=AE1D5F14EEC420BA
http://www.kiro7.com/?p=1470425109&subid=616&uid=2D6F158100C33AEE
www.fox23.com/?p=1470412751&subid=703&uid=DEF705E09B5A3DFA
http://www.wpxi.com/?p=1470334006&subid=703&uid=DEF705E09B5A3DFA


So, it is not unique to us. I have looked under every stone I can think of so I am reaching out to the community for help. Has anyone run across this before? Do you have any thoughts on other things I could investigate that might turn up an answer to what is causing this?

---- 5/27/17 Update ----

We started redirecting traffic that matched the pattern to a page that contained a captcha. One month later over 6,000 sessions matching this pattern have gone to that page. None have passed the captcha. This does not appear to be human activity.

If you want to check your site's analytics for traffic matching this pattern you can use the following regex match against the landing page: p=(\d{10})&subid=(\d{3})&uid=([A-Z\d]{16})

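The checks described in the post above can also be run against raw access logs. The following is an added example, not part of the original post: it applies the post's landing-page pattern to each request's query string and flags hits where the referrer names the site itself although the IP has no earlier request. It assumes the Apache/nginx combined log format, a hypothetical host `www.example.com`, and constructed sample lines using documentation IP ranges.

```python
import re
from urllib.parse import urlsplit

# Landing-page pattern from the post, applied to the query string only.
PATTERN = re.compile(r"p=(\d{10})&subid=(\d{3})&uid=([A-Z\d]{16})")
# Assumption: Apache/nginx "combined" access log format.
LOG = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
                 r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"')

def analyze(lines, site_host):
    """Return one record per request whose query string matches PATTERN."""
    seen_ips, hits = set(), []
    for line in lines:
        m = LOG.match(line)
        if not m:
            continue
        first_request = m["ip"] not in seen_ips
        seen_ips.add(m["ip"])
        q = PATTERN.search(urlsplit(m["target"]).query)
        if not q:
            continue
        # Referrer claims our own site although this IP has no earlier request.
        self_ref = urlsplit(m["referer"]).hostname == site_host
        hits.append({"ip": m["ip"], "p": q[1], "subid": q[2], "uid": q[3],
                     "self_referer_on_first_request": first_request and self_ref})
    return hits

def summarize(hits):
    """Counts that mirror the post's observations (same p, varying uid)."""
    return {"sessions": len(hits),
            "distinct_p": len({h["p"] for h in hits}),
            "distinct_uid": len({h["uid"] for h in hits}),
            "self_referer_on_first_request":
                sum(h["self_referer_on_first_request"] for h in hits)}

# Constructed sample log lines (documentation IPs, hypothetical host).
SAMPLE = [
    '203.0.113.10 - - [13/Aug/2016:11:15:02 +0000] "GET /?p=1471086892&subid=526&uid=48752857D549575A HTTP/1.1" 200 5120 "http://www.example.com/" "Mozilla/5.0"',
    '203.0.113.10 - - [13/Aug/2016:11:16:01 +0000] "GET /privacy HTTP/1.1" 200 2048 "http://www.example.com/" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Aug/2016:11:17:40 +0000] "GET /about?p=1471086892&subid=703&uid=DEF705E09B5A3DFA HTTP/1.1" 200 4096 "http://www.example.com/" "Mozilla/5.0"',
    '192.0.2.44 - - [13/Aug/2016:11:18:05 +0000] "GET /?p=2 HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"',
    '192.0.2.44 - - [13/Aug/2016:11:19:30 +0000] "GET /?p=1471086892&subid=616&uid=2D6F158100C33AEE HTTP/1.1" 200 5120 "http://www.example.com/?p=2" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = analyze(SAMPLE, "www.example.com")
    for h in hits:
        print(h)
    print(summarize(hits))
```

Feed it the log lines in chronological order, since the first-request check depends on the order in which IPs are seen.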

2 Comments


@Voss4911412

Have been seeing a large number of these as well. Recorded hundreds of hits without a single interaction on a site with a typical bounce rate of less than 10%. It's a robot.

There's no single IP but they all appear to be US based. A few weeks ago it was quite rare. Now I can get a couple of hundred hits per hour. If it's a virus, it's getting gradually bigger.

Would be keen to know if anyone has information on this.


@Courtney195

These are all used in tracking URLs.

A SubID is a string of alphanumeric characters generated at the end of a redirect URL, which records a user-defined variable. uid is Unique Identifier. Check if you have some affiliate program.
