Google Analytics - SSI/SQL Injection Exploits in Hostname

@Sent6035632

Posted in: #GoogleAnalytics

Today, in Google Analytics I reviewed a list of all hostnames used to access my site. Among the hostnames I expected to see, I also noticed a number of items that are clearly hacking attempts, such as SSI and SQL injection. For example -- I have one hostname listed as "><!--#EXEC cmd="dir "--><

I am wondering how exactly Google determines these hostnames, and where exactly the attacker may have been attempting these exploits that resulted in them being registered as hostnames in my GA profile? More so, should I be concerned at all that they are there--i.e., does the fact that they are showing up as the hostname say anything about the potential success of the attack?


1 Comments


@XinRu657

I also noticed a number of items that are clearly hacking attempts,
such as SSI and SQL injection.


Unless you can confirm that these requests were issued against your webserver (and not directly at the Google Analytics tracking servers) there isn't much cause for concern here - your webserver should be dropping HTTP requests with malformed hosts like these before any SSI/SQL is evaluated.


I am wondering how exactly Google determines these hostnames, and
where exactly the attacker may have been attempting these exploits
that resulted in them being registered as hostnames in my GA profile?


Google Analytics is a data aggregation service - it does not do much parsing of the information passed to it (beyond GeoIP lookups on IP addresses and evaluation of user-agent strings).

Whichever Host field value is passed to the Google Analytics tracking servers (typically via the ga.js JavaScript but, in the case of these requests, you can assume that the attacker is sending requests directly to the tracking servers without even visiting your site) will be stored.

It should be safe to ignore, though if this traffic shows up as a significant percentage of the traffic reported in your Google Analytics profile you may want to create an advanced segment to disregard unknown hostnames and contact Google Analytics support to see if they can't purge the bogus request data and (maybe, someday) implement some filters to address the problem of bogus and spam requests.


Does the fact that they are showing up as the hostname say anything
about the potential success of the attack?


Yes - it means that the attack was unsuccessful, otherwise the attack data would not have been stored. (Though it is likely a variety of attacks were tried - keep in mind, though, that your server wasn't the target if the attacks are focused on the Host field)

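One way to check the condition the answer raises (whether such requests ever reached your own web server rather than only the Google Analytics collectors), as an added example that is not part of the original answer: it scans access-log lines for Host values that are not valid hostnames or not in your expected set, and reports whether the server rejected them. The log layout, `EXPECTED_HOSTS` and the sample lines are constructed assumptions.

```python
import re

# Assumed log layout (constructed for this example):
#   client_ip "Host header as logged" "request line" status
LINE_RE = re.compile(r'^(\S+) "((?:[^"\\]|\\.)*)" "([^"]*)" (\d{3})$')

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens, optional :port
LABEL = r'[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
HOST_RE = re.compile(rf'^{LABEL}(?:\.{LABEL})*(?::\d{{1,5}})?$')

EXPECTED_HOSTS = {"example.com", "www.example.com"}  # placeholder: your real hostnames

def is_valid_hostname(host):
    """True when the logged Host value is syntactically a hostname[:port]."""
    return HOST_RE.match(host) is not None

def audit(lines, expected=EXPECTED_HOSTS):
    """Return (ip, host, status, verdict) for each request with a suspicious Host."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # line not in the assumed layout
        ip, host, status = m.group(1), m.group(2), int(m.group(4))
        if not is_valid_hostname(host):
            # 4xx/5xx: the server dropped it; anything else deserves a closer look
            verdict = "malformed-rejected" if status >= 400 else "malformed-served"
        elif host.split(":")[0].lower() not in expected:
            verdict = "unexpected-host"
        else:
            continue
        findings.append((ip, host, status, verdict))
    return findings

# Constructed sample lines; quotes inside the Host value appear escaped as \x22
SAMPLE_LOG = [
    r'198.51.100.4 "www.example.com" "GET / HTTP/1.1" 200',
    r'203.0.113.7 "\x22><!--#EXEC cmd=\x22dir \x22--><" "GET / HTTP/1.1" 400',
    r'203.0.113.9 "scraper-mirror.test" "GET / HTTP/1.1" 200',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

An empty result over the period in question supports the answer's reading that the bogus hostnames were sent straight to the tracking servers; a `malformed-served` verdict is the case worth investigating.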

