qq829.com: Malicious Scripts or Spam from China?

Website managers from all over the world are reporting some weird referrers from qq829.com to their sites. If you are following your site stats on a daily basis, you might have come across some peculiar and unexplained traffic from China, from a link that looks like this:

http://qq829.com/web_stat.asp?dn=domainname.com

The domain itself, qq829.com, is Chinese and is linked to http://new.cnzz.com, a known spammy domain. It’s hard to make sense of the site itself. Some information about the site can be found here.

At the moment there are no certain answers as to what this link is, or whether it’s malicious, a splog or plain spam. Currently, the most helpful source of information about this is a discussion in Google Analytics Help.

You can also follow updates on the matter with a Google search, focused on the latest results.

The links are suspicious and a bit worrisome, because no one knows for sure if it’s a script attack, simple spam or a meaningless mistake on the Chinese side (unlikely). If you own a website, make sure your files haven’t been tampered with (I’ve checked mine and they seem untouched) and that you have a strong FTP password and/or a strong admin password (if you have a CMS).

The best solution I have located thus far is to block the Chinese IPs through the .htaccess file. The IPs change with every hit, but you can also block whole batches of IP addresses from China if you don’t fear losing Chinese traffic.

If you wish to block traffic from cnzz.com and qq829.com, AurelloSoft suggests that you insert this code in your .htaccess file (copy ONLY the directives, NOT the dashed separator line that follows them!):

# Flag requests whose Referer host is qq829.com or cnzz.com (any subdomain).
# A Referer header always starts with the scheme ("http://..."), so a pattern
# anchored as "^qq829" never matches; match the host after the scheme instead.
SetEnvIfNoCase Referer "^https?://([^/]+\.)?qq829\.com" TOBLOCK=1
SetEnvIfNoCase Referer "^https?://([^/]+\.)?cnzz\.com" TOBLOCK=1

# Deny every file to flagged requests (Order/Allow/Deny is the Apache 2.2
# syntax; on Apache 2.4 it needs mod_access_compat).
<FilesMatch ".*">
Order Allow,Deny
Allow from all
Deny from env=TOBLOCK
</FilesMatch>
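As an added example (not code from the post or from AurelloSoft), here is a Python script that applies the same referrer check to a server log instead of to live requests: it parses constructed Apache combined-format lines, shows why a pattern anchored at the very start of the Referer value (the "^qq829" style) matches nothing because the value begins with the scheme, flags hits whose Referer host is qq829.com or cnzz.com (or a subdomain), tallies the source IPs behind them so you can decide whether an IP block is warranted, and emits SetEnvIfNoCase lines that key on the host. The log lines, the IP addresses and the function names are all constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" log format; the addresses are
# documentation ranges (RFC 5737), not real visitors.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2011:03:14:07 +0000] "GET /index.php HTTP/1.1" 200 5120 "http://qq829.com/web_stat.asp?dn=example.com" "Mozilla/4.0"
203.0.113.11 - - [12/Mar/2011:03:14:09 +0000] "GET /counter.gif HTTP/1.1" 200 43 "http://new.cnzz.com/stat.htm" "Mozilla/4.0"
198.51.100.7 - - [12/Mar/2011:03:15:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "http://www.example.org/links" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2011:03:16:22 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
"""

# One combined-format line: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

SPAM_HOSTS = ("qq829.com", "cnzz.com")

# A pattern anchored at the start of the header value, as in "^qq829".
# A Referer always begins with the scheme ("http://..."), so this never matches.
ANCHORED_PATTERN = re.compile(r"^(?:qq829|cnzz)", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_spam_referer(referer, spam_hosts=SPAM_HOSTS):
    """True if the Referer's host is one of spam_hosts or a subdomain of it.

    Comparing the parsed hostname rather than a substring of the whole URL means
    'http://notqq829.com/' and 'http://example.org/?u=qq829.com' are not flagged.
    """
    if not referer or referer == "-":
        return False
    host = urlsplit(referer).hostname
    if host is None:
        return False
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in spam_hosts)


def analyze(log_text):
    """Count spam-referer hits, the IPs behind them, and how many lines the
    start-anchored pattern would have caught (expected: none)."""
    result = {"total": 0, "spam_hits": 0, "anchored_matches": 0, "spam_ips": Counter()}
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        result["total"] += 1
        if ANCHORED_PATTERN.search(entry["referer"]):
            result["anchored_matches"] += 1
        if is_spam_referer(entry["referer"]):
            result["spam_hits"] += 1
            result["spam_ips"][entry["ip"]] += 1
    return result


def htaccess_rules(spam_hosts=SPAM_HOSTS, env="TOBLOCK"):
    """Build SetEnvIfNoCase lines that key on the Referer host after the scheme,
    so they match real Referer headers (and only the listed hosts)."""
    lines = []
    for h in spam_hosts:
        pattern = r"^https?://([^/]+\.)?" + re.escape(h) + r"([:/]|$)"
        lines.append(f'SetEnvIfNoCase Referer "{pattern}" {env}=1')
    return "\n".join(lines)


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG)
    print(f"{summary['spam_hits']} of {summary['total']} hits carry a spam Referer; "
          f"the start-anchored pattern caught {summary['anchored_matches']}")
    for ip, n in summary["spam_ips"].most_common():
        print(f"  {ip}: {n} hit(s)")
    print(htaccess_rules())
```

Run it against your own access log by replacing SAMPLE_LOG with the file contents; the per-IP tally is what tells you whether the hits come from a handful of addresses worth blocking or from a rotating pool, in which case the Referer-based rule is the more durable control.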


—–

Update #1: There’s now a claim that qq829.com provides spammers with pre-written blogs. This reinforces the assumption that the links are spam, but there hasn’t been any serious analysis of the site or the code.

Update #2: Thus far the best solution is blocking Chinese IP addresses via the .htaccess file. See instructions above.

15 Responses to “qq829.com: Malicious Scripts or Spam from China?”

  1. Maaya says:

Thanks, I had the exact issue. For the last 10 days I’ve seen views from qq829.com with the exact form of URL. I think I will block it completely.

  2. 1aroun says:

    They aren’t real visits at all. They harvested known statistics code (eg statcounter, xtremetracker) and the corresponding urls, and then they load the statistic image with a proxy simulating an url and spamming the log… if the stats are publicly available they get a free link. That’s what they want

  3. Scott says:

Thanks for this article. My site went down over the weekend, and it was because someone hacked into the index.php file. I had to do a full restore to get the site back running.

Upon further inspection, there’s been a flurry of traffic from the qq829.com Chinese servers, and they coincide with the timestamps on my modified index.php files. So I’m sure they’re related.

    The only fix that worked for me (so far, let’s hope) is the brute force one of blocking whole batches of IP addresses from China. The AurelloSoft patch did not work for me.

    This has now happened to me TWICE. It is troubling that these hacks are persistent. The htaccess patches seem to be holding for now.

  4. matsu says:

I got the same referrer as this article mentions.
    Thank you for the great code snippet.

  5. A bunch of people sent me emails today reporting that AurelloSoft’s code proposed in this blog article, when added to their .htaccess file, generated a 500 error. To address the possible concerns of everybody interested: when you copy/paste that snippet of code into your .htaccess, do NOT copy the last line that contains two dashes (–), and it will work. It’s the dashes that generate the error.

    • The Shark Lady says:

      Thanks, Dimitri, I’ll add that to the post. I added those dashes just as a separator between the post and the updates.

  6. Kim says:

Thanks. This was useful. I’ve been getting this “traffic” about once a day, but can’t find any link on the referring page. No hacks, yet. Maybe it’s just best to ban the IP.

  7. 1aroun says:

I can tell you that they load “old” code they harvested because they pretend to visit URLs that are currently offline. Moreover, some CaSe SenSiTive URL was transformed to lowercase by their own script. They fundamentally use some sort of botnet to load in sequence ALL resources that their harvesting bots listed as belonging to given sites.

  8. […] outlines the most current solutions to block traffic from this domain and china as a […]

  9. […] you also want to protect yourselves from nosy socialists, see here how it’s done. Let’s see how much longer I’ll have my Chinese guests on my site […]

  10. Scott says:

    Status update: Since installing the IP block list and the AurelloSoft domain name block in htaccess, no more hits or hacks from China in over 24 hrs. Success!! Thank you again for this great article.

  11. Andrew says:

    The AurelloSoft domain ref block did not work here. I am on Godaddy, and inserting this code into the htaccess file for some reason makes it viewable to the world, and I still got a visit with it installed. ???? Spoke to other godaddy host users, and they had the same issues.

    Andrew
