Hello everyone,
So I am quite concerned about this to be honest.
Been asking friends, and posted on Twitter, but it looks like no one can tell me exactly what this is, and because I am thick, I need to find out why this is happening.
I am trying to find out what this can be caused by, so feel free to see the open analytics.
site.
-colorsandfonts.com
So let me explain: a couple of days ago, I was looking at my side project's analytics because it is popular and I was interested...
Then I saw this IP
172.16.1.19
and the IP has these URLs attached.
172.16.1.12/admin
172.16.1.19
172.16.1.12/dashboard
172.16.1.12/login
172.16.1.12
172.16.1.12/register
172.16.1.12/admin/admin/add_vaccination_details
172.16.1.12/forgot-password
172.16.1.12/admin/users
http://172.16.1.12/edit_vaccination_details/983?_token=4THJVII8ioTSeiXvU6jciRs4AzAmP1oXkaPtqtd6&id=983
http://172.16.1.12/admin/edit_vaccination_details/1150
http://172.16.1.12/admin/edit_vaccination_details/996
http://baidu.com/
http://172.16.1.12/admin/edit_vaccination_details/1308
http://172.16.1.12/admin/edit_vaccination_details/884
http://172.16.1.12/admin/edit_vaccination_details/818
http://172.16.1.12/admin/edit_vaccination_details/885
http://172.16.1.12/admin/edit_vaccination_details/948
Then this was also a referral.
cftri is something in India
and this matches with the URLs.
Then I happened to see the raw version and it was linking to this
https://toolkit.addy.codes/
Any clue would be deeply appreciated.
Thank you in advance,
/Mike
That's very strange... I'm thinking it may be more on your web hosting side since 172.16.x.x is private and not routable over the internet.
My guess is "vs" in the vs.ctrfi.com stands for vaccine scheduler, and someone is/was trying to put up a new website to do vaccine scheduling in India and maybe they were using the same hosting provider as you and something went wrong in the host config so it sent the requests to you.
I think it'd be worth reaching out to your web hosting support and explain the situation and see if they have any ideas.
Ahh well, that's Netlify.
I could absolutely do it, why not.
Where is your app deployed? Oh, never mind, I saw now in a comment that it's Netlify. My guess is some internal routing misconfiguration, since that's an internal IP...
Yeah, I'll be asking there today. Thank you Bruno!
Another option would be that the users accessing your website are behind a proxy which requires authentication for Internet access. After the user has authenticated against the proxy, a 301 will be sent from the proxy containing the original requested URI:
I've seen something like this in the past, but not sure if this also happens in your case.
Is this also possible when my site has no registration?
Generally some organizations have internet access only through firewalls; in that case you may see all the company traffic as a single IP.
so you mean like an Intranet?
Yes.
I don't know exactly what your stats are tracking (just pages, or pages and assets like images), but what it looks like to me is that someone cloned your website onto a private network, and it is either linking to your actual site (they didn't edit all the links), or trying to load assets from your website (they didn't change the image src).
Well, my first thought was that they copied all the site and tracking script..
This is the site.
Colorsandfonts.com
no images whatsoever...
There's the favicon, and the opengraph image being served from that domain.
I'm guessing your stats service can't show you requests filtered by referrer? That would tell you exactly what's being requested.
And/or if you somehow have access to the raw request logs, that would tell you what you need as well.
Does the stats service have prevention in place so people can't copy your stats website-id and feed requests in?
You can see the raw version, but it is not saying much other than that weird UTM.
which happens to be where my site is featured...
Mmmm, I am not quite sure if Umami.is can do that. I could have a look.
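An added example, not part of the original thread and not the analytics service's own code: one way to triage raw analytics events like the ones discussed above, flagging hits whose page was served from somewhere other than the real site or whose referrer is a private (RFC 1918) address. The event field names (`url`, `referrer`) and the sample events are constructed assumptions, not a real export format.

```python
import ipaddress
from urllib.parse import urlsplit

SITE_HOSTS = {"colorsandfonts.com", "www.colorsandfonts.com"}  # the thread's site

def host_of(value):
    """Extract the lowercase host from a full URL or a scheme-less 'host/path'."""
    if not value:
        return None
    if "://" not in value:
        value = "//" + value          # lets urlsplit see a network location
    return (urlsplit(value).hostname or "").lower() or None

def classify_host(host):
    """Return 'own', 'private-ip', 'public-ip', 'foreign-host' or 'none'."""
    if host is None:
        return "none"
    if host in SITE_HOSTS:
        return "own"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "foreign-host"         # a hostname that is not ours
    return "private-ip" if ip.is_private else "public-ip"

def triage(events):
    """Yield (event, reasons) for hits that did not come from the real site."""
    for ev in events:
        reasons = []
        page = classify_host(host_of(ev.get("url")))
        ref = classify_host(host_of(ev.get("referrer")))
        if page not in ("own", "none"):
            reasons.append(f"page served from {page}")
        if ref == "private-ip":
            reasons.append("referrer is a private address")
        if reasons:
            yield ev, reasons

# Constructed sample events (field names are assumptions, not a real export).
SAMPLE = [
    {"url": "https://colorsandfonts.com/", "referrer": "https://toolkit.addy.codes/"},
    {"url": "172.16.1.12/admin", "referrer": ""},
    {"url": "http://172.16.1.12/admin/edit_vaccination_details/996",
     "referrer": "http://172.16.1.12/admin"},
    {"url": "https://colorsandfonts.com/", "referrer": "http://baidu.com/"},
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE):
        print(ev["url"], "->", "; ".join(reasons))
```

Hits flagged as served from a private address mean the tracking snippet, with its website ID, is running on a page hosted somewhere other than the real site, which is the scenario raised in the comments about a cloned page and a copied website-id.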