What the Heck is qq829.com?

April 19, 2010

This weekend I noticed a few odd entries in my web traffic stats. There were multiple visits from several addresses in China. While the hits came from various cities in China, the one thing they all had in common was the weblink. The link came from an address that looked something like this:

www.qq829.com/web_stat.asp?dn=www.websitename.com

Of course websitename.com was the actual domain name of the blog or website they were visiting.

After seeing a few of these weird entries, I did a little snooping around. I found a thread on the Google Analytics forum regarding these odd entries. Apparently I’m not the only one getting such visits. This web address seems to be linked in some way to a site called cznn which has been known to distribute malware. This is not something I want attached to any of my blogs.

Temporary Fix for the qq829 Situation.

At first, I tried banning the IP addresses. That proved to be an exercise in futility because the IP addresses never seemed to be the same. Through the Google conversation, I found the AurelloSoft site. They specialize in computer security and they recommend blocking these visits by modifying the .htaccess file on the website/blog’s server with the following code:

I removed the code from this post because the code wouldn't display properly. To get the correct code, visit the AurelloSoft Website.

I entered the code on all of my sites. Hopefully it’s working, because I still see the same weird www.qq829.com entries. Although seeing the entries means that the attempts are still being made, it doesn’t mean that they’re getting in.

Take Preventative Measures

If you are not in the habit of checking your visitor stats, give them a look see. You might want to place the above code in your .htaccess file to be on the safe side.

Just another little something to keep us all busy.

UPDATE: I took it one step further. After looking at the source code from the URL of one of the unwanted visitors and finding words such as “net user hacker” and “net localgroup administrators hacker” and “Administrator Guest hacker,” I decided to step things up a bit.

Until this whole mystery is solved I have blocked all visitors from China. I used the .htaccess method as recommended by the Parkansky website (actually, I am currently using both .htaccess methods).


Category: Blog, Maintenance, Scams

About the Author

Felicia A. Williams is a freelance writer and blogger. She spends the majority of her time with her family and writing. If she's not writing or commenting on NJFM, she's either outside smelling the roses or writing articles for one of her other sites.
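
Added example, not part of the original post or of AurelloSoft's script: one way to check a server access log for the referrer pattern described in the post, counting hits, distinct client IPs and response statuses per referrer domain. It assumes Apache's combined log format; the sample lines, IP addresses and example.com are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

BLOCKED_DOMAINS = ("qq829.com", "cnzz.cn")  # referrer domains named on this page
# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) \S+ '
                      r'"(?P<referer>[^"]*)" "[^"]*"$')

def referer_host(referer):
    """Lower-cased hostname of a Referer value, or '' if absent or unparsable."""
    if referer in ("", "-"):
        return ""
    if "://" not in referer:  # stats pages often show the referrer without a scheme
        referer = "http://" + referer
    try:
        return (urlsplit(referer).hostname or "").lower()
    except ValueError:        # malformed value; the header is client-controlled
        return ""

def blocked_domain(host):
    """Match the domain itself or a subdomain, never an arbitrary substring."""
    return next((d for d in BLOCKED_DOMAINS if host == d or host.endswith("." + d)), None)

def summarize(lines):
    """Per blocked domain: hit count, distinct client IPs, response statuses seen."""
    report = defaultdict(lambda: {"hits": 0, "ips": set(), "statuses": set()})
    for line in lines:
        m = COMBINED.match(line.strip())
        domain = blocked_domain(referer_host(m["referer"])) if m else None
        if domain:
            report[domain]["hits"] += 1
            report[domain]["ips"].add(m["ip"])
            report[domain]["statuses"].add(int(m["status"]))
    return dict(report)

# Constructed sample (documentation IP ranges; example.com stands in for the visited site).
REF = "http://www.qq829.com/web_stat.asp?dn=www.example.com"
SAMPLE_LOG = [
    f'203.0.113.10 - - [19/Apr/2010:08:01:12 -0400] "GET / HTTP/1.1" 200 5120 "{REF}" "Mozilla/4.0"',
    f'198.51.100.7 - - [19/Apr/2010:09:14:40 -0400] "GET / HTTP/1.1" 200 5120 "{REF}" "Mozilla/4.0"',
    f'192.0.2.44 - - [20/Apr/2010:07:30:02 -0400] "GET / HTTP/1.1" 403 199 "{REF}" "Mozilla/4.0"',
    '192.0.2.99 - - [20/Apr/2010:07:31:00 -0400] "GET / HTTP/1.1" 200 5120 "http://example.org/?q=qq829.com" "Mozilla/5.0"',
    '192.0.2.50 - - [20/Apr/2010:07:32:00 -0400] "GET /feed HTTP/1.1" 200 900 "-" "FeedReader"',
]

if __name__ == "__main__":
    for domain, entry in summarize(SAMPLE_LOG).items():
        print(domain, entry["hits"], sorted(entry["ips"]), sorted(entry["statuses"]))
```

A 403 status on a matching line means the rewrite rule rejected that request, while a 200 means it was served. The fourth sample line is not counted because the domain appears only in the query string of another site's URL; an unanchored substring pattern on the Referer header would match it.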

Comments (12)


  1. Ignatius says:

    The current consensus about this on the Google Analytics forum seems to be that it is a variation of Trojan Adclicker. It is apparently on the computers of website visitors. That is why blocking China isn’t working for everyone–the website is in China, but infected computers are located in other areas as well. The fact that you see it in your website logs does not appear to mean that your computer or your website is infected.

    I’m definitely not claiming any expertise on this subject, but the Google Analytics discussion thread has some useful links to security sites as well as a Hubpages article that summarizes some of the information in plain English.

    Here’s a link to the discussion:
    http://tinyurl.com/2bvh79j
    The relevant discussion is dated April 20 and 21. However, more information may be added to the discussion at a later date.

  2. AurelloSoft says:

    Hello,
    I wanted to inform you, I updated the .htaccess block script, and it is now working properly.

    # Return 403 Forbidden when the Referer header contains either domain
    RewriteEngine on
    # Options +FollowSymlinks
    RewriteCond %{HTTP_REFERER} cnzz\.cn [NC,OR]
    RewriteCond %{HTTP_REFERER} qq829\.com [NC]
    RewriteRule .* - [F]

  3. Shannon says:

    I’ve never looked at my traffic stats in depth, because my site is only 9 months old and gets little traffic. But recently I reached #1 on Google for a specific keyword and traffic jumped. It’s an exciting breakthrough — only now I’m worried about hackers and spammers and “qq829.com”! Thanks, Felicia 🙂

    But, seriously, thanks for the alert — especially the AurelloSoft and Parkansky fixes. I’ll check them out. I wonder if there are any WordPress plugins we should be using, as well, for added security.

  4. Boloo says:

    I'm trying it but it's not working.

    I still have accesses from China

    • Felicia says:

      Boloo: Unfortunately, it’s not a foolproof method, but I’ve noticed a sharp drop in my China traffic. Are you sure you inserted the code in your .htaccess file correctly?

      Shannon: I’m not sure if there’s a WordPress plugin that will handle this situation. I use WP-Ban for repeated spammers, but this qq829 is a whole different animal.

  5. Ignatius says:

    I haven’t been hit by this problem, but I did start doing a little research after reading this. If any of you have clicked on the qq829 links, they may have put a cookie on your computer. Given that it doesn’t appear to be a reputable site, you might want to check the cookie file on your computer and delete any from them. The Google Analytics discussion indicated that the cookies the writer found had “qq829.com” listed as the first part of the text for each cookie.

  6. Elizabeth says:

    Thanks for the heads up. It’s a shame we have to constantly look over our shoulders for the next threat.

  7. Deanna says:

    Thanks for the heads up. I haven’t seen that in my traffic yet but will be on the lookout for it. 🙂

  8. Allison says:

    I’m going to check my blogs right now! Thanks for the heads up Felicia. Hopefully this will shed some light on these creeps.

  9. workfromhomejunkie says:

    Wow. That’s pretty scary. I hope you get things straightened out.

  10. Tiffany says:

    I noticed incoming links from qq829.com on my site as well yesterday, and they had me perplexed as well. My boyfriend suggested it may be a scam where they make it look like I’m receiving all kinds of traffic from their site so I’ll go and visit them to figure out who they are–basically a trick to gain them more traffic.

    I don’t know what the case is, but I’m checking out the links you’ve added. Thanks for shedding light on this bizarre situation. I’m glad to see I’m not the only one.