* The Business of Software

A former community discussing the business of software, from the smallest shareware operation to Microsoft. A part of Joel on Software.

We're closed, folks!

Links:

» Business of Software FAQ
» The Business of Software Conference (held every fall, usually in Boston)
» Forum guidelines (Please read before posting!)

Moderators:

Andy Brice
Successful Software

Doug Nebeker ("Doug")

Jonathan Matthews
Creator of DeepTrawl, CloudTrawl, and LeapDoc

Nicholas Hebb
BreezeTree Software

Bob Walsh
host, Startup Success Podcast author of The Web Startup Success Guide and Micro-ISV: From Vision To Reality

Patrick McKenzie
Bingo Card Creator

Hourly Installs from China

Hello. I found unusual activity in my traffic logs that I thought maybe you guys have experience with. I can't understand why one IP address (in China) is installing my software every hour or two. Does that activity sound familiar to anyone here? The behavior has gone on over a 6 - 7 hour period!
Nicole Miller Send private email
Sunday, May 10, 2015
 
 
Probably a proxy server used by millions of people in China.
A really anonymous coward Send private email
Sunday, May 10, 2015
 
 
At one point I was getting masses of downloads from China, but they never installed. So I blocked all the offending IP addresses. Problem went away.
Andy Brice Send private email
Sunday, May 10, 2015
 
 
> Does that activity sound familiar to anyone here?

It could be anything, from a spotty youth trying to crack your software, a user who wrote the serial number down incorrectly and re-installs with each attempt at registering, or perhaps a computer support person installing your software on several computers at a university or school with the same gateway ip#
Billy Thorpe Send private email
Sunday, May 10, 2015
 
 
Well, all these ideas sound applicable I guess. Thanks for shedding some light!
Nicole Miller Send private email
Monday, May 11, 2015
 
 
Just checked my logs and found another 4 Chinese IPs that are downloading the Windows install of PerfectTablePlan 20+ times per days every day. But they never download anything else, install it or visit any other pages. Weird. I blocked them.
Andy Brice Send private email
Monday, May 11, 2015
 
 
Well, I think I'm going to just let it happen as it's happening in hopes that I can discover what's going on. I'll be sure to share what I learn here in this thread.
Nicole Miller Send private email
Monday, May 11, 2015
 
 
I've been noticing the last week or so that each day I am seeing consistently around 47 of my Setup EXE downloads logged but the weird thing is they are showing as all different IP addresses, but most seem to be from China. They all have one of two variations of  user agent string.
Craig A Send private email
Tuesday, May 12, 2015
 
 
I have experienced the same thing for a good year or more but it's usually hundreds of downloads per day for about a month, and then they go away.  A month later they'll be back and download a different executable roughly the same amount, and then leave again.  No idea in the world why.

What I've done is started redirecting traffic from China to my download.com listing in hopes it will inflate my numbers there ;)
I don't think it is working though...
Doug Send private email
Tuesday, May 12, 2015
 
 
I would love to know what is going on here.
Andy Brice Send private email
Wednesday, May 13, 2015
 
 
This is most curious! I speculate a few possibilities:

1. Its a poorly written web spider that keeps hitting the same urls over and over. Most web-spiders use a referrer in the http request, any hints there?

2. Somebody is trying to create traffic over a network so they are downloading lots of data from various locations. This could be to avoid filtering at their end, if the device(s) performing the filtering cant handle the traffic load they may fail open (and allow everything) rather then fail closed. I don't know if this is possible, just thinking out loud.

does goolging the IPs involved reveal anything (spam reports, whois info, ...) ?
maxr Send private email
Wednesday, May 13, 2015
 
 
LOL @ Doug. I love it!
Nicole Miller Send private email
Wednesday, May 13, 2015
 
 
@Max,

I get a (No referring link) referral for these hits. The IP is 220.181.156.195, and through your search suggestion, I found tht the IP number comes from a spider or content spammer (source: https://www.projecthoneypot.org/ip_220.181.156.195). So I guess it is some kind of bot.

Either way, since my software is English writing software, I disabled its use on non-English operating systems. That doesn't seem applicable to the situation described above, but it sure made me paranoid enough to really target my market!
Nicole Miller Send private email
Wednesday, May 13, 2015
 
 
>Either way, since my software is English writing software, I disabled its use on non-English operating systems.

That sounds a bit drastic. Also I'm not sure it is going to stop them downloading it.

Can't you just block the offending IP addresses?
Andy Brice Send private email
Thursday, May 14, 2015
 
 
I have blogged about it here:
http://successfulsoftware.net/2015/05/14/the-mystery-of-the-chinese-downloads/

Perhaps someone will read my post and shed some light on the mystery.
Andy Brice Send private email
Thursday, May 14, 2015
 
 
@Andy, I have the most basic type of hosting there is, so no blocking capabilities as of yet. :-\
Nicole Miller Send private email
Thursday, May 14, 2015
 
 
Your hosting must be really be pretty basic if you can't upload a .htaccess file.
Andy Brice Send private email
Thursday, May 14, 2015
 
 
My guess is that it is a crawler with a bug.

It gets a link, tries to follow it, but it's actually download.

So it downloads the file, times out and tries again and again.

Or it downloads the file and then re-crawls the same page again and again.

Or it could be the PLA testing their DDoS attack software.  When WWIII starts first we will disrupt their online-banking, then we'll take down the wedding-planning industry.
TomTomAgain Send private email
Friday, May 15, 2015
 
 
>My guess is that it is a crawler with a bug.

I guess that is possible, but it would be spectacularly incompetant.

>first we will disrupt their online-banking, then we'll take down the wedding-planning industry

;0)
Andy Brice Send private email
Friday, May 15, 2015
 
 
These are probably anti viruses crawlers.
When you submit your website to download sites, they provide some Clean Award  from many anti viruses. I guess that these anti viruses are daily downloading your exe file to check it. Many of them are from China.

This is my best guess.
Martin Smith Send private email
Saturday, May 16, 2015
 
 
>> When you submit your website to download sites

Just as a data point - I have not submitted to any download sites but I still see the China downloads.
Craig A Send private email
Wednesday, May 20, 2015
 
 

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics
 
Powered by FogBugz