Getting weird type of traffic: (/safeview-redirect/tc_frame.html) - Urgent help

Hello there!

In my Google Analytics, I am seeing some unusual URLs which do not belong to my website.

And I am getting a ton of these in Real time. I have confirmed the hits with my hosting provider. They are unable to do anything. They told me to use Cloudflare. But this traffic is still coming.

These links start with /safeview-redirect/tc_frame.html?dt=xxxxxxxxxxx… very long, including many things and parameters.

This is one, which I have copied:
/safeview-redirect/tc_frame.html?dt=PCFET0NUWVBFIGh0bWw+&n=94289b35&furl=YWJvdXQ6c3JjZG9j&turl=aHR0cHM6Ly9nZXR2b2ljZS5vcmcvc2VhcmNoP3E9V2hhdCtpbmZyb21hdGlvbittb3N0K2xpa2VseStwcmVzZW50cythK3NlY3VyaXR5K3Jpc2srb24reW91citwZXJzb25hbA==

This is appended to my homepage, like domain.com/safeview-redirect/

When I open this link with my domain, it lands on a 404 page [Page not found].


I can’t figure out what is going on. My hosting provider can’t either.

If any of you have any knowledge about this thing, please help me.

Is it bot or fake traffic?
Is this making any login attempts or scraping content from my website?

Additional info:

  1. CMS used by website - Question2Answer (Open source used by thousands)
  2. Hosting - AWS through some company.
  3. Location shown by Google Analytics - Boydton, Virginia, USA.

If you need any other information, I am ready to provide it. But please, please help me.

I have enabled Under Attack mode (DDoS prevention) in Cloudflare.

The bots aren’t showing anymore. But, on the downside, visitors are getting a check for 2-5 sec.

This might turn them back, or may drop my Core Web Vitals score.

Anyone know something about this? Should I turn off the protection mode?

I have the same problem…

Hello there @kk3575515

Here’s the #tutorial to be your aid:

If you’ve blocked the threats using WAF & other measures as in the article, you can give it a try.

Thanks @neiljay

I have checked it. As I have already mentioned, these requests STOP showing whenever I enable UAM (Under Attack Mode). So, I haven’t looked further.

But I have noticed something quite strange: whenever I edit or post something new on my website, these hits start to come. So, I think there could be a possibility that my content is being scraped to post on spammy websites. Another possibility may be that my website is loading in some sort of frame.

Also, all the requests appear to hit the same PATH /safeview-redirect/tc_frame.html; surprisingly, this path doesn’t exist on my website.

So, I think I should block the PATH or activate some sort of WAF.

What I mean to say is whenever there is some request on /safeview-redirect/tc_frame.html, the Cloudflare WAF simply blocks it or asks for a JS challenge.

How can I implement this? Well, I can using hit and trial, BUT I am afraid to do it on a live website. Are there any tutorials on blocking hits on a specific PATH?

Till now, I have done this and saved as draft. I might choose JS challenge instead of BLOCK.

Is it the correct way to do this? Will it work?

@kk3575515

If that’s the case, I recommend you check your theme/site code/plugins/whatever is involved for malicious activity. You may need third-party help in achieving site security.

The attached #tutorial gives the hint on how to achieve it.

It’s set to Block right now.

That works indeed. If I’m wrong, other members will certainly guide you on the best way to achieve it.

I’d go with Block. It’s a safe bet that your website does not have anything like that path, so it’s best to not waste any time challenging that traffic.

If you want to be more specific, then block for Path Contains safeview-redirect/tc_frame
I prefer a simpler match like you already have.


Hey @neiljay and @sdayman

I have implemented this firewall rule. The HITs were less than 100 per day. This is the reason why I haven’t blocked them, and instead challenged them. Also, I am not sure what these HITs’ real intentions are. If they bypass it or come in larger amounts, I will directly block them.

After implementing this, I am getting almost 0 hits. There are still 1 or 2 coming after 10-12 hours; maybe the attacker is manually loading to check because the hits are being challenged.

Now I can see most of the requests are coming from a Microsoft data center in Boydton, Virginia. Other users are getting the same thing, when I dig deeper. Others have reported getting spam, DDoS and other things from the same IP (52.177.249.187). You can check here: AbuseIPDB.

Besides this, I am seeing this weird user-agent coming from a different IP.
"userAgent": "ias-va/3.1 (+https://www.admantx.com/service-fetcher.html)"

This user-agent is also requesting the same PATH /safeview-redirect/tc_frame.html BUT without any additional query (other hits have long queries and parameters). I suspect this service is checking for any update and change after some time and notifying other servers, and then the other major hits come.

Anyone have an idea about this? (Full request data in JSON below)

{
  "action": "jschallenge",
  "clientASNDescription": "AS-30083-GO-DADDY-COM-LLC",
  "clientAsn": "30083",
  "clientCountryName": "US",
  "clientIP": "148.72.152.20",
  "clientRequestHTTPHost": "mydomain.com",
  "clientRequestHTTPMethodName": "GET",
  "clientRequestHTTPProtocol": "HTTP/1.1",
  "clientRequestPath": "/safeview-redirect/tc_frame.html",
  "clientRequestQuery": "",
  "datetime": "2022-10-19T00:51:25Z",
  "rayName": "75c58671ce491857",
  "ruleId": "f020a351b02e442d97e06d65d97bd00c",
  "rulesetId": "",
  "source": "firewallrules",
  "userAgent": "ias-va/3.1 (+https://www.admantx.com/service-fetcher.html)",
  "matchIndex": 0,
  "metadata": [
    {
      "key": "filter",
      "value": "152fdc9c3f484bd1b47cbcaa51d8bb69"
    },
    {
      "key": "type",
      "value": "customer"
    }
  ],
  "sampleInterval": 1
}

Upon some digging, I see: this data seems to be fetched by and related to some kind of monitoring system, where the most trafficked sites are monitored. It also could be related to digital ad branding & publishing, I assume.
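As an added triage helper (not code from the thread or any of its posters), the Python below decodes the base64-looking query parameters from the URL in the first post and flags Cloudflare firewall events on the nonexistent path, using the event shape shown in the JSON above. The reading of dt/furl/turl as base64 text is my own and not something the thread states; the path and sample values are taken from the posts.

```python
import base64
import binascii
from urllib.parse import unquote

# Path from the thread; it does not exist on the site, so every hit on it is junk
JUNK_PATH = "/safeview-redirect/tc_frame.html"

# Query copied from the first post; dt/furl/turl turn out to be base64 text
SAMPLE_URL = ("/safeview-redirect/tc_frame.html?dt=PCFET0NUWVBFIGh0bWw+&n=94289b35"
              "&furl=YWJvdXQ6c3JjZG9j&turl=aHR0cHM6Ly9nZXR2b2ljZS5vcmcvc2VhcmNoP3E9"
              "V2hhdCtpbmZyb21hdGlvbittb3N0K2xpa2VseStwcmVzZW50cythK3NlY3VyaXR5K3Jp"
              "c2srb24reW91citwZXJzb25hbA==")

# Trimmed from the Cloudflare firewall event posted in the thread
SAMPLE_EVENT = {
    "clientIP": "148.72.152.20",
    "clientRequestPath": "/safeview-redirect/tc_frame.html",
    "clientRequestQuery": "",
    "userAgent": "ias-va/3.1 (+https://www.admantx.com/service-fetcher.html)",
}

def try_b64(value: str) -> str:
    """Decode value as base64 UTF-8 text; return the raw value if it is not."""
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return value
    return text if text.isprintable() else value

def decode_query(url: str) -> dict:
    """Split the query by hand: '+' is base64 data here and parse_qs would
    turn it into a space, which breaks the decoding."""
    _, _, query = url.partition("?")
    params = {}
    for pair in filter(None, query.split("&")):
        key, _, raw = pair.partition("=")
        params[unquote(key)] = try_b64(unquote(raw))
    return params

def triage(event: dict) -> dict:
    """Flag a firewall event on the junk path and attach its decoded parameters,
    so hits can be reviewed without opening any of the embedded URLs."""
    path = event.get("clientRequestPath", "")
    params = decode_query(path + "?" + event.get("clientRequestQuery", ""))
    return {"flagged": path.startswith(JUNK_PATH), "ip": event.get("clientIP"),
            "ua": event.get("userAgent"), "params": params}

if __name__ == "__main__":
    print(decode_query(SAMPLE_URL))  # dt -> '<!DOCTYPE html>', furl -> 'about:srcdoc'
    print(triage(SAMPLE_EVENT))
```

Treat any decoded turl value as data to log, not as a link to open.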
