@dev-101 opened this issue on March 31st 2016

Hi, I run a VPS with multiple vHosts, and some of them have completely separate Piwik installations (with dedicated databases), and few others are not tracked, just websites.

To make this simple, here is the setup model:

vHost A + Piwik A with separate db (btw. this is the first, and thus, default vHost) vHost B + Piwik B with separate db vHost C (no Piwik) vHost D (no Piwik) and so on.

Now, today I have noticed something very strange in my Piwik A (vHost A) visitors log: it showed me that a visitor has visited a page from my vHost B (Piwik B) and it was logged as a valid perfectly normal visit. Needless to say that this domain is NOT a domain of vHost A, so that should never happen, right? I mean, it should be reported in Piwik B.

Then I accessed my server log, to see what this user was trying to access. And here it is:

150.70.188.181 - - [31/Mar/2016:16:48:15 +0200] "GET /piwik/piwik.php?action_name= HERE-IS-THE-EXISTING-PAGE-X-FROM-vHOST-B &idsite=1&rec=1&r=859861&h=9&m=47&s=24&url= HERE-IS-THE-EXISTING-HTTP-URL-X-FROM-vHOST-B &urlref= HERE-IS-THE-EXISTING-HTTP-URL-X-FROM-vHOST-B &_id=6a7b696b46d04eda&_idts=1459435613&_idvc=1&_idn=0&_refts=1459435613&_viewts=1459435613&_ref= https%3A%2F%2Fwww.google.com%2F&send_image=0&pdf=1&qt=0&realp=0&wma=0&dir=0&fla=1&java=0&gears=0&ag=0&cookie=1&res=1920x1080&gt_ms=429 HTTP/1.1" 204 121

As you can see, it was trying to pass a real, existing page from my vHost B website and some referrer spoofing or whatever.

Now, this probably got returned to my vHost A (as it is the default one, when you access the VPS server via IP Address), so it got recorded by Piwik A (instead of Piwik B).

Server returned HTTP 204 [NO CONTENT]

This was a single request (no other components were requested - like css, js etc.) so it was clearly a bot or some tool used there, seeking specifically for some results from Piwik.

The IP belongs to Japan Network Information Center (whoever they are).

My question: while this might be actually a very interesting anomaly that may put some suspicion to the careful admin (I have noticed this only because my vHost A website has very low traffic, otherwise, it would probably be noticed only on page reports, where a page from other vHost website would be reported) - should we somehow prevent this from happening?

Thanks

update:

I have done some server configuration modifications to prevent vHost A from being default, now this mix-up should never happen again. Still, would be nice to hear some opinions about this.

@tsteur commented on April 1st 2016

Needless to say that this domain is NOT a domain of vHost A, so that should never happen, right? ... ... - should we somehow prevent this from happening?

Technically anyone can send any tracking request for any URL to your Piwik unless disabled via this feature: http://piwik.org/faq/how-to/#faq_21077

Then only requests for your configured domains can be sent to Piwik A / B

@dev-101 commented on April 1st 2016

Hi tseur,

This seems to be what I was looking for.

Thanks.

This issue was closed on April 1st 2016
Powered by GitHub Issue Mirror