• Resolved TheWatcher2

    (@thewatcher2)


    When reviewing the live traffic on my website, I have noticed that bots are continually probing for the Koko Analytics plugin within WordPress:

    https://endtimestruth.com/wp-content/plugins/koko-analytics/assets/dist/js/script.js?ver=1.0.29

    I have even tried uninstalling Koko Analytics but the bot probing still continues with hundreds of attempts every day to get to this URL.

    Is this a normal function for bots that have found the Koko Analytics’ installation within WordPress or are they probing for a vulnerability in the plugin? I don’t see these probes occurring with other plugins.

    I hesitate to reinstall Koko Analytics until I can determine what is going on.

    Thanks,
    Greg

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Danny van Kooten

    (@dvankooten)

    Hello Greg,

    That is interesting.

    Can you please share exactly what is happening, e.g. a small dump of your access log or whatever you’re using to see this file being requested a lot more than is normal for your website? If you want, you can share it privately with us through our email address [email protected].

    There haven’t been any discovered vulnerabilities in Koko Analytics and obviously I am not aware of any right now either.

    One thing I can think of is that these are bots trying to get referrer spam into your dashboard page. Do you see a lot of weird URLs in your list of referrers by any chance?

    Thread Starter TheWatcher2

    (@thewatcher2)

    Hi Danny,

    Thanks for the quick response. I’ve attached below an activity detail from the live traffic feed seen using the Wordfence Security plugin for WordPress. Every bot probes for the exact same URL within the /wp-content/koko-analytics/ folder. There have been several probes of this URL over the past hour originating from different IP addresses (all bots). Note that I’ve set up a redirection to the homepage for any bots trying to get to this URL, so you can see that they were redirected.

    Please let me know what you think.

    Thanks!
    Greg

    Activity Detail
    Carrollton, Texas, United States left https://endtimestruth.com/end-times-chronology/ and was redirected when visiting https://endtimestruth.com/wp-content/plugins/koko-analytics/assets/dist/js/script.js?ver=1.0.29
    6/2/2022 11:27:58 AM (13 minutes ago)
    IP: 47.183.195.117 Hostname: 47.183.195.117
    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.5 Safari/605.1.15

    Plugin Support Lap

    (@lapzor)

    Isn’t it that any bot visiting any page on your site and loading JS on that page would also try to load the koko analytics script, and then be redirected? :)

    Thread Starter TheWatcher2

    (@thewatcher2)

    Currently, Koko Analytics is not installed. I uninstalled it when I noticed this activity from bots. So if I’m understanding what you are saying, this is a typical probe by bots if you have Koko Analytics installed?

    And now I see where this is coming from. I reinstalled it on one of my sites and this src is seen in the head related to “koko-analytics-js”.

    That’s all I wanted to know. Thanks for your help!

    Greg

    Plugin Support Lap

    (@lapzor)

    While you may have deleted the plugin, it seems that the link to the script is still included in all your pages, most likely because of server caching.

    So when I, or you, or anyone else, including bots, visit any page on your site, the script is still included in the page and our browser will try to load it.

    Here is a screenshot that shows the script is still included on your site for all visits: https://i.imgur.com/7kqdFJz.png
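
The two checks this thread arrives at, as an added example that is not part of the original posts or the plugin's code: whether a cached page still carries a script tag for a plugin that is no longer installed, and whether hits on that asset arrive with a Referer from the site's own pages (a page load) or without one. The host `example.test`, the sample HTML, the log lines (combined log format is assumed) and the set of installed plugin slugs are all constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

PLUGIN_PATH = re.compile(r"^/wp-content/plugins/([^/]+)/")
# Combined log format: "METHOD path PROTO" status size "referer" ...
LOG_LINE = re.compile(r'"(?:GET|HEAD) (\S+) [^"]*" \d{3} \S+ "([^"]*)"')

class ScriptSrcs(HTMLParser):
    """Collect the src of every <script> tag in a page."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.srcs.append(src)

def stale_plugin_scripts(html, installed_slugs):
    """Script URLs in html that point into plugins that are not installed."""
    parser = ScriptSrcs()
    parser.feed(html)
    matches = ((s, PLUGIN_PATH.match(urlparse(s).path)) for s in parser.srcs)
    return [s for s, m in matches if m and m.group(1) not in installed_slugs]

def classify_hits(log_lines, site_host, asset_path):
    """Split hits on asset_path by whether the Referer is a page on this site.
    Referer is client-supplied, so treat the split as a triage signal only."""
    counts = {"from_own_page": 0, "no_or_foreign_referer": 0}
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m or urlparse(m.group(1)).path != asset_path:
            continue
        same_site = urlparse(m.group(2)).hostname == site_host
        counts["from_own_page" if same_site else "no_or_foreign_referer"] += 1
    return counts

# Constructed sample data; example.test and 192.0.2.x are placeholders.
ASSET = "/wp-content/plugins/koko-analytics/assets/dist/js/script.js"
CACHED_HTML = (f'<head><script src="https://example.test{ASSET}?ver=1.0.29" '
               'id="koko-analytics-js"></script></head>')
SAMPLE_LOG = [
    f'192.0.2.10 - - [02/Jun/2022:11:27:58 +0000] "GET {ASSET}?ver=1.0.29 HTTP/1.1" 302 0 "https://example.test/end-times-chronology/" "Mozilla/5.0"',
    f'192.0.2.11 - - [02/Jun/2022:11:30:02 +0000] "GET {ASSET} HTTP/1.1" 302 0 "-" "curl/8.0"',
    '192.0.2.12 - - [02/Jun/2022:11:31:10 +0000] "GET /end-times-chronology/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
```

A non-empty result from `stale_plugin_scripts` on a freshly fetched page means the page cache still needs purging; once it is empty, any remaining hits on the asset are worth a closer look.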

  • The topic ‘Why do bots probe for Koko Analytics?’ is closed to new replies.