WordPress › Support » Could you ban usage of www.google-analytics.com?

Sikkin
Member
Posted 5 months ago #

Hi,

It's related with the usage of Google analytics (173.194.69.100:80) when using wordpress.org web site.
The IP packets sent back are identified (Using snort rules set) as
- GPL SHELLCODE x86 inc ebx NOOP
- Executable Code was Detected
- SID: 1390
As several Google IP addresses* (173.194.0.0/16) are regularly blocked (using IDS and IPS), viewing WordPress.org web site is very inconvenient.

* List of banned Google IP addresses because they have been identified as using unsafe codes (by IDS):
173.194.69.91
173.194.69.93
173.194.69.100
173.194.69.102
173.194.69.113
173.194.69.136
173.194.69.138
173.194.69.190
Jan Dembowski
Volunteer Mod. & Brute Squad
Posted 5 months ago #

Sorry, can who ban and what? What URL are you using that sends you there?
Sikkin
Member
Posted 5 months ago #
Hi,

Thanks for your answer.

I was visiting the WordPress plugin section and the used browser (Mozilla 8.01 - MacOS X 10.6.8) stalled showing "connecting http://www.google-analytics.com".

The http://www.google-analytics.com IP address (like several others, see my first post on this thread) is banned from our firewalls due to their IP packets identified as a threat "Executable Code was Detected".

Analysing the WordPress.org html page which allows me to post my reply, you can found
```
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
```
So, my conclusion is when I'm visiting WordPress web site, I'm receiving code from a third party (Coogle) explicitely writing by WordPress on the header section which is identified by the last Snort rules set (IDS) as a threat.

Jan Dembowski
Volunteer Mod. & Brute Squad
Posted 5 months ago #

Got it. I think that counts as a false positive. That's a legit site being referenced in WordPress.ORG's HTML for tracking purposes.

If you are really concerned about that tracking, consider installing AdBlock Plus and just block your browser's access to that domain.

When you do a whois on google-analytics.com you get this output:

Registrant:
        DNS Admin
        Google Inc.
        1600 Amphitheatre Parkway
         Mountain View CA 94043
        US
        dns-admin@google.com +1.6502530000 Fax: +1.6506188571

    Domain Name: google-analytics.com

        Registrar Name: Markmonitor.com
        Registrar Whois: whois.markmonitor.com
        Registrar Homepage: http://www.markmonitor.com

    Administrative Contact:
        DNS Admin
        Google Inc.
        1600 Amphitheatre Parkway
         Mountain View CA 94043
        US
        dns-admin@google.com +1.6502530000 Fax: +1.6506188571
    Technical Contact, Zone Contact:
        DNS Admin
        Google Inc.
        1600 Amphitheatre Parkway
         Mountain View CA 94043
        US
        dns-admin@google.com +1.6502530000 Fax: +1.6506188571

    Created on..............: 2005-07-18.
    Expires on..............: 2012-07-18.
    Record last updated on..: 2011-06-16.

    Domain servers in listed order:

    ns3.google.com
    ns4.google.com
    ns2.google.com
    ns1.google.com

The registrant MarkMonitor.com is in the business of (among other things) brand protection. It's all legit and nothing to be worried about.

Sikkin
Member
Posted 5 months ago #

> Got it.
OK, I'm happy for you ;-)
> I think that counts as a false positive. That's a legit site being referenced in WordPress.ORG's HTML for tracking purposes.
[....]
> AdBlock Plus and just block your browser's access to that domain.
Got it, thanks for the tricks, it's reduced the WordPress pages processing time (no needs to wait until the time out)

Reply

You must log in to post.

WordPress.org

Forums

Could you ban usage of www.google-analytics.com? (5 posts)

Reply

About this Topic

Tags

Code is Poetry