User Profile Views - Extremely High Lately

I’m getting a crazy high number of User Profile Views lately - and I’m wondering what it means. It used to be down in the low hundreds - but the past few weeks it’s been up around 10,000 per day. It seems like someone is hitting them way too hard - is there any easy way to see who it is, or block them?

Hmm, did anything change in that code path recently @sam?

I don’t see any anomalous stats here on meta:

We have at least two other recorded cases of this happening:

https://meta.discourse.org/t/user-profile-views-dramatic-increase-in-count/38557?u=erlend_sh

6 Likes

Here is my “trend line” the past few months on User Profile Views:

@tgxworld we should cross-correlate with Kibana to see if this looks legit, in particular confirm we can count it all and that we are not counting user card expands.

4 Likes

Any updates on this?

1 Like

Fixed in

https://github.com/discourse/discourse/commit/17f0727b0409ca92001c78a7b8d954c83d94121a

Only forums that are using @DiscourseMetrics.com are affected by this bug.

6 Likes

Great. Please let us know when it’s been phased into the code for the discourse-hosted sites.

Thanks.

1 Like

Is there any chance that this is again an issue? I just noticed this:

My initial thought was “Probably the Who’s online plugin”, but when I view the graph the numbers were high before we installed that plugin.

Is there a way to confirm that the stats are accurate?

No repro on my sites, including this one. So something about your site. Are you using the discoursemetrics plugin, as stated above?

I just filled in the form at www.discoursemetrics.com/

He’s not using our service (yet), so no :slight_smile:

My first thought was “bot crawls”.
If you look at your dashboard stats for Traffic are the numbers for logged in, anon, and crawler similarly disproportionate?
Do you have a lot of accounts under Users - Suspect?

1 Like

Roughly 500 active users, rarely more than 50 at a time.
6 Suspect users:

We’re also seeing about 50 account registrations/day on our WordPress site, but they’re spread out irregularly over time, mostly msn, gmail and yoohoo accounts.

Script kiddies?

It looks as if, if the high profile views are coming from anywhere, it would be the anon users. I can get that some would be interested in checking out Profiles, but for numbers like you’re seeing I can’t help but think it would need to be a script doing it.

My interest has been sparked, I’ll do some digging ASAP to see if there’s any way to get more data.

1 Like

I agree about the script driven. Even if we had a huge number of users with ADHD who couldn’t be bothered to login and were just looking at the site to see if something has happened we wouldn’t be getting those kinds of numbers.

You can grep through the logs and look for patterns:

```bash
# Count /users/ requests per source (field 3 of each log line), highest counts first
grep 'GET /users/' /var/discourse/shared/standalone/log/var-log/nginx/access.log | cut -d " " -f 3 | sort | uniq -c | sort -rn | head -n 20
```

This should show if the sources of those requests are all the same.

2 Likes

I’m just trying to get someone who has SSH access to look at it.

Would the /staff/nginx logs be of any use in the meantime?

There is a table that stores all this information :slight_smile:

In data explorer, you can run the following query to see which users are getting the most profile views:

```sql
SELECT
  user_profile_views.user_profile_id AS user_id,
  COUNT(user_profile_views.user_profile_id)
FROM user_profile_views
GROUP BY user_profile_views.user_profile_id
ORDER BY COUNT(user_profile_views.user_profile_id) DESC
```

Another query that might be helpful is to see which IP address is generating the most views:

```sql
SELECT
  user_profile_views.ip_address,
  COUNT(user_profile_views.ip_address)
FROM user_profile_views
GROUP BY user_profile_views.ip_address
ORDER BY COUNT(user_profile_views.ip_address) DESC
```

7 Likes

I work with Andrew Waugh on the same Discourse site. I finally had some time to start digging into this, and soon discovered that a whole bunch of the requests came from one IP, 104.236.201.204, and that they all included our API key.

That IP belongs to Digital Ocean, and since the requests included our API key, I’m assuming this is coming from Discourse Metrics. We’ve turned Metrics off now, but here’s a redacted sample from our “outer” nginx log:

```
104.236.201.204 - - [31/Mar/2017:19:00:22 +0000] "GET /users/SomeUser.json?api_key=sekrit&api_username=system HTTP/1.1" 200 1343 "-" "Ruby"
```

We’ll see in a day or two if this makes our user profile views go down by a significant amount.

Gunnar

3 Likes
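
An added example, not part of the thread and not Discourse or Discourse Metrics code: the per-source tally from the grep above, applied to lines in the same format as the redacted "outer" nginx sample, which also records whether each source sent an `api_key` query parameter. The function name and the sample lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumption: nginx "combined" log format, matching the redacted sample line above.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

def summarize_profile_requests(lines):
    """Count GET /users/... requests per (IP, user agent), busiest first."""
    hits, with_key = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue  # skip malformed lines and non-GET requests
        url = urlsplit(m["target"])
        if not url.path.startswith("/users/"):
            continue  # only profile requests are of interest here
        source = (m["ip"], m["agent"])
        hits[source] += 1
        # Record only that a key was sent; never store or print its value.
        if "api_key" in parse_qs(url.query, keep_blank_values=True):
            with_key[source] += 1
    return [
        {"ip": ip, "agent": agent, "requests": n,
         "with_api_key": with_key[(ip, agent)]}
        for (ip, agent), n in hits.most_common()
    ]

# Constructed sample lines: documentation-range IPs and a placeholder key value.
SAMPLE_LOG = [
    '203.0.113.10 - - [31/Mar/2017:19:00:22 +0000] "GET /users/alice.json?api_key=PLACEHOLDER&api_username=system HTTP/1.1" 200 1343 "-" "Ruby"',
    '203.0.113.10 - - [31/Mar/2017:19:00:23 +0000] "GET /users/bob.json?api_key=PLACEHOLDER&api_username=system HTTP/1.1" 200 1290 "-" "Ruby"',
    '198.51.100.7 - - [31/Mar/2017:19:00:25 +0000] "GET /users/alice HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [31/Mar/2017:19:00:26 +0000] "GET /users/carol.json?api_key=PLACEHOLDER&api_username=system HTTP/1.1" 200 1311 "-" "Ruby"',
    '198.51.100.7 - - [31/Mar/2017:19:00:30 +0000] "GET /t/welcome/1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for row in summarize_profile_requests(SAMPLE_LOG):
        print(row)
```

A single source with a scripted user agent and a key on every request points at an API integration rather than anonymous visitors, and a key that shows up in access logs this way is exposed to anyone who can read those logs.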