homepage Welcome to WebmasterWorld Guest from 54.205.160.82
register, free tools, login, search, subscribe, help, library, announcements, recent posts, open posts,
Subscribe to WebmasterWorld

Visit PubCon.com
Home / Forums Index / WebmasterWorld / Webmaster General
Forum Library, Charter, Moderators: phranque & physics

Webmaster General Forum

    
MSIE9 requesting */scanImageUrl and */[object]
Seeing internet explorer 9 request strange invalid urls on my websites
tomashastings




msg:4560507
 7:29 am on Apr 2, 2013 (gmt 0)

Over the last couple of weeks I've been seeing requests to /[object] and /scanImageUrl in my websites root and subdirectories.

I suspect the requests to /[object] and /subdir/[object] are because of a javascript, because with those requests the HTTP_ACCEPT header is set to: application/javascript, */*;q=0.8

The requests to /scanImageUrl have HTTP_ACCEPT set to: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5

I can't for the life of me figure out why browsers are sending these requests, I've been using the same website + javascripts for almost a year now and requests like these started popping up a couple of weeks ago.

Is anyone else seeing stuff like this?

Edit: I forgot to mention that _all_ of the requests containing [object] are from MSIE9, the requests containing scanImageUrl are from different browsers.

 

phranque




msg:4560556
 11:36 am on Apr 2, 2013 (gmt 0)

welcome to WebmasterWorld, tomashastings!


have you checked the IP addresses from which these requests are originating to see if they might be known spambots or vulnerability probes.

tomashastings




msg:4560561
 11:46 am on Apr 2, 2013 (gmt 0)

Yes I checked, the requests seem to be coming from legitimate users. At least 5 of them are IP addresses of users that have ordered from my webshop in the past.

mydogbart




msg:4560604
 1:45 pm on Apr 2, 2013 (gmt 0)

I'm seeing this on an eComm asp.net site. My guess is a browser plugin gone haywire.

"scanImageUrl" is a JS variable used in the McAfee/HackerSafe logo/trustmark display, but we don't use that. One of the many broeser security plugins?

ttomsen




msg:4560681
 6:12 pm on Apr 2, 2013 (gmt 0)

we too have been observing this issue.

It's all from IE9 and only in compatibility mode, denoted by the Trident attribute of the user agent string.

rhum1




msg:4561308
 11:41 am on Apr 4, 2013 (gmt 0)

Hello,

Me too i can see this 404 error on my logs since 5 or 6 days. My website is not in asp but in php

gfergo




msg:4562790
 6:03 pm on Apr 8, 2013 (gmt 0)

We are also receiving requests for /scanImageUrl.

They seem to be coming from IE 8 and IE 9 (both with Trident in the User Agent string).

Has anyone determined the underlying cause yet?

ttomsen




msg:4575764
 2:09 pm on May 20, 2013 (gmt 0)

I posted a question on stackexchange: [snip]

and someone responded and it points to a 3rd party addon(spyware)

here's a summary:

One of my coworkers started exhibit the symptoms (random requests for http://www.example.com/scanImageUrl from IE8), so I hopped on her computer to figure out what was causing the issue.

The problem appears to be due to a malware IE add-on called Yontoo v2.051. I doubt anyone intentionally installs the software, but, among other installers, it is bundled with "EZ Fonts" ([snip]). Disabling both parts of the add-on from IE stops the issue.

[edited by: phranque at 10:08 am (utc) on May 21, 2013]
[edit reason] links to malware, etc [/edit]

phranque




msg:4576079
 10:23 am on May 21, 2013 (gmt 0)

welcome to WebmasterWorld, ttomsen!


thanks for your help with an explanation of the issue.

phranque




msg:4576080
 10:23 am on May 21, 2013 (gmt 0)

warm welcomes all around to mydogbart, rhum1, and gfergo!

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / WebmasterWorld / Webmaster General
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About
© Webmaster World 1996-2014 all rights reserved