Forum Moderators: DixonJones


Someone Asking For Document With Meta Description as name

404 Errors

         

IanTurner

11:54 am on Dec 21, 2016 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Looking through my errors I see a significant number of 404 errors where the meta description of a page is requested as a document.

Anyone else seeing this - is it some kind of server bug, or is there a spider with a bug out there?

engine

12:22 pm on Dec 21, 2016 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



What user agent and IP are you seeing?

keyplyr

12:36 pm on Dec 21, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Just how is this done? How can meta tags be directly requested and not the document itself? What does the log entry look like?

IanTurner

2:45 pm on Dec 21, 2016 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Been a while since I looked in detail at web logs...
but here is one of the examples - I have had lots on various pages across a number of sites.

2016-12-15 21:13:03 10.240.0.3 POST /As+perguntas+mais+frequentes+que+recebemos+aqui+no+the-rest-of-the-meta-description 80 - 177.45.94.83 Mozilla/5.0+(Windows+NT+6.0)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/49.0.2623.112+Safari/537.36 http://www.example.com/example.htm 404 0 2 421

IanTurner

2:54 pm on Dec 21, 2016 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



And another

2016-12-12 16:30:04 10.240.0.3 POST /As+perguntas+mais+frequentes+que+recebemos+aqui+no+the-rest-of-the-meta-description 80 - 201.62.54.72 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/54.0.2840.99+Safari/537.36 http://www.example.com/example.htm 404 0 2 468

not2easy

2:59 pm on Dec 21, 2016 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Looks like amateur messed up referer spam from Brazil - it's a "POST" request, not "GET"

IanTurner

3:56 pm on Dec 21, 2016 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Not so sure that it is just Brazil, as other language sites are also receiving the same kind of log entries.

2016-11-10 12:51:59 10.240.0.3 POST /Les+questions+les+plus+fréquentes+the-rest-of-the-meta-description 80 - 176.140.232.76 Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/49.0.2623.112+Safari/537.36 http://www.example.com/example.htm 404 0 2 171

Note example.com in this entry is a different site

It looks like it could be something to do with certain versions of Chrome

not2easy

4:30 pm on Dec 21, 2016 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



The IP was Brazil, that's why it was mentioned. This 176.140. IP is from France, but it also is a "POST" request.

IanTurner

4:35 pm on Dec 21, 2016 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Yes, the consistency seems to be the POST request and it being Chrome. The pages that are having these requests all have non-submittable forms - with no action and no submit button/submit function

lucy24

7:29 pm on Dec 21, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Are all those + signs present in your raw logs? Or are they an artifact of whatever analytics program you're using? There are times when analytics or processed logs are a valid alternative--in rare situations they may even give better information--but in general there is no substitute for studying the actual, raw, unprocessed logs.

In any case you may choose to block POST requests for pages that don't involve forms; that way you don't have to keep playing whack-a-mole with IP ranges, and your server doesn't have to go to the effort of looking for the file each time.

keyplyr

7:33 pm on Dec 21, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Are all those + signs present in your raw logs? Or are they an artifact of whatever analytics program you're using?
Likely in whatever scripting is being used for the vulnerability attempt.

IanTurner

7:38 pm on Dec 21, 2016 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



The plus signs are in the raw logs, I have shortened the meta description to anonymise - in the log they are requesting the full meta description. I'd guess it is to replace the spaces that are in the meta description.

IanTurner

7:40 pm on Dec 21, 2016 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



I might track back requests from those IPs to see if there is some kind of pattern - and to see if they are requesting the page from which the meta description is taken first - but that won't be for a day or so.

keyplyr

12:00 am on Dec 22, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The script is just using your meta description as part of the injection attempt at port 80 (the most widely used for hosting) on the server. Attempting to POST whatever content they have in their script, usually some type of spam, but it could also be a virus.

From the log snippet you posted, it shows your server returned a 404 (not found) response. However, you should also look for other requests made by this IP address. If they were able to get any of the 2** response codes, then the injection may have been successful.
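Added example, not part of any post in this thread: a Python sketch of the follow-up discussed above. For each client that sent a POST answered with 404, it lists any POST from the same client that received a 2xx response and whether the client fetched the referring page first. The field order is inferred from the quoted log entries; the sample lines, documentation IP addresses and the names contact.asp and upload.asp are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Field order inferred from the entries quoted in the thread (an assumption;
# check the "#Fields:" header of your own logs).
FIELDS = ["date", "time", "s_ip", "method", "uri", "port", "user", "c_ip",
          "agent", "referer", "status", "substatus", "win32", "time_taken"]

# Constructed sample modelled on the thread's entries; client IPs are
# documentation addresses, and contact.asp / upload.asp are invented.
SAMPLE_LOG = """\
#Fields: (header lines are skipped)
2016-12-15 21:12:58 10.240.0.3 GET /example.htm 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+6.0) - 200 0 0 310
2016-12-15 21:13:03 10.240.0.3 POST /As+perguntas+mais+frequentes 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+6.0) http://www.example.com/example.htm 404 0 2 421
2016-12-15 21:14:10 10.240.0.3 POST /contact.asp 80 - 198.51.100.7 Mozilla/5.0+(X11) http://www.example.com/contact.asp 200 0 0 95
2016-12-15 21:15:00 10.240.0.3 POST /Les+questions 80 - 203.0.113.9 Mozilla/5.0+(Windows+NT+5.1) http://www.example.com/faq.htm 404 0 2 171
2016-12-15 21:15:02 10.240.0.3 POST /upload.asp 80 - 203.0.113.9 Mozilla/5.0+(Windows+NT+5.1) - 200 0 0 88
"""

def parse(text):
    """Yield one dict per well-formed log line, skipping '#' header lines."""
    for line in text.splitlines():
        parts = line.split()
        if not line.startswith("#") and len(parts) == len(FIELDS):
            yield dict(zip(FIELDS, parts))

def fetched_before(entries, hit):
    """True if this client sent a GET for the referring page before the bad POST."""
    path = urlsplit(hit["referer"]).path
    return any(e["method"] == "GET" and e["uri"] == path
               for e in entries[:entries.index(hit)])

def review(text):
    """Report, per client with a POST answered 404, what else that client did."""
    by_ip = defaultdict(list)
    for e in parse(text):
        by_ip[e["c_ip"]].append(e)
    report = {}
    for ip, entries in by_ip.items():
        bad = [e for e in entries if e["method"] == "POST" and e["status"] == "404"]
        if bad:
            report[ip] = {
                "post_404": [e["uri"] for e in bad],
                "post_2xx": [e["uri"] for e in entries
                             if e["method"] == "POST" and e["status"].startswith("2")],
                "fetched_referer_first": any(fetched_before(entries, e) for e in bad),
            }
    return report

if __name__ == "__main__":
    for ip, info in review(SAMPLE_LOG).items():
        print(ip, info)
```

A non-empty post_2xx list for a client that also produced the 404 pattern is the case worth a closer look; a client that only ever posts to real form handlers never enters the report.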

mack

4:19 am on Dec 22, 2016 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



It could be a bot that has previously crawled your site, now it has come back and is sending the wrong requests, perhaps a sloppy coder has specified an incorrect database table or something and instead of a domain.bla/URL it's requesting domain.bla/description

Mack.