hacking attempts?

'%22 added to end of all URIs

         

LifeinAsia

11:29 pm on Feb 22, 2010 (gmt 0)




Suddenly (about an hour ago), we're seeing a huge number of "'%22" added onto the URIs on one of our sites. (Example: www.example.com/page.cfm?Parm1=1&param2=2'%22)

Has anyone seen something like this before?

[edited by: LifeinAsia at 11:51 pm (utc) on Feb 22, 2010]

martinibuster

11:43 pm on Feb 22, 2010 (gmt 0)




Isn't %22 an empty space? Could be someone (or thing) is accessing your site with a blank space at the end of the URL. Could also be caused by a mis-coded link in or outside of your site.

Leosghost

12:03 am on Feb 23, 2010 (gmt 0)




Isn't %22 an empty space?

No ..%22 is an escaped quote mark in ASCII table here [w3schools.com]

LifeinAsia

12:05 am on Feb 23, 2010 (gmt 0)




If it were one or two, I could see that. But it was suddenly thousands of entries like that showing in the logs. And it stopped just as suddenly as it started. And it was on just one of over a dozen sites on the server.

No common IPs as far as I could tell, although the user agent is the same... No referrer, so maybe it was just an idiot's attempt at referral spam.

Leosghost

12:30 am on Feb 23, 2010 (gmt 0)




To be on the safe side ..after every unusual event ..check the date/time stamps on critical files ..

And generate checksums on the critical files that you know to be "clean" ..most "target files" would not actually vary ..so this can save you some time and anguish ..

No common IPs as far as I could tell, although the user agent is the same

Common IPs would be a dead giveaway and not even a newbie would ..randomising the UA is harder ..most times if the weak point for intrusion or spam isn't real easy ..then the bot ( thousands is a bot IMO ) will move off ..basic wardialer etc tactics haven't changed

rocknbil

7:57 pm on Feb 23, 2010 (gmt 0)




Came up a few weeks ago [webmasterworld.com] but don't know that the comments there will be very helpful.

I am curious though, are you on any plans for PCI compliance scans? I have seen some weird stuff thrown at our servers during a scan from S.M.

londrum

8:40 pm on Feb 23, 2010 (gmt 0)




maybe someone is trying to scrape your site, or just trying to grab some data off your pages.

it would be easy enough to write a script that loops through a load of URLs, but doing a little typo that adds an accidental character to the end of the variable where the URL goes. that might explain why it's the same character all the time.

LifeinAsia

10:16 pm on Feb 23, 2010 (gmt 0)




Thanks for the comments and thanks for the link to the previous thread- sounds like it may have been the same issue. (Not on any plans for PCI compliance scans.)

No other junk after the '%22, so I doubt it was a SQL injection attack. Perhaps a probe to see how the server was handling things for a potential future attack (as suggested in the other thread).
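Added example, not part of any post in this thread: a log triage script that pulls out the requests ending in '%22 and reports the properties discussed above (request count, distinct IPs, user agents, referrers, start and end of the burst). The combined log format, the sample lines and the function name are constructed assumptions; listing URIs that returned a 5xx status is an extra check not mentioned in the thread, showing which pages failed on the stray quote and so deserve a look at their input handling.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Constructed sample lines in Apache/NCSA combined log format (not from the thread).
SAMPLE_LOG = """\
198.51.100.7 - - [22/Feb/2010:22:31:02 +0000] "GET /page.cfm?Parm1=1&param2=2'%22 HTTP/1.1" 200 5120 "-" "ExampleBot/1.0"
203.0.113.9 - - [22/Feb/2010:22:31:05 +0000] "GET /list.cfm?id=7'%22 HTTP/1.1" 200 4312 "-" "ExampleBot/1.0"
192.0.2.44 - - [22/Feb/2010:22:32:10 +0000] "GET /page.cfm?Parm1=1&param2=2 HTTP/1.1" 200 5120 "http://www.example.com/" "Mozilla/5.0"
198.51.100.23 - - [22/Feb/2010:22:40:41 +0000] "GET /item.cfm?id=3%27%22 HTTP/1.1" 500 310 "-" "ExampleBot/1.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def summarize_quote_probes(log_text):
    """Summarize requests whose decoded URI ends in '" (the '%22 suffix)."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Decode once so '%22 and %27%22 are treated alike.
        if m and unquote(m["uri"]).endswith("'\""):
            hits.append(m)
    times = [datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z") for m in hits]
    return {
        "requests": len(hits),
        "distinct_ips": len({m["ip"] for m in hits}),
        "user_agents": Counter(m["ua"] for m in hits),
        "with_referrer": sum(m["ref"] not in ("", "-") for m in hits),
        # Pages that errored on the stray quote are the ones to review first.
        "server_errors": [m["uri"] for m in hits if m["status"].startswith("5")],
        "first_seen": min(times) if times else None,
        "last_seen": max(times) if times else None,
    }


if __name__ == "__main__":
    for key, value in summarize_quote_probes(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```
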