/(null)

Pfui

4:00 am on Jul 9, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

Okay, my fellow log-watchers, what do you make of the "/(null)" hits? I've reported on them for ages -- Best way to block URIs for "/(null)"? [webmasterworld.com] -- but still draw a blank about what they mean. All I know is that the common denominator is always Trident/4.0.

Why post in this forum now? Because until tonight's rabid run-through, I never really saw the hits as bot-like. But tonight's hit rate from a single host suddenly resembled how freaked out some search- and spambots act when they're denied.

adsl-nn-nnn-nn-nnn.dsl.lsan03.sbcglobal.net
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

07/08 20:25:19 /directory/(null)
07/08 20:25:19 /directory/(null)
07/08 20:25:19 /directory/(null)
07/08 20:25:19 /directory/(null)
07/08 20:25:19 /directory/(null)
07/08 20:25:19 /directory/(null)
07/08 20:25:27 /directory/(null)
07/08 20:25:27 /directory/(null)
07/08 20:25:33 /directory/(null)
07/08 20:25:33 /directory/(null)
07/08 20:25:33 /directory/(null)
07/08 20:25:37 /directory/(null)
07/08 20:25:38 /directory/(null)
07/08 20:25:38 /directory/(null)
07/08 20:25:38 /directory/(null)
07/08 20:25:38 /directory/(null)
07/08 20:25:39 /directory/(null)
07/08 20:25:39 /directory/(null)
07/08 20:25:39 /directory/(null)
07/08 20:25:39 /directory/(null)
07/08 20:25:44 /directory/(null)

For those still following along (or awake, ahem:), I've had 56 "/(null)" hits thus far this month, including the above. Thoughts? Anyone?... Bueller?... Bueller?

keyplyr

6:37 am on Jul 9, 2009 (gmt 0)

Dunno, but you're correct - always Trident/4.0, and yes, they've increased a lot over the last couple of weeks.

I've always blocked these requests with:

RewriteRule NULL - [NC,F]

GaryK

4:42 pm on Jul 9, 2009 (gmt 0)

I read the linked thread. Does it literally say (null) in the logs?

wilderness

5:04 pm on Jul 9, 2009 (gmt 0)

Gary,
Provided two log examples in that thread [webmasterworld.com]. The only thing I changed was the name of the directory requested.

jdMorgan

5:05 pm on Jul 9, 2009 (gmt 0)

Yes. It says "GET /(null)" in the raw server access logs:

71.164.229.20x - - [05/Jun/2009:10:25:26 -0500] "GET /(null) HTTP/1.1" 403 0 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB6; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618)"

Jim

GaryK

5:29 pm on Jul 9, 2009 (gmt 0)

Thanks, Jim. I've never seen that in all my years of doing this. Is this something unique to Apache? All my servers are Windows.

jdMorgan

5:41 pm on Jul 9, 2009 (gmt 0)

Is what specific to Apache -- The log entry or the log format? That's just a bog-standard shared-server log line, except for the odd-ball URL-path of "/(null)" that we're discussing here. Its format is
Remote-IP / Time / Client-request-line / Server-response-status / Transfer-size / Referrer / Client-user-agent

My condolences on the Window$ $erver$ thing... ;)

Jim
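The field order Jim lists above is enough to parse these lines mechanically and pull out the "(null)" requests. The following is an added example, not code from the thread: it runs over constructed sample lines written in the style of those posted here (documentation-range IPs) and assumes only the standard Apache combined log format, so a path such as "www.my-site.com/(null)" is handled the same as "/(null)".

```python
import re
from collections import Counter

# Apache combined-log line in the field order Jim lists:
# Remote-IP / Time / Client-request-line / Status / Transfer-size / Referrer / User-Agent
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines in the style of those posted in the thread (documentation-range IPs).
SAMPLE_LOG = """\
192.0.2.10 - - [08/Jul/2009:03:38:49 -0700] "GET /(null) HTTP/1.1" 403 479 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)"
192.0.2.10 - - [08/Jul/2009:03:38:49 -0700] "GET /directory/(null) HTTP/1.1" 403 479 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)"
198.51.100.7 - - [08/Jul/2009:07:18:07 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1)"
203.0.113.4 - - [14/Jun/2009:15:05:45 -0400] "GET /shutters/(null) HTTP/1.0" 301 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.9 - - [20/Jun/2009:09:14:13 -0400] "GET /(null) HTTP/1.1" 301 5 "-" "-"
"""

def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def null_hits(log_text):
    """Return the parsed entries whose request path ends in a literal '/(null)' segment."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].endswith("/(null)"):
            rec["trident4"] = "Trident/4.0" in rec["ua"]
            hits.append(rec)
    return hits

def summarize(hits):
    """Count (null) hits per remote IP and how many carried the Trident/4.0 token."""
    per_ip = Counter(h["ip"] for h in hits)
    return {"total": len(hits),
            "trident4": sum(1 for h in hits if h["trident4"]),
            "per_ip": dict(per_ip)}

if __name__ == "__main__":
    hits = null_hits(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["path"], h["status"], "Trident/4.0" if h["trident4"] else "other UA")
    print(summarize(hits))
```

Feed a real access log in place of SAMPLE_LOG and the per-IP counts show at a glance whether a host is a one-hit wonder or a burst like the one in the first post.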

dstiles

8:38 pm on Jul 9, 2009 (gmt 0)

Could it be MSIE 8 screwing up (again!)?

From checking up on trinity yesterday it seems to be some kind of spoofing option for MSIE 8 to allow users to make it look like MSIE 7: apparently some sites don't work with MSIE 8. Shades of Mozilla? :)

I do know I get a lot of suspect hits from seemingly "real" browsers with trinity in the UA, usually with bad headers.

GaryK

10:15 pm on Jul 9, 2009 (gmt 0)

Is what specific to Apache -- The log entry or the log format?

The log entry. I've never seen /(null) as a file in any of my logs.

My condolences on the Window$ $erver$ thing...

I like my Windows Servers just fine thank you. :)

jdMorgan

12:52 am on Jul 10, 2009 (gmt 0)

Trident is the MSIE rendering engine, just as Gecko is the Mozilla rendering engine.

It's possible that the /(null) requests are sent only to Apache servers, but that seems on its face to be unlikely, as it would require special code in the client to examine the server's identifying response headers and behave accordingly. Hopefully, we can get enough reports here from other Webmasters on Windows servers to get a sufficiently large sample to answer that question.

Jim

keyplyr

5:40 am on Jul 10, 2009 (gmt 0)

These are the only "(null)" hits from yesterday's log.

No time pattern, no geo pattern, no other browser configuration or add-on patterns. The only similarity I see is that none include a referring site or SE and they all are for the default page even though I have many entrance pages.

83.93.194.*** - - [08/Jul/2009:03:38:49 -0700] "GET www.my-site.com/(null) HTTP/1.1" 403 479 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)"

94.194.52.*** - - [08/Jul/2009:07:18:07 -0700] "GET www.my-site.com/(null) HTTP/1.1" 403 478 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2)"

24.8.156.*** - - [08/Jul/2009:12:50:06 -0700] "GET www.my-site.com/(null) HTTP/1.1" 403 478 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.1)"

71.136.34.** - - [08/Jul/2009:13:37:31 -0700] "GET www.my-site.com/(null) HTTP/1.1" 403 478 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)"

24.29.76.*** - - [08/Jul/2009:14:39:56 -0700] "GET www.my-site.com/(null) HTTP/1.1" 403 478 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; .NET CLR 2.0.50727; InfoPath.2)"

98.116.207.*** - - [08/Jul/2009:19:13:35 -0700] "GET www.my-site.com/(null) HTTP/1.1" 403 480 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; WOW64; Trident/4.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.30729; .NET CLR 3.5.21022; .NET CLR 3.5.30729)"

GaryK

5:41 am on Jul 10, 2009 (gmt 0)

Trident is the MSIE rendering engine

I think dstiles had nuclear bombs on his mind at the time!

It's possible that the /(null) requests are sent only to Apache servers, but that seems on its face to be unlikely

Apparently I have the UA Pfui posted in my database so maybe I overlooked the log entries. I'll keep a closer watch on it now. First seen on Jan 31, 2009. Last seen June 21, 2009. 645 total visits.

Pfui

8:26 am on Jul 10, 2009 (gmt 0)

Thanks for puzzling this mystery with me, gang.

@Gary: I may be misunderstanding your comment but the UAs are all different but for having "MSIE 8.0" and more specifically "Trident/4.0" in the string. However, not all Trident/4.0-containing UAs request "/(null)" files. I'd be surprised if you grepped more than a few dozen "/(null)" requests a month in any one site's 2009 logs.

@keyplyr: Sooner or later, I reckon you'll see hits to subdirectories. I consistently see a mix of top level and multiple subdirs now. The mix made me wonder if the nulls might be bookmark- or favicon-related but it's too inconsistent. FWIW, I also thought Trident might be burping when it encountered older code but that doesn't fit across all visitors either.

This is beginning to sound like a case for Sherlock Holmes. Or House, M.D. :)

Frank_Rizzo

10:34 am on Jul 10, 2009 (gmt 0)

Here are two for today.

81.76.50.nnn - - [10/Jul/2009:07:59:01 +0100] "GET /(null) HTTP/1.1" 404 4801 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" 0 example.com "-" "-"
81.76.50.nnn - - [10/Jul/2009:07:59:26 +0100] "GET /articles/(null) HTTP/1.1" 404 5110 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" 0 example.com "-" "-"

No other log entries for 81.76.50.nnn. It just gets those null pages and moves on.

GaryK

4:02 pm on Jul 10, 2009 (gmt 0)

Pfui, I really should know better than to post when I'm sleeping. :)

enigma1

11:47 am on Jul 11, 2009 (gmt 0)

I also see them in my logs often. I do redirect them in my case to a blackhole, as the app blocks characters like brackets, but one thing they surely use it for is probing for weaknesses at the application level, whatever web application runs.

So, for example, with a PHP app, requesting example.com/(null) will set up the $_SERVER variables, some including the (null) string. Now, depending on what the web scripts do, they may expose the server path if there are errors, or include the string in an error page.

This can quickly tell an attacker about the server response and whether or not the application handles the 404 with custom HTML content or a custom redirect. If you don't redirect, then the 404 is typically invoked. If the 404 is a custom page, they can check if the response includes the null string.

I tested this with some popular CMS and cart packages, and in several cases I can see that (null) thing being included in the error or redirect page. The next thing they could do is to try XSS against these scripts.

Here is an example from a 404 page I checked, following the URL with the null, on a popular CMS.

<form action="/(null)" accept-charset="UTF-8" method="post" id="search-theme-form">

See where the (null) ended up? It means there was no filtering on that request and the application passed it blindly to the client. It is parameter propagation and can be used for all sorts of things.
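To audit your own 404 template for the kind of echo enigma1 describes, here is an added example (not code from the thread or from any CMS): a constructed vulnerable renderer that copies the request path into the form action as in the tag quoted above, a hardened one that uses a fixed action and escapes the path where it is displayed, and an audit function that reports where a probe marker from the request path lands in the response.

```python
from html import escape

# Constructed stand-in for a CMS "page not found" template in the style of the form tag
# quoted above. Vulnerable: the raw request path is copied into the form's action attribute.
def render_404_vulnerable(request_uri):
    return ('<h1>Page not found</h1>\n'
            f'<form action="{request_uri}" method="post" id="search-theme-form">'
            '<input name="q"></form>')

# Hardened: the action is a fixed path; where the request path must be shown at all,
# it is HTML-escaped with quotes included so it cannot break out of text or attributes.
def render_404_hardened(request_uri):
    return ('<h1>Page not found</h1>\n'
            f'<p>No page at {escape(request_uri, quote=True)}</p>\n'
            '<form action="/search" method="post" id="search-theme-form">'
            '<input name="q"></form>')

def reflected_markers(body, marker="(null)"):
    """Locate every echo of the probe marker in a response body.

    Returns (context, snippet) pairs: 'attribute' when the marker sits inside a
    quoted attribute value of a tag, 'text' otherwise. An empty list means the
    page did not echo the request path, which is exactly what a (null) probe
    is sent to find out.
    """
    found, start = [], 0
    while (i := body.find(marker, start)) != -1:
        before = body[:i]
        tag_start = before.rfind("<")
        in_tag = tag_start > before.rfind(">")
        # Inside an attribute value if an odd number of quotes precede the marker within the tag
        in_attr = in_tag and before[tag_start:].count('"') % 2 == 1
        found.append(("attribute" if in_attr else "text", body[max(0, i - 20):i + len(marker)]))
        start = i + len(marker)
    return found

if __name__ == "__main__":
    for name, render in (("vulnerable", render_404_vulnerable), ("hardened", render_404_hardened)):
        print(name, reflected_markers(render("/(null)")))
```

An 'attribute' hit on a path that is not escaped with quotes is the case worth fixing first; a 'text' hit on an escaped value is harmless but still tells a prober the path is echoed.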

Pfui

5:23 pm on Jul 11, 2009 (gmt 0)

Wow. So you think nulls might be exploits via Zombied machines running MSIE 8.0/Trident/4.0? That would explain the inconsistent conduct between the exact same UAs, plus the fact most Hosts appear to be one-hit wonders. I've only communicated with one real person behind one hit and he was as clueless as I was about what his machine/browser had done, URI-wise.

dstiles

10:05 pm on Jul 11, 2009 (gmt 0)

Can't say I've noticed null hits but I get a lot of php file hits on my server, which are all blocked because it's an ASP server. From the filenames and paths they are obviously looking for loopholes.

The pattern changes: sometimes it's lots of hits from one IP, other times lots of IPs at one or two apiece.

What I've found is that the UAs of the attackers are generally non-Trident MSIE and show as very basic (unpatched) MSIE UAs for most machines since 2000.

Not that this UA is a guide in itself: my 2000 server is fully patched (as much as any MS OS can be) and is still showing the same UA it arrived with. The difference with the php hits is a lack of certain headers.

Still, who needs MSIE with Firefox around? :)

Pfui

1:45 am on Jul 12, 2009 (gmt 0)

dstiles, the "/(null)" phenomenon is a very specific itch I'm trying to scratch. If you're able to grep your access logs for null, it'd be interesting to see if you find any hits. As far as we know, they're independent of .php or any known exploits, and the UA always includes Trident/4.0.

enigma1

12:04 pm on Jul 12, 2009 (gmt 0)

Pfui, I checked my logs. I route traffic from several servers into one when I detect invalid characters and foul play in the URI.

The majority of the requests include Trident/4.0 in the UA. There were a few instances without. Here are a couple of real ones:

150.70.84.#*$! - - [14/Jun/2009:15:05:45 -0400] "GET /shutters/(null) HTTP/1.0" 301 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

67.223.204.#*$! - - [20/Jun/2009:09:14:13 -0400] "GET /(null) HTTP/1.1" 301 5 "-" "-"

But these aren't real browsers by any means, as the headers are invalid. So, theoretically at least, anyone could set up a fake UA and request a URL with this pattern.

dstiles

7:46 pm on Jul 12, 2009 (gmt 0)

Pfui - I log all strange 404s in a "baddies" file. Haven't seen any nulls in there and on ASP I think it would have triggered a 404. If someone knows different I'd like to know.

blend27

4:12 pm on Jul 13, 2009 (gmt 0)

root-of.tld/category/(null) - 76.212.NN.NN
HTTP/1.1 Mozilla/4.0+compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729)
- - root-of.tld 404 0 0 3417 282 3593

The site root-of.tld was just launched and has seen only a few visitors a day (2 weeks). I will try to track the person, since I know all the people that visit the site.