Not sure what to make of this, but there was a third UA that hit just once. It was horribly malformed, but did provide a URL of lloogg.com/l.js. That site claims to provide real-time log file analytics.
/scriptdocument.write(unescape(..........
I got the request from a bunch of bots including googlebot.
66.249.68.nnn - - [23/Nov/2009:23:25:08 -0500] "GET /scriptdocument.write(unescape(%3Cscript%3Elloogg_clientid=......... HTTP/1.1" 301 5 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
I posted a question about it a few days ago in GWC. They said the bot can be tangled in some js code. In my opinion this is not good at all even if the script content isn't malicious in this attempt.
I did not put the whole request in the post as I am not sure of its content.
robots.txt? NO
URI oddity? YES: //scriptdocument.write(unescape [etc.]
FWIW...
Saw the exploit requests last week as yours, Gary -- from Googlebot (Googlebot), AmazonAWS (Jakarta), icerocket.com (BlogSearch); q9.net (Java) -- but URIs led with two slashes and different "lloogg_clientid" data. (Tho' some of my hits had the same "lloogg.com" clientid.) Oh, and ASCII for all angled brackets, quotes, etc.
Figured it was just another exploit so only mentioned it in passing, post #4030633 (Nov. 23, 2009):
amazonaws.com plays host to wide variety of bad bots
[webmasterworld.com...]
The official response I had from GWC said the particular request wasn't malicious. I briefly checked the code but I did not debug it. There are some pointers in the jscript to other files, a cookie is emitted, and an image is loaded by a php script, I think.
Ref:
[google.com...]
Unicode Code Converter [rishida.net]
But when the visible parts of any URI aim to document.write (to) a script and include a script source, I think exploit.
And when six bots request seven 99.9%-identical* URIs, a majority within mere minutes of each other, and bots don't typically read, let alone launch, JavaScript, or even retrieve .js files, I think exploit.
What kind of exploit?
I dunno. Some new nastiness hooked into a tweet or tweeted link or some such. Akin to, say:
"Twitter Security Exploit Still Hasn’t Been Fixed [mashable.com]" -Aug. 26, 2009
[Note: If the link's not allowed, sorry. Instead, Google the following: mashable exploit twitter]
And the hit rate was typical of a Twitter-follower swarm:
20:01:43 -- Moreoverbot/5.00 (+http://www.moreover.com; webmaster@moreover.com)
From: 64.94.67.nnn
20:02:27 -- Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
From: crawl-66-249-71-107.googlebot.com
20:03:15 -- Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
From: crawl-66-249-71-107.googlebot.com
20:07:12 -- Java/1.6.0_14
From: 87.218.210-nn.q9.net
20:07:59 -- BlogSearch/1.0 +http://www.icerocket.com/
From: icerocket.com
20:12:14 -- Jakarta Commons-HttpClient/3.0
From: ec2-67-202-60-246.compute-1.amazonaws.com
21:59:00 -- SocialSpider-Finder/0.2
From: 195-198-8-nnn.customer.telia.com
Anyway, even if non-exploitive, it's interesting how/why so many bots read a single click-trailer's script 'as a possible new URL.' (-Google e/ee) Google the common ID -- 22211000209487386f -- and you'll see some, um, iffy .vn, .hu, and .ru neighborhoods.
(I wonder what lloogg.com has to say?:)
-----
*The URIs were identical but for their one- or two-slash start:
GET //scriptdocument.write(unescape
GET /scriptdocument.write(unescape
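
Added example, not part of the thread: one way to surface this pattern in an access log is to flag request paths that carry JavaScript fragments, treat the one- and two-slash variants as the same URI, and report any such URI fetched by several distinct user agents within a short window. The log lines, IP addresses, status codes, the EXAMPLE client id, and the window and threshold values are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (documentation-range IPs).
SAMPLE_LOG = """\
192.0.2.10 - - [23/Nov/2009:20:01:43 -0500] "GET //scriptdocument.write(unescape(%3Cscript%3Elloogg_clientid=EXAMPLE HTTP/1.1" 404 5 "-" "Moreoverbot/5.00"
192.0.2.20 - - [23/Nov/2009:20:02:27 -0500] "GET /scriptdocument.write(unescape(%3Cscript%3Elloogg_clientid=EXAMPLE HTTP/1.1" 301 5 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.30 - - [23/Nov/2009:20:07:12 -0500] "GET //scriptdocument.write(unescape(%3Cscript%3Elloogg_clientid=EXAMPLE HTTP/1.1" 404 5 "-" "Java/1.6.0_14"
192.0.2.40 - - [23/Nov/2009:20:09:00 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (.*) (HTTP/[\d.]+)" (\d{3}) \S+ "[^"]*" "([^"]*)"$')
# JavaScript fragments that have no business appearing in a request path.
JS_IN_PATH = re.compile(r'document\.write\s*\(|unescape\s*\(|<\s*script', re.I)

def normalize(uri):
    """Percent-decode and collapse leading slashes so //x and /x compare equal."""
    return '/' + unquote(uri).lstrip('/')

def parse(log_text):
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, _method, uri, _proto, status, ua = m.groups()
            yield datetime.strptime(ts, '%d/%b/%Y:%H:%M:%S %z'), ip, uri, int(status), ua

def find_swarms(log_text, window=timedelta(minutes=15), min_agents=3):
    """Return {normalized_uri: [user agents]} for script-bearing URIs requested
    by at least min_agents distinct user agents within the window."""
    hits = defaultdict(list)
    for ts, _ip, uri, _status, ua in parse(log_text):
        norm = normalize(uri)
        if JS_IN_PATH.search(norm):
            hits[norm].append((ts, ua))
    swarms = {}
    for norm, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            agents = {ua for ts, ua in events[i:] if ts - start <= window}
            if len(agents) >= min_agents:
                swarms[norm] = sorted(agents)
                break
    return swarms

if __name__ == '__main__':
    for uri, agents in find_swarms(SAMPLE_LOG).items():
        print(uri, agents)
```

Grouping on the decoded, slash-normalized path rather than on the raw request line is what lets hits from different crawlers line up as one event.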