A couple of days ago we blocked access to a customer who had just clicked on a newly-made Facebook link which he'd created in the "work info section" (his description) of his Facebook details.
The reason for blocking given in our security log was "Bad Referer".
The access was trapped on the part-word "iserver" - the full word was uiserver.php and was part of the Facebook referer.
I've never seen that term before (at least, not in the past year's security logs). The term "iserver" has several uses and definitions but includes a couple that are dangerous to web sites - e.g. they include scraping facilities.
It looks as if uiserver.php is a part of Facebook's apps system but I can't be certain. Does anyone know anything about this?
There was also a reference in the Referer to IP 174.143.153.nn (shown in the Referer below as [IP]) which is in a Rackspace Cloud. One reason I can imagine for its inclusion is that someone using the Rackspace Cloud as a robot / interrogation / spy source was tracing the link (it has the parameter name "cancel_url").
Full Referer (broken into lines, URLs broken with spaces):
[www....] facebook. com/connect/uiserver. php
?app_id=181091351917024&next=http%3A%2F%2Fapps. facebook. com%2Fgettopwords%2F&display=page
&cancel_url=http%3A%2F%2F[IP]%2Ftopwords%2F%3Ftype%3Ddiscovery
&locale=en_US&perms=read_stream&return_session=1&session_version=3
&fbconnect=0&canvas=1&legacy_return=1&method=permissions.request
I do not want to lose iserver from the referer rejection list; to add uiserver as an over-ride would be annoyingly troublesome. :(
Am I likely to encounter this again? I haven't before and I know others of my clients use Facebook.
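
The false positive described in the post, as an added example that is not part of the original post or of the poster's actual filter: a substring rule for "iserver" fires on uiserver.php, while matching the term only as a whole token of the host or path does not, and the rule stays on the list. The function names and the sample Referer are assumptions; the sample is reassembled from the one quoted above, with an assumed scheme and host prefix and a documentation address in place of the redacted [IP].

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Hypothetical blocklist; "iserver" is the term named in the post.
BLOCKED_TERMS = {"iserver"}

# Constructed sample modelled on the Referer quoted in the post.
# Scheme and "www." are assumptions; 192.0.2.10 stands in for [IP].
SAMPLE_REFERER = (
    "http://www.facebook.com/connect/uiserver.php"
    "?app_id=181091351917024"
    "&next=http%3A%2F%2Fapps.facebook.com%2Fgettopwords%2F&display=page"
    "&cancel_url=http%3A%2F%2F192.0.2.10%2Ftopwords%2F%3Ftype%3Ddiscovery"
    "&locale=en_US&perms=read_stream"
)

def _is_url(value):
    return value.lower().startswith(("http://", "https://"))

def substring_match(referer):
    """Behaviour described in the post: any occurrence of the term triggers."""
    low = referer.lower()
    return sorted(t for t in BLOCKED_TERMS if t in low)

def _tokens(text):
    # Split on anything that is not a letter or digit: "uiserver.php"
    # becomes {"uiserver", "php"}, so "iserver" is not among the tokens.
    return set(re.split(r"[^a-z0-9]+", text.lower())) - {""}

def token_match(referer, depth=2):
    """Match blocked terms only as whole host/path tokens, also checking
    URLs carried in query parameters (next, cancel_url, ...)."""
    parts = urlsplit(referer)
    hits = _tokens(parts.netloc + " " + parts.path) & BLOCKED_TERMS
    if depth > 0:
        for _name, value in parse_qsl(parts.query):
            if _is_url(value):
                hits |= set(token_match(value, depth - 1))
    return sorted(hits)

def embedded_hosts(referer):
    """Hosts of URL-valued query parameters, for log review."""
    query = parse_qsl(urlsplit(referer).query)
    return {n: urlsplit(v).hostname for n, v in query if _is_url(v)}

if __name__ == "__main__":
    print("substring rule:", substring_match(SAMPLE_REFERER))
    print("token rule:    ", token_match(SAMPLE_REFERER))
    print("embedded hosts:", embedded_hosts(SAMPLE_REFERER))
```

Logging the output of embedded_hosts next to the block reason shows where parameters such as cancel_url point, without treating their presence as a reason to block.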