What's a random-spelled filename request mean?

Why do robots request bizarre random file names?

         

knonymouse

2:39 am on Mar 24, 2012 (gmt 0)

10+ Year Member



Three requests, in the same second, like:

/mydir1/mydir//amfx/xmlrpc.php
//amfx/xmlrpc.php
/mydir1///amfx/xmlrpc.php


Those robot requests make no sense to me. They looked like random letters. But I notice the file name begins "xml".

Are these in fact known names of vulnerable files in a specific application?

They got 403, but not sure why. Perhaps by IP ban because of a prior visit caught with suspicious activity. Like a request for admin, or login, or register, or upload, or etc. etc.

Meanwhile, as a separate question. If a filename seems to be just random letters, should I assume they are not in fact random (a real target somewhere) or what would be the purpose of a random file name request?

incrediBILL

4:00 am on Mar 24, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



That's a standard hack attack looking for a page that tends to be vulnerable.

DeeCee

5:36 am on Mar 24, 2012 (gmt 0)

10+ Year Member



This particular case, asking for xmlrpc.php, as incrediBILL mentions, is an attempt to attack.
The different entry points (directory names) are typically just testing for sub-directories where you might have installed something instead of in root.

When you see totally random names from, for example, GoogleBot, where they ask for an html file with a name that is made up (such as 'gwekhrtipoiiybveee.html' or something), they are merely checking that your site knows how to return a correct code 404 (Not Found). That you do not merely catch unknowns and redirect, returning 200 instead, such as with a site search, for example.

Google, for obvious reasons, does not like it when sites return 200 (OK) for everything.

I have some sites, where I redirect users into a nice custom message with a product search if they try to hit an old URL, but I still return an official 404, just to make sure Google can do its cleanup.

keyplyr

10:40 am on Mar 24, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month




Also, sometimes the ending file (.js, .pl, .php or .txt) is appended to the GET request as a hack.
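
A log check for the pattern discussed in this thread, as an added example that is not part of any poster's message: it collapses repeated slashes and flags a client that asks for the same file name under several directory prefixes within one second. The Apache combined-style log format, the IP addresses, the timestamps and the function names are assumptions, and the sample lines are constructed around the three paths quoted in the first post.

```python
import re
from collections import defaultdict

# Constructed sample lines; IPs are documentation addresses, times are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Mar/2012:02:39:11 +0000] "GET /mydir1/mydir//amfx/xmlrpc.php HTTP/1.1" 403 210
203.0.113.7 - - [24/Mar/2012:02:39:11 +0000] "GET //amfx/xmlrpc.php HTTP/1.1" 403 210
203.0.113.7 - - [24/Mar/2012:02:39:11 +0000] "GET /mydir1///amfx/xmlrpc.php HTTP/1.1" 403 210
198.51.100.20 - - [24/Mar/2012:02:39:11 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.20 - - [24/Mar/2012:02:39:11 +0000] "GET /css/site.css HTTP/1.1" 200 900
198.51.100.33 - - [24/Mar/2012:02:40:02 +0000] "GET /gwekhrtipoiiybveee.html HTTP/1.1" 404 310
"""

LINE_RE = re.compile(
    r'(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})'
)


def normalize(path):
    """Drop any query string and collapse runs of slashes into one."""
    return re.sub(r"/{2,}", "/", path.split("?", 1)[0])


def find_prefix_probes(log_text, min_prefixes=3):
    """Map (ip, timestamp, file name) -> sorted directory prefixes for bursts
    where one client requests the same file name under at least
    min_prefixes different directories within the same logged second."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, ts, raw_path, _status = m.groups()
        prefix, _, name = normalize(raw_path).rpartition("/")
        if name:  # ignore directory requests such as "/"
            seen[(ip, ts, name)].add(prefix or "/")
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_prefixes}


if __name__ == "__main__":
    for (ip, ts, name), prefixes in find_prefix_probes(SAMPLE_LOG).items():
        print(f"{ip} at {ts}: {name} requested under {prefixes}")
```

The single made-up file name that gets a 404 is not flagged, since the check keys on one name repeated across directories rather than on how odd the name looks.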