Welcome to WebmasterWorld Guest from 107.20.104.110

Forum Moderators: phranque

Message Too Old, No Replies

MSIE9 requesting */scanImageUrl and */[object]

Seeing internet explorer 9 request strange invalid urls on my websites

     
7:29 am on Apr 2, 2013 (gmt 0)

New User

joined:June 21, 2012
posts: 4
votes: 0


Over the last couple of weeks I've been seeing requests to /[object] and /scanImageUrl in my websites root and subdirectories.

I suspect the requests to /[object] and /subdir/[object] are because of a javascript, because with those requests the HTTP_ACCEPT header is set to: application/javascript, */*;q=0.8

The requests to /scanImageUrl have HTTP_ACCEPT set to: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5

I can't for the life of me figure out why browsers are sending these requests, I've been using the same website + javascripts for almost a year now and requests like these started popping up a couple of weeks ago.

Is anyone else seeing stuff like this?

Edit: I forgot to mention that _all_ of the requests containing [object] are from MSIE9, the requests containing scanImageUrl are from different browsers.
11:36 am on Apr 2, 2013 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:10563
votes: 15


welcome to WebmasterWorld, tomashastings!


have you checked the IP addresses from which these requests are originating to see if they might be known spambots or vulnerability probes.
11:46 am on Apr 2, 2013 (gmt 0)

New User

joined:June 21, 2012
posts: 4
votes: 0


Yes I checked, the requests seem to be coming from legitimate users. At least 5 of them are IP addresses of users that have ordered from my webshop in the past.
1:45 pm on Apr 2, 2013 (gmt 0)

New User

joined:Apr 2, 2013
posts: 1
votes: 0


I'm seeing this on an eComm asp.net site. My guess is a browser plugin gone haywire.

"scanImageUrl" is a JS variable used in the McAfee/HackerSafe logo/trustmark display, but we don't use that. One of the many broeser security plugins?
6:12 pm on Apr 2, 2013 (gmt 0)

New User

joined:Apr 2, 2013
posts:2
votes: 0


we too have been observing this issue.

It's all from IE9 and only in compatibility mode, denoted by the Trident attribute of the user agent string.
11:41 am on Apr 4, 2013 (gmt 0)

New User

joined:Apr 4, 2013
posts:1
votes: 0


Hello,

Me too i can see this 404 error on my logs since 5 or 6 days. My website is not in asp but in php
6:03 pm on Apr 8, 2013 (gmt 0)

New User

joined:Apr 8, 2013
posts: 1
votes: 0


We are also receiving requests for /scanImageUrl.

They seem to be coming from IE 8 and IE 9 (both with Trident in the User Agent string).

Has anyone determined the underlying cause yet?
2:09 pm on May 20, 2013 (gmt 0)

New User

joined:Apr 2, 2013
posts:2
votes: 0


I posted a question on stackexchange: [snip]

and someone responded and it points to a 3rd party addon(spyware)

here's a summary:

One of my coworkers started exhibit the symptoms (random requests for http://www.example.com/scanImageUrl from IE8), so I hopped on her computer to figure out what was causing the issue.

The problem appears to be due to a malware IE add-on called Yontoo v2.051. I doubt anyone intentionally installs the software, but, among other installers, it is bundled with "EZ Fonts" ([snip]). Disabling both parts of the add-on from IE stops the issue.

[edited by: phranque at 10:08 am (utc) on May 21, 2013]
[edit reason] links to malware, etc [/edit]

10:23 am on May 21, 2013 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:10563
votes: 15


welcome to WebmasterWorld, ttomsen!


thanks for your help with an explanation of the issue.
10:23 am on May 21, 2013 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:10563
votes: 15


warm welcomes all around to mydogbart, rhum1, and gfergo!