
Anyone seen this type of GET requests? GET /?epl=

Comments

4 comments

  • cPanelMichael
    Hello :) Are you receiving several similar requests for the same account or is it an isolated entry? Thank you.
  • sehh
    [quote="cPanelMichael, post: 1550572"]Hello :) Are you receiving several similar requests for the same account or is it an isolated entry? Thank you.[/quote]
    I'm receiving multiple of these requests, one per domain, on multiple domains on each server. But the encoded (or random) string after the epl= parameter is different. I also see them coming from different IP addresses on the same netmask. For example:
    domain1.com:202.46.61.123 - - [16/Jan/2014:10:24:56 +0000] "GET /?epl=zmxPnQMyCjJ3qtf3RnTpl0BaAx85JBROkdyFP24M3tvkqCFFZ3aUuk8D3ekZHSvn2kFmK8vkCEsdMh6bz3p85QMpFhkBJ8iEVARuvErBatTOdeF9mT4hnnvTVONRj6DpkTRNU3uKAACYgAkocgAgMN6jvwAA4H8BAABAgFsHAABpDXzkWVMmWUExNmhaQmsAAADw HTTP/1.1" 301 428 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
    then again:
    domain2.com:202.46.61.122 - - [16/Jan/2014:03:26:31 +0000] "GET /?epl=gSar5ERva1IXE3hZoxofzgDLa9oFCYVTJHfxr-okmyRUyRL_KBbsB7sKOkzBed5ogE7qNhIvqqpgdC5tOL_xMB87SWuiLUj3gAhzhAaWYLUUeps6veN5v-qR3U8pzaYRTU896UmaSeypGkwAwAQAY3AAIDDeq78AAOB7AwAAQIDbBwAAsLymXVlTJllBMTZoWkJwAAAA8A HTTP/1.1" 200 4212 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
    and again...
    domain3.com:202.46.49.36 - - [16/Jan/2014:18:54:31 +0000] "GET /?epl=xjFv5-RFSnCLevmcq2p0e65rd7UgoXCK5C7-x8zgo7mQvaOpuJAsnO0BFaGKINARDFzaWVg_9gsXMRRdvWgkWzoEAiHFbPYVFz418trzthe7SPUxwkFASqlybzUhVwbTfFGS-345rSSj3XKGTxoA0NSDGIhJJVDNE0aZUY96JCOT9lQlZAAgsN6vvwAA4H8DAABAgFsKAADXtbtaWVMmWUExNmhaQ HTTP/1.1" 200 4212 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
    So on and so forth... Based on the tracing of the originating IP addresses, I can see they are coming from China, which makes them 120% suspicious :) I'm trying to trace the "epl" part of the parameter and see if it's being used by some web application or CMS, but so far Google hasn't been helpful, only returns results relevant to the English Premier League :P
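A defender-side way to confirm the pattern sehh describes (one hit per domain, from neighbouring source addresses, each with a different epl value) is to parse the vhost-prefixed access log format shown above and group epl= hits by source network. This is an added example, not code from the thread or from cPanel; the sample log lines are constructed (hosts and source IPs as posted, epl values shortened, plus one ordinary request that must not be flagged), and the /16 grouping is an assumption, adjustable via prefix_len.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample input in the vhost-prefixed combined format of the posted entries
# (hosts and source IPs from the thread, epl values shortened, plus one ordinary hit).
SAMPLE_LOG = """\
domain1.com:202.46.61.123 - - [16/Jan/2014:10:24:56 +0000] "GET /?epl=zmxPnQMyCjJ3qtf3RnTp HTTP/1.1" 301 428 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
domain2.com:202.46.61.122 - - [16/Jan/2014:03:26:31 +0000] "GET /?epl=gSar5ERva1IXE3hZoxof HTTP/1.1" 200 4212 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
domain3.com:202.46.49.36 - - [16/Jan/2014:18:54:31 +0000] "GET /?epl=xjFv5-RFSnCLevmcq2p0 HTTP/1.1" 200 4212 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
domain1.com:198.51.100.7 - - [16/Jan/2014:11:02:10 +0000] "GET /index.php?page=about HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
"""

# vhost:ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(r'^(?P<vhost>[^:\s]+):(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def epl_value(target):
    """Return the epl= query value of a request target, or None if it has none."""
    vals = parse_qs(urlparse(target).query).get("epl")
    return vals[0] if vals else None

def summarize(log_text, prefix_len=16):
    """Group epl= hits by source network: which IPs, which vhosts, which values."""
    groups = defaultdict(lambda: {"ips": set(), "vhosts": set(), "values": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        value = epl_value(rec["target"]) if rec else None
        if value is None:
            continue  # unparsable line or a request without epl=
        net = ipaddress.ip_network(f"{rec['ip']}/{prefix_len}", strict=False)
        g = groups[str(net)]
        g["ips"].add(rec["ip"])
        g["vhosts"].add(rec["vhost"])
        g["values"].add(value)
    return groups

def flag_sweeps(log_text, prefix_len=16, min_vhosts=2):
    """Networks whose epl= hits reach at least min_vhosts distinct domains, as
    (network, distinct_ips, distinct_vhosts, distinct_values) tuples."""
    return sorted((net, len(g["ips"]), len(g["vhosts"]), len(g["values"]))
                  for net, g in summarize(log_text, prefix_len).items()
                  if len(g["vhosts"]) >= min_vhosts)
```

A network where the number of distinct epl values equals the number of hits, spread over several domains, matches the one-per-domain sweep described in the thread; a single IP repeatedly sending the same value to one domain would not.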
  • quizknows
    That variable really doesn't ring a bell to me. Likely they won't be successful with anything even if it is a malicious request. It's possible they're scanning for sites with infections that parse that variable. It would be pretty easy to block with modsecurity if you decide you want to block the behaviour.
  • sehh
    [quote="quizknows, post: 1550771"]That variable really doesn't ring a bell to me. Likely they won't be successful with anything even if it is a malicious request. It's possible they're scanning for sites with infections that parse that variable. It would be pretty easy to block with modsecurity if you decide you want to block the behaviour.[/quote]
    Sounds possible, scanning for sites with infections. I don't think there is a need to block them. Thanks for the suggestion.
