The Community Forums


Anyone seen this type of GET requests? GET /?epl=

Discussion in 'Security' started by sehh, Jan 16, 2014.

  1. sehh

    sehh Well-Known Member

    I'm receiving GET requests of the type:

    Are these some kind of remote exploit, or just a broken browser plugin?

    Thank you
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  3. sehh

    sehh Well-Known Member

    I'm receiving multiple of these requests, one per domain, on multiple domains on each server. But the encoded (or random) string after the epl= parameter is different. I also see them coming from different IP addresses on the same netmask.

    For example:

    Code:
    domain1.com:202.46.61.123 - - [16/Jan/2014:10:24:56 +0000] "GET /?epl=zmxPnQMyCjJ3qtf3RnTpl0BaAx85JBROkdyFP24M3tvkqCFFZ3aUuk8D3ekZHSvn2kFmK8vkCEsdMh6bz3p85QMpFhkBJ8iEVARuvErBatTOdeF9mT4hnnvTVONRj6DpkTRNU3uKAACYgAkocgAgMN6jvwAA4H8BAABAgFsHAABpDXzkWVMmWUExNmhaQmsAAADw HTTP/1.1" 301 428 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
    
    then again

    Code:
    domain2.com:202.46.61.122 - - [16/Jan/2014:03:26:31 +0000] "GET /?epl=gSar5ERva1IXE3hZoxofzgDLa9oFCYVTJHfxr-okmyRUyRL_KBbsB7sKOkzBed5ogE7qNhIvqqpgdC5tOL_xMB87SWuiLUj3gAhzhAaWYLUUeps6veN5v-qR3U8pzaYRTU896UmaSeypGkwAwAQAY3AAIDDeq78AAOB7AwAAQIDbBwAAsLymXVlTJllBMTZoWkJwAAAA8A HTTP/1.1" 200 4212 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
    
    and again...

    Code:
    domain3.com:202.46.49.36 - - [16/Jan/2014:18:54:31 +0000] "GET /?epl=xjFv5-RFSnCLevmcq2p0e65rd7UgoXCK5C7-x8zgo7mQvaOpuJAsnO0BFaGKINARDFzaWVg_9gsXMRRdvWgkWzoEAiHFbPYVFz418trzthe7SPUxwkFASqlybzUhVwbTfFGS-345rSSj3XKGTxoA0NSDGIhJJVDNE0aZUY96JCOT9lQlZAAgsN6vvwAA4H8DAABAgFsKAADXtbtaWVMmWUExNmhaQ HTTP/1.1" 200 4212 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
    
    So on and so forth...

    Based on the tracing of the originating IP addresses, I can see they are coming from China, which makes them 120% suspicious :)

    I'm trying to trace the "epl" part of the parameter and see if it's being used by some web application or CMS, but so far Google hasn't been helpful, only returns results relevant to the English Premier League :P
     
  4. quizknows

    quizknows Well-Known Member

    That variable really doesn't ring a bell to me. Likely they won't be successful with anything even if it is a malicious request.

    It's possible they're scanning for sites with infections that parse that variable.

    It would be pretty easy to block with modsecurity if you decide you want to block the behaviour.
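    As an added example, not part of the thread, here is a small Python parser for the vhost-prefixed access-log format quoted above. It extracts requests carrying the epl parameter and summarises them per hit domain and per source /24, which is the "one per domain, different IPs on the same netmask" pattern described earlier; the sample lines are constructed, with the long tokens shortened.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache combined log with a leading "vhost:client_ip" field, as quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines modelled on the thread's format (epl values shortened, last line benign).
SAMPLE_LOG = """\
domain1.com:202.46.61.123 - - [16/Jan/2014:10:24:56 +0000] "GET /?epl=zmxPnQMyCjJ3qtf3RnTpl0Ba HTTP/1.1" 301 428 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
domain2.com:202.46.61.122 - - [16/Jan/2014:03:26:31 +0000] "GET /?epl=gSar5ERva1IXE3hZoxofzgDL HTTP/1.1" 200 4212 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
domain3.com:202.46.49.36 - - [16/Jan/2014:18:54:31 +0000] "GET /?epl=xjFv5-RFSnCLevmcq2p0e65r HTTP/1.1" 200 4212 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
domain1.com:198.51.100.7 - - [16/Jan/2014:11:02:10 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def parse_line(line, param="epl"):
    """Parse one log line into a dict; rec[param] is the query value or None if absent."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    query = parse_qs(urlsplit(rec["target"]).query, keep_blank_values=True)
    rec[param] = query.get(param, [None])[0]
    return rec

def epl_report(log_text, param="epl"):
    """Summarise requests carrying the probe parameter: hosts hit, source /24s, distinct values."""
    by_net = defaultdict(set)   # "a.b.c.0/24" -> set of client IPs seen in that range
    hosts, values = set(), set()
    for line in log_text.splitlines():
        rec = parse_line(line, param)
        if rec is None or rec[param] is None:
            continue
        net = ".".join(rec["ip"].split(".")[:3]) + ".0/24"
        by_net[net].add(rec["ip"])
        hosts.add(rec["vhost"])
        values.add(rec[param])
    return {
        "hosts": sorted(hosts),
        "nets": {net: sorted(ips) for net, ips in by_net.items()},
        "distinct_values": len(values),
    }

if __name__ == "__main__":
    print(epl_report(SAMPLE_LOG))
```

    A summary like this, run over the real logs, is the evidence to look at before deciding whether a mod_security rule on the parameter is worth the maintenance.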
     
  5. sehh

    sehh Well-Known Member

    Sounds possible, scanning for sites with infections. I don't think there is a need to block them.

    Thanks for the suggestion.
     