Anyone seen this type of GET requests? GET /?epl=

sehh

Well-Known Member
Feb 11, 2006
579
5
168
Europe
I'm receiving GET requests of the type:

GET /?epl=xjFv5-RFSnCLevmcq2p0e65rd7UgoXCK5C7-x8zgo7mQvaOpuJAsnO0BFaGKINARDFzaWVg_9gsXMRRdvWgkWzoEAiHFbPYVFz418trzthe7SPUxwkFASqlybzUhVwbTfFGS-345rSSj3XKGTxoA0NSDGIhJJVDNE0aZUY96JCOT9lQlZAAgsN6vvwAA4H8DAABAgFsKAADXtbtaWVMmWUExNmhaQ
Are these some kind of remote exploit, or just a broken browser plugin?

Thank you
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,202
363
Hello :)

Are you receiving several similar requests for the same account or is it an isolated entry?

Thank you.
 

sehh

Well-Known Member
Feb 11, 2006
579
5
168
Europe
Hello :)

Are you receiving several similar requests for the same account or is it an isolated entry?

Thank you.
I'm receiving multiple of these requests, one per domain, on multiple domains on each server. But the encoded (or random) string after the epl= parameter is different. I also see them coming from different IP address on the same netmask.

For example:

Code:
domain1.com:202.46.61.123 - - [16/Jan/2014:10:24:56 +0000] "GET /?epl=zmxPnQMyCjJ3qtf3RnTpl0BaAx85JBROkdyFP24M3tvkqCFFZ3aUuk8D3ekZHSvn2kFmK8vkCEsdMh6bz3p85QMpFhkBJ8iEVARuvErBatTOdeF9mT4hnnvTVONRj6DpkTRNU3uKAACYgAkocgAgMN6jvwAA4H8BAABAgFsHAABpDXzkWVMmWUExNmhaQmsAAADw HTTP/1.1" 301 428 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
then again

Code:
domain2.com:202.46.61.122 - - [16/Jan/2014:03:26:31 +0000] "GET /?epl=gSar5ERva1IXE3hZoxofzgDLa9oFCYVTJHfxr-okmyRUyRL_KBbsB7sKOkzBed5ogE7qNhIvqqpgdC5tOL_xMB87SWuiLUj3gAhzhAaWYLUUeps6veN5v-qR3U8pzaYRTU896UmaSeypGkwAwAQAY3AAIDDeq78AAOB7AwAAQIDbBwAAsLymXVlTJllBMTZoWkJwAAAA8A HTTP/1.1" 200 4212 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
and again...

Code:
domain3.com:202.46.49.36 - - [16/Jan/2014:18:54:31 +0000] "GET /?epl=xjFv5-RFSnCLevmcq2p0e65rd7UgoXCK5C7-x8zgo7mQvaOpuJAsnO0BFaGKINARDFzaWVg_9gsXMRRdvWgkWzoEAiHFbPYVFz418trzthe7SPUxwkFASqlybzUhVwbTfFGS-345rSSj3XKGTxoA0NSDGIhJJVDNE0aZUY96JCOT9lQlZAAgsN6vvwAA4H8DAABAgFsKAADXtbtaWVMmWUExNmhaQ HTTP/1.1" 200 4212 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
So on and so forth...

Based on the tracing of the originating IP addresses, I can see they are coming from China, which makes them 120% suspicious :)

I'm trying to trace the "epl" part of the parameter and see if its being used by some web application or CMS, but so far google hasn't been helpful, only returns results relevant to the English Premier League :P
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
That variable really doesn't ring a bell to me. Likely they won't be successful with anything even if it is a malicious request.

It's possible they're scanning for sites with infections that parse that variable.

It would be pretty easy to block with modsecurity if you decide you want to block the behaviour.
 

sehh

Well-Known Member
Feb 11, 2006
579
5
168
Europe
That variable really doesn't ring a bell to me. Likely they won't be successful with anything even if it is a malicious request.

It's possible they're scanning for sites with infections that parse that variable.

It would be pretty easy to block with modsecurity if you decide you want to block the behaviour.
Sounds possible, scanning for sites with infections. I don't think there is a need to block them.

Thanks for the suggestion.