Anyone seen this type of GET requests? GET /?epl=

sehh

I'm receiving GET requests of the type:

GET /?epl=xjFv5-RFSnCLevmcq2p0e65rd7UgoXCK5C7-x8zgo7mQvaOpuJAsnO0BFaGKINARDFzaWVg_9gsXMRRdvWgkWzoEAiHFbPYVFz418trzthe7SPUxwkFASqlybzUhVwbTfFGS-345rSSj3XKGTxoA0NSDGIhJJVDNE0aZUY96JCOT9lQlZAAgsN6vvwAA4H8DAABAgFsKAADXtbtaWVMmWUExNmhaQ
Are these some kind of remote exploit, or just a broken browser plugin?

Thank you
 

cPanelMichael

Administrator
Staff member
Hello :)

Are you receiving several similar requests for the same account or is it an isolated entry?

Thank you.
 

sehh

I'm receiving multiple of these requests, one per domain, on multiple domains on each server. But the encoded (or random) string after the epl= parameter is different. I also see them coming from different IP addresses on the same netmask.

For example:

Code:
domain1.com:202.46.61.123 - - [16/Jan/2014:10:24:56 +0000] "GET /?epl=zmxPnQMyCjJ3qtf3RnTpl0BaAx85JBROkdyFP24M3tvkqCFFZ3aUuk8D3ekZHSvn2kFmK8vkCEsdMh6bz3p85QMpFhkBJ8iEVARuvErBatTOdeF9mT4hnnvTVONRj6DpkTRNU3uKAACYgAkocgAgMN6jvwAA4H8BAABAgFsHAABpDXzkWVMmWUExNmhaQmsAAADw HTTP/1.1" 301 428 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
then again

Code:
domain2.com:202.46.61.122 - - [16/Jan/2014:03:26:31 +0000] "GET /?epl=gSar5ERva1IXE3hZoxofzgDLa9oFCYVTJHfxr-okmyRUyRL_KBbsB7sKOkzBed5ogE7qNhIvqqpgdC5tOL_xMB87SWuiLUj3gAhzhAaWYLUUeps6veN5v-qR3U8pzaYRTU896UmaSeypGkwAwAQAY3AAIDDeq78AAOB7AwAAQIDbBwAAsLymXVlTJllBMTZoWkJwAAAA8A HTTP/1.1" 200 4212 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
and again...

Code:
domain3.com:202.46.49.36 - - [16/Jan/2014:18:54:31 +0000] "GET /?epl=xjFv5-RFSnCLevmcq2p0e65rd7UgoXCK5C7-x8zgo7mQvaOpuJAsnO0BFaGKINARDFzaWVg_9gsXMRRdvWgkWzoEAiHFbPYVFz418trzthe7SPUxwkFASqlybzUhVwbTfFGS-345rSSj3XKGTxoA0NSDGIhJJVDNE0aZUY96JCOT9lQlZAAgsN6vvwAA4H8DAABAgFsKAADXtbtaWVMmWUExNmhaQ HTTP/1.1" 200 4212 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
So on and so forth...

Based on the tracing of the originating IP addresses, I can see they are coming from China, which makes them 120% suspicious :)

I'm trying to trace the "epl" part of the parameter and see if it's being used by some web application or CMS, but so far Google hasn't been helpful, only returns results relevant to the English Premier League :P
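
The pattern described in the post above (one `epl=` request per domain, a different token each time, source addresses in the same network) can be summarized from the access logs with a short script. This is an added example, not part of the original thread: it assumes the vhost-prefixed combined log format of the quoted lines, the /24 grouping is an arbitrary default, and the sample lines are constructed (documentation-range IPs, made-up tokens).

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# 'vhost:client_ip - - [time] "METHOD target PROTO" status bytes ...' as in the quoted lines
LINE_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def summarize_epl(lines, prefix_len=24):
    """Group requests that carry an `epl` query parameter by source network."""
    nets = defaultdict(lambda: {"hits": 0, "ips": set(), "vhosts": set(),
                                "tokens": set(), "statuses": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # line is not in the expected format
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        if "epl" not in query:
            continue  # unrelated request
        try:
            net = ipaddress.ip_network(f"{m['ip']}/{prefix_len}", strict=False)
        except ValueError:
            continue  # client field is not an IP address
        entry = nets[str(net)]
        entry["hits"] += 1
        entry["ips"].add(m["ip"])
        entry["vhosts"].add(m["vhost"])
        entry["tokens"].update(query["epl"])
        entry["statuses"].add(int(m["status"]))
    return dict(nets)

# Constructed sample lines (documentation-range IPs, shortened made-up tokens).
SAMPLE = [
    'site-a.example:198.51.100.23 - - [16/Jan/2014:10:24:56 +0000] "GET /?epl=tokenAAA HTTP/1.1" 301 428 "-" "UA"',
    'site-b.example:198.51.100.22 - - [16/Jan/2014:03:26:31 +0000] "GET /?epl=tokenBBB HTTP/1.1" 200 4212 "-" "UA"',
    'site-c.example:203.0.113.36 - - [16/Jan/2014:18:54:31 +0000] "GET /?epl=tokenCCC HTTP/1.1" 200 4212 "-" "UA"',
    'site-a.example:192.0.2.9 - - [16/Jan/2014:19:00:00 +0000] "GET /index.php?page=2 HTTP/1.1" 200 512 "-" "UA"',
    'not a log line',
]

if __name__ == "__main__":
    for net, e in sorted(summarize_epl(SAMPLE).items()):
        print(f"{net}: {e['hits']} hits, {len(e['ips'])} IPs, "
              f"{len(e['vhosts'])} vhosts, {len(e['tokens'])} distinct tokens, "
              f"statuses {sorted(e['statuses'])}")
```

A network that touches many vhosts with a distinct token each time matches what the post describes; the status set shows whether the sites answered with content or a redirect.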
 

quizknows

That variable really doesn't ring a bell to me. Likely they won't be successful with anything even if it is a malicious request.

It's possible they're scanning for sites with infections that parse that variable.

It would be pretty easy to block with modsecurity if you decide you want to block the behaviour.
 

sehh

Sounds possible, scanning for sites with infections. I don't think there is a need to block them.

Thanks for the suggestion.