SOLVED Strange encoded requests in logs

hostvision

We have seen a lot of strange encoded requests (encoded Korean spam) in the WordPress search '?s=' that came from Googlebot. The rate of access is high and generates a lot of load.

Not sure if this is a WordPress or a Googlebot exploit, as the sites get hundreds of thousands of indexed Korean spam results for just one site and about 15,010,000,000 results for all sites.

Here is a sample request:

Code:
66.249.75.131 - - [05/Mar/2019:21:16:41 +0200] "GET /?s=%EC%B6%98%EC%B2%9C%EC%B6%9C%EC%9E%A5%EC%99%B8%EA%B5%AD%EC%9D%B8%E3%80%8E%EC%B9%B4%ED%86%A1%3A+P+o+34%E3%80%8F%7BPo+o34.c%EF%BC%90M%7D%EC%B6%9C%EC%9E%A5%EC%86%8C%EC%9D%B4%EC%8A%A4%ED%99%8D%EC%84%B1%EC%BD%9C%EA%B1%B8Y%E2%98%B5%E2%8A%992019-02-20-11-45%EC%B6%98%EC%B2%9C%E2%8A%99AIJ%E2%94%B7%EC%B6%9C%EC%9E%A5%EC%97%AC%EB%8C%80%EC%83%9D%EC%BD%9C%EA%B1%B8%EC%B6%9C%EC%9E%A5%EC%95%88%EB%A7%88%EC%B6%9C%EC%9E%A5%EC%86%8C%EC%9D%B4%EC%8A%A4%ED%99%8D%EC%84%B1%E2%98%AD%EC%B6%9C%EC%9E%A5%EC%97%85%EA%B3%84%EC%9C%84%E2%99%90%EC%B6%9C%EC%9E%A5%EC%86%8C%EC%9D%B4%EC%8A%A4%E2%94%A0%EC%B6%98%EC%B2%9C&feed=rss2 HTTP/1.1" 200 2201 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
The decoded request:

Code:
춘천출장외국인『카톡:+P+o+34』{Po+o34.c0M}출장소이스홍성콜걸Y⊙2019-02-20-11-45춘천⊙AIJ┷출장여대생콜걸출장안마출장소이스홍성출장업계위출장소이스┠춘천

The results in Google with a sample string from that request:
[Removed]

cPanelMichael

Hello @hostvision,

I've seen a similar report from another administrator that added a ModSecurity rule like the one below in WHM >> ModSecurity Tools >> Rules List >> Add Rule to block direct requests matching strings like that:

Code:
SecRule REQUEST_URI "\?s=%.*" "id:1001,deny"
If you're already using existing ModSecurity rules, then you'd need to replace "1001" with an unused ID number. Keep in mind this is an untested rule, so you may want to run it by a system administrator or use a plugin such as CMC to easily apply the rule to the individual account.

Let me know if this helps.

Thank you.
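
An added example, not part of the original posts and not cPanel's code: a short Python script that decodes the `s=` search term from access-log lines, counts non-ASCII searches per client IP, and reports which request URIs the pattern from the rule above would match. The log lines are constructed samples, and applying the regex to the raw request URI is an assumption about how the rule is evaluated.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not from the thread).
SAMPLE_LOG = '''\
192.0.2.10 - - [05/Mar/2019:21:16:41 +0200] "GET /?s=%EC%B6%98%EC%B2%9C&feed=rss2 HTTP/1.1" 200 2201 "-" "Googlebot/2.1"
192.0.2.10 - - [05/Mar/2019:21:16:42 +0200] "GET /?s=%EC%B6%9C%EC%9E%A5 HTTP/1.1" 200 2190 "-" "Googlebot/2.1"
198.51.100.7 - - [05/Mar/2019:21:17:02 +0200] "GET /?s=backup+plugin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Mar/2019:21:18:30 +0200] "GET /?s=%C3%A9t%C3%A9 HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
'''

# client IP, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')
# The pattern from the SecRule quoted above, applied here to the raw URI (assumption).
RULE_RE = re.compile(r'\?s=%.*')

def analyse(log_text):
    """Return one dict per search request: client IP, decoded term, rule verdict."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a line in the expected format
        ip, uri, _status = m.groups()
        terms = parse_qs(urlsplit(uri).query, encoding="utf-8", errors="replace").get("s")
        if not terms:
            continue  # not a WordPress search request
        term = terms[0]
        rows.append({
            "ip": ip,
            "term": term,                       # percent-decoded search string
            "non_ascii": not term.isascii(),    # e.g. the Korean spam terms
            "rule_match": bool(RULE_RE.search(uri)),
        })
    return rows

def top_talkers(rows):
    """Count non-ASCII search requests per client IP."""
    return Counter(r["ip"] for r in rows if r["non_ascii"])

if __name__ == "__main__":
    rows = analyse(SAMPLE_LOG)
    for r in rows:
        print(r)
    print(top_talkers(rows).most_common())
```

On the sample data the rule pattern also matches the fourth line, an ordinary accented search, which is worth checking against your own logs before applying the rule server-wide.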
 

cPanelMichael

Hello @hostvision,

I'm glad to see it helped. Thanks for sharing the outcome.