SOLVED Strange encoded requests in logs

hostvision (Member, Romania; cPanel Access Level: Root Administrator)
We have seen a lot of strange encoded requests (encoded Korean spam) in the WordPress search '?s=' that came from the Google bot. The rate of access is high and generates a lot of load.

Not sure if this is a WordPress or a Google bot exploit, as the sites get hundreds of thousands of indexed Korean spam results for just one site and about 15,010,000,000 results for all sites.

Here is a sample request:

Code:
66.249.75.131 - - [05/Mar/2019:21:16:41 +0200] "GET /?s=%EC%B6%98%EC%B2%9C%EC%B6%9C%EC%9E%A5%EC%99%B8%EA%B5%AD%EC%9D%B8%E3%80%8E%EC%B9%B4%ED%86%A1%3A+P+o+34%E3%80%8F%7BPo+o34.c%EF%BC%90M%7D%EC%B6%9C%EC%9E%A5%EC%86%8C%EC%9D%B4%EC%8A%A4%ED%99%8D%EC%84%B1%EC%BD%9C%EA%B1%B8Y%E2%98%B5%E2%8A%992019-02-20-11-45%EC%B6%98%EC%B2%9C%E2%8A%99AIJ%E2%94%B7%EC%B6%9C%EC%9E%A5%EC%97%AC%EB%8C%80%EC%83%9D%EC%BD%9C%EA%B1%B8%EC%B6%9C%EC%9E%A5%EC%95%88%EB%A7%88%EC%B6%9C%EC%9E%A5%EC%86%8C%EC%9D%B4%EC%8A%A4%ED%99%8D%EC%84%B1%E2%98%AD%EC%B6%9C%EC%9E%A5%EC%97%85%EA%B3%84%EC%9C%84%E2%99%90%EC%B6%9C%EC%9E%A5%EC%86%8C%EC%9D%B4%EC%8A%A4%E2%94%A0%EC%B6%98%EC%B2%9C&feed=rss2 HTTP/1.1" 200 2201 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
The decoded request:

Code:
춘천출장외국인『카톡:+P+o+34』{Po+o34.c0M}출장소이스홍성콜걸Y⊙2019-02-20-11-45춘천⊙AIJ┷출장여대생콜걸출장안마출장소이스홍성출장업계위출장소이스┠춘천

The results in Google with a sample string from that request:
[Removed]

cPanelMichael (Administrator, Staff member)
Hello @hostvision,

I've seen a similar report from another administrator that added a ModSecurity rule like the one below in WHM >> ModSecurity Tools >> Rules List >> Add Rule to block direct requests matching strings like that:

Code:
SecRule REQUEST_URI "\?s=%.*" "id:1001,deny"
If you're already using existing ModSecurity rules, then you'd need to replace "1001" with an unused ID number. Keep in mind this is an untested rule, so you may want to run it by a system administrator or use a plugin such as CMC to easily apply the rule to the individual account.

Let me know if this helps.

Thank you.
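As an added illustration (not code from either poster), the Python triage below decodes the ?s= value the way the first post did and tallies, per client IP, which hits the suggested rule pattern would deny and which are Hangul-dominated, so the rule's reach can be checked against real logs before it goes live. The two 198.51.100.7 lines and the Hangul-share thresholds are constructed assumptions; the first sample line is the one quoted in the thread.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Combined log format as quoted in the thread: client ident user [time] "request" status size "referer" "UA"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
# Python equivalent of the suggested SecRule pattern "\?s=%.*": a search value that starts percent-encoded
BLUNT_RULE = re.compile(r'\?s=%.*')
# Hangul Jamo, Compatibility Jamo and Syllables blocks
HANGUL = re.compile(r'[\u1100-\u11FF\u3130-\u318F\uAC00-\uD7AF]')

def analyse(line):
    """Parse one combined-format log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group('target')
    # raw percent-encoded value of ?s=; unquote() keeps '+' literal, as the poster's decoding did
    raw = dict(p.partition('=')[::2] for p in urlsplit(target).query.split('&')).get('s', '')
    term = unquote(raw)
    hangul = len(HANGUL.findall(term))
    return {
        'ip': m.group('ip'),
        'googlebot_ua': 'Googlebot' in m.group('ua'),
        'term': term,
        'blunt_rule_hit': bool(BLUNT_RULE.search(target)),
        # heuristic (assumed thresholds): a long search whose decoded text is at least one-third Hangul
        'hangul_spam_like': hangul >= 8 and hangul * 3 >= len(term),
    }

def summarise(lines):
    """Per client IP: hits, hits the blunt rule would deny, Hangul-dominated hits, and
    'collateral' hits the rule would deny although they are not Hangul-dominated."""
    tally = {}
    for r in filter(None, map(analyse, lines)):
        t = tally.setdefault(r['ip'], Counter())
        t['hits'] += 1
        t['blunt_rule_hits'] += r['blunt_rule_hit']
        t['hangul_spam_like'] += r['hangul_spam_like']
        t['collateral'] += r['blunt_rule_hit'] and not r['hangul_spam_like']
    return tally

# Constructed sample: the line quoted in the thread, plus two made-up requests from a second client
SAMPLE_LOG = [
    '66.249.75.131 - - [05/Mar/2019:21:16:41 +0200] "GET /?s=%EC%B6%98%EC%B2%9C%EC%B6%9C%EC%9E%A5%EC%99%B8%EA%B5%AD%EC%9D%B8%E3%80%8E%EC%B9%B4%ED%86%A1%3A+P+o+34%E3%80%8F%7BPo+o34.c%EF%BC%90M%7D%EC%B6%9C%EC%9E%A5%EC%86%8C%EC%9D%B4%EC%8A%A4%ED%99%8D%EC%84%B1%EC%BD%9C%EA%B1%B8Y%E2%98%B5%E2%8A%992019-02-20-11-45%EC%B6%98%EC%B2%9C%E2%8A%99AIJ%E2%94%B7%EC%B6%9C%EC%9E%A5%EC%97%AC%EB%8C%80%EC%83%9D%EC%BD%9C%EA%B1%B8%EC%B6%9C%EC%9E%A5%EC%95%88%EB%A7%88%EC%B6%9C%EC%9E%A5%EC%86%8C%EC%9D%B4%EC%8A%A4%ED%99%8D%EC%84%B1%E2%98%AD%EC%B6%9C%EC%9E%A5%EC%97%85%EA%B3%84%EC%9C%84%E2%99%90%EC%B6%9C%EC%9E%A5%EC%86%8C%EC%9D%B4%EC%8A%A4%E2%94%A0%EC%B6%98%EC%B2%9C&feed=rss2 HTTP/1.1" 200 2201 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.7 - - [05/Mar/2019:21:17:02 +0200] "GET /?s=%C3%A9t%C3%A9 HTTP/1.1" 200 2100 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Mar/2019:21:17:09 +0200] "GET /?s=hello HTTP/1.1" 200 2080 "-" "Mozilla/5.0"',
]
```

A non-zero 'collateral' count for an IP means the pattern would also deny ordinary searches that merely begin with a non-ASCII character, which is the trade-off to weigh before deploying it account-wide.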