
SOLVED Strange encoded requests in logs

Discussion in 'Security' started by hostvision, Mar 7, 2019.

  1. hostvision

    hostvision Member

    Joined:
    Jul 22, 2005
    Messages:
    11
    Likes Received:
    1
    Trophy Points:
    153
    Location:
    Romania
    cPanel Access Level:
    Root Administrator
    We have seen a lot of strange encoded requests (encoded Korean spam) in the WordPress search ('?s=') that came from Googlebot. The rate of access is high and generates a lot of load.

    Not sure if this is a WordPress or a Googlebot exploit, as the sites get hundreds of thousands of indexed Korean spam for just one site and about 15,010,000,000 results for all sites.

    Here is a sample request:

    Code:
    66.249.75.131 - - [05/Mar/2019:21:16:41 +0200] "GET /?s=%EC%B6%98%EC%B2%9C%EC%B6%9C%EC%9E%A5%EC%99%B8%EA%B5%AD%EC%9D%B8%E3%80%8E%EC%B9%B4%ED%86%A1%3A+P+o+34%E3%80%8F%7BPo+o34.c%EF%BC%90M%7D%EC%B6%9C%EC%9E%A5%EC%86%8C%EC%9D%B4%EC%8A%A4%ED%99%8D%EC%84%B1%EC%BD%9C%EA%B1%B8Y%E2%98%B5%E2%8A%992019-02-20-11-45%EC%B6%98%EC%B2%9C%E2%8A%99AIJ%E2%94%B7%EC%B6%9C%EC%9E%A5%EC%97%AC%EB%8C%80%EC%83%9D%EC%BD%9C%EA%B1%B8%EC%B6%9C%EC%9E%A5%EC%95%88%EB%A7%88%EC%B6%9C%EC%9E%A5%EC%86%8C%EC%9D%B4%EC%8A%A4%ED%99%8D%EC%84%B1%E2%98%AD%EC%B6%9C%EC%9E%A5%EC%97%85%EA%B3%84%EC%9C%84%E2%99%90%EC%B6%9C%EC%9E%A5%EC%86%8C%EC%9D%B4%EC%8A%A4%E2%94%A0%EC%B6%98%EC%B2%9C&feed=rss2 HTTP/1.1" 200 2201 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    The decoded request:

    Code:
    춘천출장외국인『카톡:+P+o+34』{Po+o34.c0M}출장소이스홍성콜걸Y⊙2019-02-20-11-45춘천⊙AIJ┷출장여대생콜걸출장안마출장소이스홍성출장업계위출장소이스┠춘천

    The results in Google with a sample string from that request:
    [Removed]
     
    #1 hostvision, Mar 7, 2019
    Last edited by a moderator: Mar 8, 2019
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    47,002
    Likes Received:
    2,123
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello @hostvision,

    I've seen a similar report from another administrator that added a ModSecurity rule like the one below in WHM >> ModSecurity Tools >> Rules List >> Add Rule to block direct requests matching strings like that:

    Code:
    SecRule REQUEST_URI "\?s=%.*" "id:1001,deny"
    If you're already using existing ModSecurity rules, then you'd need to replace "1001" with an unused ID number. Keep in mind this is an untested rule, so you may want to run it by a system administrator or use a plugin such as CMC to easily apply the rule to the individual account.

    Let me know if this helps.

    Thank you.
     
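The rule above matches on the raw request line, so it is worth checking against real log lines what it would block before enabling it. The script below is an added example, not code from the thread or from cPanel: it parses Apache combined-format access log lines, applies the same `\?s=%` pattern the rule uses, decodes the WordPress `s` parameter, and reports which hits carry Hangul text (the pattern reported in the first post) versus percent-encoded searches that are not Korean at all. The log lines are constructed for the example (modelled on the request shown in the thread, with shortened user-agent strings and documentation-range IPs); the function and field names are the example's own.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# The pattern from the ModSecurity rule in this thread: SecRule REQUEST_URI "\?s=%.*" ...
# REQUEST_URI is matched on the raw, still percent-encoded request line, so "%" is a
# literal and the rule fires whenever the search term's FIRST character is percent-encoded.
RULE_RE = re.compile(r"\?s=%")

# Apache "combined" log format; only the fields this script needs are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hangul syllables block, used to recognise the Korean-text pattern reported in the thread.
HANGUL_RE = re.compile(r"[\uAC00-\uD7A3]")

# Constructed sample lines (not taken from the thread as-is). Lines 1 and 3 carry Korean
# text via the search parameter; line 2 is a normal search; line 4 is a legitimate search
# that starts with an accented character, which the rule would also block.
SAMPLE_LOG = """\
66.249.75.131 - - [05/Mar/2019:21:16:41 +0200] "GET /?s=%EC%B6%98%EC%B2%9C%E2%8A%99AIJ&feed=rss2 HTTP/1.1" 200 2201 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [05/Mar/2019:21:17:02 +0200] "GET /?s=wordpress+backup HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/65.0"
66.249.75.132 - - [05/Mar/2019:21:17:15 +0200] "GET /?s=%EC%B6%9C%EC%9E%A5%EC%95%88%EB%A7%88 HTTP/1.1" 200 2198 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.9 - - [05/Mar/2019:21:18:40 +0200] "GET /?s=%C3%A9lan+vital HTTP/1.1" 200 4980 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/72.0"
"""


def parse_line(line):
    """Return the named fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def rule_would_block(uri):
    """True if the thread's ModSecurity rule pattern matches this raw request URI."""
    return RULE_RE.search(uri) is not None


def decoded_search_term(uri):
    """Decode the WordPress search parameter 's' from a raw URI, or None if it is absent."""
    values = parse_qs(urlsplit(uri).query).get("s")
    return values[0] if values else None


def classify(line):
    """Describe one request: source IP, Googlebot UA or not, rule verdict, Hangul present, decoded term."""
    fields = parse_line(line)
    if fields is None:
        return None
    term = decoded_search_term(fields["uri"])
    return {
        "ip": fields["ip"],
        "googlebot_ua": "Googlebot" in fields["ua"],
        "blocked": rule_would_block(fields["uri"]),
        "hangul": bool(term and HANGUL_RE.search(term)),
        "term": term,
    }


def summarize(log_text):
    """Count how the rule would treat each request and separate the Korean-text hits from other blocked searches."""
    blocked_ips = Counter()
    stats = {"requests": 0, "blocked": 0, "blocked_hangul": 0,
             "blocked_no_hangul": 0, "blocked_googlebot_ua": 0}
    for line in log_text.splitlines():
        c = classify(line)
        if c is None:
            continue
        stats["requests"] += 1
        if not c["blocked"]:
            continue
        stats["blocked"] += 1
        blocked_ips[c["ip"]] += 1
        if c["hangul"]:
            stats["blocked_hangul"] += 1
        else:
            stats["blocked_no_hangul"] += 1  # candidate false positives to review
        if c["googlebot_ua"]:
            stats["blocked_googlebot_ua"] += 1
    stats["blocked_by_ip"] = dict(blocked_ips)
    return stats


if __name__ == "__main__":
    for sample in SAMPLE_LOG.splitlines():
        c = classify(sample)
        print(f'{c["ip"]:15} blocked={str(c["blocked"]):5} hangul={str(c["hangul"]):5} term={c["term"]!r}')
    print(summarize(SAMPLE_LOG))
```

Run it against a real `access_log` by replacing `SAMPLE_LOG` with the file contents: `blocked_no_hangul` is the number to look at, since the rule's pattern fires on any search whose first character is percent-encoded (an accented letter, a leading `%20`), while a search that starts with an ASCII letter and only later contains encoded text is never matched. The trailing `.*` in the rule's regex does nothing and can be dropped without changing what it matches.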
  3. hostvision

    hostvision Member

    Joined:
    Jul 22, 2005
    Messages:
    11
    Likes Received:
    1
    Trophy Points:
    153
    Location:
    Romania
    cPanel Access Level:
    Root Administrator
    Hi Michael,

    Thank you for the code; we used it and got rid of the extra load generated by the crawler bots.
     
    cPanelMichael likes this.
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    47,002
    Likes Received:
    2,123
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello @hostvision,

    I'm glad to see it helped. Thanks for sharing the outcome.
     