Strange links appearing in 404 logs
I've recently been going through our 404 logs and we have a number of URLs which look like this turning up:-
www.makejusticework.org.uk/%2B%255BPLM=0%255D%2BGET%2Bhttp:/www.makejusticework.org.uk/%2B%255B0,51217,54078%255D%2B-%253E%2B%255BN%255D%2BPOST%2Bhttp:/www.makejusticework.org.uk/media/roma-hoopers-justice-campaign-blog/prison-expensive-making-people-worse-roger-graef-obe-ceo-films-record-ambassador-justice-work/2012/02/22/%2B%255B0,0,67227%255D
It contains the actual URL, which is:-
www.makejusticework.org.uk/media/roma-hoopers-justice-campaign-blog/prison-expensive-making-people-worse-roger-graef-obe-ceo-films-record-ambassador-justice-work/2012/02/22/
This blog post relates to a recently redirected URL (standard 301 redirect), hence the concern - can anyone shed any light on this kind of thing?
More posts by @Karen161
2 Comments
This is some sort of comment-spam or possibly a hack attempt, but it's rather difficult to find out what it's trying to do. If it's a hack attempt, it could be a probe in which many thousands of sites are hit with the same type of attempted exploit, and only those that show promise are followed up.
To analyse this URL, here's a simple Perl one-liner:
perl -MURI::Escape -e '$line = <STDIN>; print uri_unescape(uri_unescape($line))'
Run this from the shell, then paste in your URL and hit Enter, then Ctrl/D to finish. The output is:
www.makejusticework.org.uk/+[PLM=0]+GET+http:/www.makejusticework.org.uk/+[0,51217,54078]+->+[N]+POST+http:/www.makejusticework.org.uk/media/roma-hoopers-justice-campaign-blog/prison-expensive-making-people-worse-roger-graef-obe-ceo-films-record-ambassador-justice-work/2012/02/22/+[0,0,67227]
Here's a security site's comment - still doesn't really say anything useful: isc.sans.edu/diary.html?storyid=4003 (SANS is good on malware analysis generally).
This is a slightly more useful analysis - as ChrisWiegman said, it seems to be some sort of spam bot, given the POST command in the URL: rankexploits.com/musings/2011/sorry-bergen-norway/ - has some comments on mod_rewrite rules to block this sort of thing.
I would investigate your logs around the time of a couple of attempts to see if there are any other odd attempts. Unless you find something else going on, the risk of this hack attempt getting into your site is fairly low.
It's worth checking for any vulnerabilities announced in the web applications you run on that site, and updating to the latest version if there are any.
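The double decoding done by the Perl one-liner above, extended to scan a whole access log for 404s of this shape, as an added Python example that is not part of the original answer. The log lines are constructed (example.org host, documentation IP addresses), the combined log format is an assumption, and the function names are illustrative.

```python
import re
from urllib.parse import unquote

# Request line and status of a common/combined-format access log entry (assumed format).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Shape seen in the decoded URL on this page: "+GET+http:/..." or "+POST+http:/..."
EMBEDDED_RE = re.compile(r'\+(GET|POST)\+(https?:/+[^+\s]+)')
# Bracketed tokens such as [PLM=0], [0,51217,54078], [N]
TOKEN_RE = re.compile(r'\[([^\]]*)\]')

def fully_unquote(value, max_rounds=5):
    """Percent-decode until the string stops changing; return (decoded, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)  # like uri_unescape: leaves '+' untouched
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def scan(log_lines):
    """Return one finding per 404 whose decoded path embeds further HTTP requests."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group("status") != "404":
            continue
        decoded, rounds = fully_unquote(m.group("path"))
        embedded = EMBEDDED_RE.findall(decoded)
        if embedded:
            findings.append({
                "client": line.split()[0],
                "encoding_rounds": rounds,
                "embedded": embedded,  # [(method, url), ...]
                "tokens": TOKEN_RE.findall(decoded),
            })
    return findings

# Constructed sample log lines, modelled on the URL in the question.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Feb/2012:10:00:01 +0000] "GET /%2B%255BPLM=0%255D%2BGET%2Bhttp:/www.example.org/%2B%255B0,51217,54078%255D%2B-%253E%2B%255BN%255D%2BPOST%2Bhttp:/www.example.org/blog/post/%2B%255B0,0,67227%255D HTTP/1.1" 404 512 "-" "-"',
    '198.51.100.4 - - [22/Feb/2012:10:00:05 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.4 - - [22/Feb/2012:10:00:09 +0000] "GET /blog/post/ HTTP/1.1" 200 8123 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Grouping the findings by client address and timestamp gives a starting point for the "look at your logs around the time of the attempts" step.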
Most likely it is a bot looking for vulnerabilities in your site. Some plugins and themes could allow users to post commands like that to do bad things to your site...