A little while ago I mentioned some work I’d been doing with regard to 404 error processing with this blog’s engine. As part of that post, I disclosed some examples of remarkably stupid attempts to discover the whereabouts of standard PHP pages on this site. Except that this site does not use PHP, it’s not using WordPress of some ancient vintage, but instead uses an ASP.NET blogging engine.
Since that time nearly three months ago, I’ve been continuing to monitor the 404 error logs. Some of the “not-found” URLs have been beneficial (I discovered a bug in GraffitiCMS with regard to commenting, for example, that I’ve since fixed), but mostly they’ve been either of the aforementioned PHP persuasion or downright bizarre (such that I can’t imagine how they came about automatically, in which case there are some remarkably stupid script kiddies out there).
Until this morning, when I came across an entirely new type of URL in the logs. Here’s an example:
That is some bizarre type of code injection going on, I must say. But, it’s not unknown. If you do a search for “Result: chosen nickname”, you quickly get to this question on the IT Security StackExchange site: Strange request URI with lot of + (spaces) and “chosen nickname”. It seems to be fishing for a particular (but unidentified) bug and is almost certainly propagated by a botnet.
The other bizarre, yet utterly fascinating, thing about this particular injection attack is that it only occurs with the blog post where I talk about 404 errors and the attempt to discover standard PHP pages. None of the other hundreds of blog posts on this site are getting these injection searches, only that particular one. The “nickname” changes on occasion, sometimes the double quotes are escaped, but the only URL this “chosen nickname” hack is tacked onto is my previous PHP-and-404 post. Interesting, no?
And now I shall be checking to see whether this post attracts these injection attempts…
(Before anyone asks: the image is a picture of a sign outside a building near here. I felt the original “BLDG” was sufficiently close to “BLOG” that I should photograph and Photoshop it.)
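One way to pull these requests out of a 404 log and check whether they really cluster on a single post, as an added example (not code from this blog or from GraffitiCMS). The log entries, paths, nicknames and addresses are constructed, and where the marker sits in the URL is an assumption, since the original request is not reproduced here.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample 404 entries: (client address, requested URL).
# All values are invented for illustration (documentation address ranges).
SAMPLE_404S = [
    ("203.0.113.7", "/blog/php-and-404/++++++Result:+chosen+nickname+%22fluffy42%22"),
    ("198.51.100.9", "/blog/php-and-404/+++result:+chosen+nickname+\\%22qwerty\\%22"),
    ("203.0.113.7", "/wp-login.php"),
    ("192.0.2.15", "/blog/php-and-404/++++Result:+chosen+nickname+%22abc%22"),
    ("192.0.2.44", "/blog/some-other-post/comments"),
]

# Case-insensitive, because the commenter below saw a lower-case "result".
MARKER = re.compile(r"\s*result:\s*chosen\s+nickname\s*(.*)$", re.IGNORECASE)


def split_probe(url):
    """Return (base_path, nickname) if the URL carries the marker, else None."""
    decoded = unquote_plus(url)  # turn '+' and %xx back into plain text
    match = MARKER.search(decoded)
    if match is None:
        return None
    base = decoded[:match.start()].rstrip()
    # The quotes around the nickname are sometimes backslash-escaped.
    nickname = match.group(1).replace("\\", "").strip().strip('"')
    return base, nickname


def summarize(entries):
    """Count probes per targeted path; collect nicknames and client addresses."""
    targets, nicknames, clients = Counter(), set(), set()
    for client, url in entries:
        hit = split_probe(url)
        if hit:
            base, nickname = hit
            targets[base] += 1
            nicknames.add(nickname)
            clients.add(client)
    return targets, nicknames, clients


if __name__ == "__main__":
    targets, nicknames, clients = summarize(SAMPLE_404S)
    for path, count in targets.most_common():
        print(f"{count:4d}  {path}")
    print(f"{len(nicknames)} nicknames from {len(clients)} client addresses")
```

A single targeted path hit by many client addresses with rotating nicknames matches the pattern described above; ordinary PHP probes such as `/wp-login.php` are left out of the tally.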
#1 flapane said...11-Oct-14 11:51 AM
"The other bizarre, yet utterly fascinating, thing about this particular injection attack is that it only occurs with the blog post where I talk about 404 errors and the attempt to discover standard PHP pages"
For some reason, it doesn't target my WordPress blog, but the PHP guestbook I myself wrote a while ago, and the word "result" doesn't begin with a capital letter anymore.
I've just added the htaccess restriction suggested on StackExchange, the only difference being a '- [F]' redirection. Those stupid bots don't deserve my custom 404 error page.