Wandering Thoughts archives


Peering into the depths of (presumed) website vulnerability probing

One of the unusual things that DWiki (the software behind here) does is that it rejects HTTP GET requests with unknown query parameters and logs them. Usually what this reports is yet another thing using yet another query parameter for analytics tracking, like Facebook and their 'fbclid=...' parameter (cf), which is a good part of why I no longer recommend being cautious in your web app. But every so often something else turns up, something that looks a lot like people probing for vulnerable web applications.

Recently, I've seen moderate number of requests here with some interesting invalid query parameters tacked on the end, for example:

GET /~cks/space/blog/tech/?mid=qna&act=dispBoardWrite

The bad query parameters are the 'mid=qna&act=dispBoardWrite' bit.

Unlike normal browsers following links with bad query parameters, the IPs requesting these URLs don't go on to request my CSS or any other resources (such as a site favicon). The direct requests tend to have HTTP Referers of other pages here, and sometimes there are POST requests for URLs like '/~cks/space/blog/tech/index.php' with a HTTP Referer of a page here that includes these query parameters.

Some casual Internet searches suggest that this may be an attempt to explode something called 'XPress Engine', which is apparently a Korean PHP based CMS (cf and related pages). On the other hand, Google has also indexed a bunch of pages with these to query parameters in them (often along with a 'page=NN' additional parameter). So my overall conclusion is that I don't really know what's under this rock.

(Over the past ten days, 29 different IPs have tried to poke me this way. A number of them have SBL listings, specifically SBL 224619, SBL 214239, and SBL 211023. It turns out that I'd already blocked all of the IP ranges from these SBL listings, so those probes weren't getting anywhere in the first place.)

web/SeeingSomeWebProbing written at 01:48:08; Add Comment

Page tools: See As Normal.
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.