Peering into the depths of (presumed) website vulnerability probing
One of the unusual things that DWiki (the software behind here) does
is that it rejects HTTP GET requests with unknown query parameters
and logs them. Usually what this reports is yet another thing using
yet another query parameter for analytics tracking, like Facebook
and their 'fbclid=...' parameter (cf), which is a good
part of why I no longer recommend being cautious in your web
app. But every so often something else
turns up, something that looks a lot like people probing for
vulnerable web applications.
Recently, I've seen a moderate number of requests here with some interesting invalid query parameters tacked on the end, for example:
GET /~cks/space/blog/tech/?mid=qna&act=dispBoardWrite
The bad query parameters are the 'mid=qna&act=dispBoardWrite' bit.
Unlike normal browsers following links with bad query parameters, the IPs requesting these URLs don't go on to request my CSS or any other resources (such as a site favicon). The direct requests tend to have HTTP Referers of other pages here, and sometimes there are POST requests for URLs like '/~cks/space/blog/tech/index.php' with a HTTP Referer of a page here that includes these query parameters.
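The heuristic above (unknown query parameters, plus whether the same client ever came back for CSS or a favicon, plus a follow-up POST to a '.php' URL) is easy to run mechanically over a web server log. The following is an added example written for this page, not DWiki's own code or anything from the original post. It assumes Apache "combined" log format, a hypothetical allowlist of query parameters (KNOWN_PARAMS) standing in for whatever the site really accepts, and a handful of constructed log lines using documentation-range IP addresses.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Hypothetical allowlist of query parameters the wiki actually understands.
# DWiki's real list is not given in the post; this one exists only so the
# example has something to compare against.
KNOWN_PARAMS = frozenset({"search", "atom"})

# Requests for these are what a real browser fetches after loading a page.
RESOURCE_SUFFIXES = (".css", ".js", ".ico", ".png", ".gif", ".jpg")

# Constructed sample lines in Apache "combined" log format. None of these are
# from the original post; the IPs are documentation-range addresses and the
# timestamps, statuses and referers are invented.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:12:00:01 +0000] "GET /~cks/space/blog/tech/?mid=qna&act=dispBoardWrite HTTP/1.1" 400 512 "https://example.org/~cks/space/blog/" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:12:00:02 +0000] "POST /~cks/space/blog/tech/index.php HTTP/1.1" 404 210 "https://example.org/~cks/space/blog/tech/?mid=qna&act=dispBoardWrite" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:12:01:00 +0000] "GET /~cks/space/blog/tech/?fbclid=IwAR0abc HTTP/1.1" 400 512 "https://www.facebook.com/" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:12:01:01 +0000] "GET /~cks/dwiki/style.css HTTP/1.1" 200 3072 "https://example.org/~cks/space/blog/tech/" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:12:01:01 +0000] "GET /favicon.ico HTTP/1.1" 200 1150 "-" "Mozilla/5.0"
203.0.113.4 - - [10/Oct/2023:12:02:00 +0000] "GET /~cks/space/blog/tech/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    parts = urlsplit(req["target"])
    req["path"] = parts.path
    # Parameter names in the order they appear; blank values still count.
    req["params"] = [name for name, _ in parse_qsl(parts.query, keep_blank_values=True)]
    return req


def unknown_params(req, known=KNOWN_PARAMS):
    """Names of query parameters the site does not understand, deduplicated, in order."""
    found = []
    for name in req["params"]:
        if name not in known and name not in found:
            found.append(name)
    return found


def classify(log_text, known=KNOWN_PARAMS):
    """Group requests by client IP and judge each IP that sent unknown parameters.

    An IP that sent unknown parameters but then fetched CSS/favicon/etc. looks
    like a browser following a link with tracking junk appended.  One that never
    fetched any resources (and perhaps POSTed to a .php URL) looks like a scanner.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is not None:
            by_ip[req["ip"]].append(req)

    verdicts = {}
    for ip, reqs in by_ip.items():
        bad = set()
        for req in reqs:
            bad.update(unknown_params(req, known))
        if not bad:
            continue  # this client only sent parameters we understand
        fetched = any(r["path"].endswith(RESOURCE_SUFFIXES) for r in reqs)
        php_post = any(r["method"] == "POST" and r["path"].endswith(".php") for r in reqs)
        verdict = "browser-with-tracking-param" if fetched else "probe-like"
        verdicts[ip] = {
            "unknown_params": sorted(bad),
            "fetched_resources": fetched,
            "php_post": php_post,
            "verdict": verdict,
        }
    return verdicts


if __name__ == "__main__":
    for ip, info in classify(SAMPLE_LOG).items():
        print(f"{ip}: {info['verdict']} params={info['unknown_params']} "
              f"php_post={info['php_post']}")
```

The split between "probe-like" and "browser-with-tracking-param" is the same distinction the post draws by eye: a real browser that arrived via a Facebook link with 'fbclid=' attached still goes on to fetch the stylesheet and favicon, while the 'mid=qna&act=dispBoardWrite' client never does and instead POSTs to an 'index.php' that does not exist here. The POST is recorded separately so that it can be used as a second signal rather than folded into the verdict.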
Some casual Internet searches suggest that this may be an attempt
to exploit something called 'XPress Engine', which is apparently a
Korean PHP-based CMS (cf and
related pages). On the other hand, Google has also indexed a bunch
of pages with these two query parameters in them (often along with
a 'page=NN' additional parameter). So my overall conclusion is
that I don't really know what's under this rock.
(Over the past ten days, 29 different IPs have tried to poke me this way. A number of them have SBL listings, specifically SBL 224619, SBL 214239, and SBL 211023. It turns out that I'd already blocked all of the IP ranges from these SBL listings, so those probes weren't getting anywhere in the first place.)