Peering into the depths of (presumed) website vulnerability probing

December 15, 2019

One of the unusual things that DWiki (the software behind here) does is that it rejects HTTP GET requests with unknown query parameters and logs them. Usually what this reports is yet another thing using yet another query parameter for analytics tracking, like Facebook and their 'fbclid=...' parameter (cf), which is a good part of why I no longer recommend this sort of caution in your web app. But every so often something else turns up, something that looks a lot like people probing for vulnerable web applications.

Recently, I've seen a moderate number of requests here with some interesting invalid query parameters tacked on the end, for example:

GET /~cks/space/blog/tech/?mid=qna&act=dispBoardWrite

The bad query parameters are the 'mid=qna&act=dispBoardWrite' bit.

Unlike normal browsers following links with bad query parameters, the IPs requesting these URLs don't go on to request my CSS or any other resources (such as a site favicon). The direct requests tend to have HTTP Referers of other pages here, and sometimes there are POST requests for URLs like '/~cks/space/blog/tech/index.php' with an HTTP Referer of a page here that includes these query parameters.
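As an added example (not part of the original post or of DWiki's own code), here is the kind of log check the two paragraphs above describe: flag GET requests whose query parameters fall outside an allowlist, then see whether the same IP went on to fetch CSS or a favicon, or POSTed to a '.php' URL. The log format, the allowlist contents and the IP addresses are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Query parameters the site accepts or tolerates as analytics noise (assumed list).
KNOWN_PARAMS = {"fbclid", "utm_source", "utm_medium", "utm_campaign"}

# Constructed sample access-log lines: common log format plus a Referer field.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Dec/2019:01:02:03 +0000] "GET /~cks/space/blog/tech/?mid=qna&act=dispBoardWrite HTTP/1.1" 403 0 "http://example.net/~cks/space/blog/"
192.0.2.10 - - [15/Dec/2019:01:02:04 +0000] "POST /~cks/space/blog/tech/index.php HTTP/1.1" 404 0 "http://example.net/~cks/space/blog/tech/?mid=qna&act=dispBoardWrite"
198.51.100.7 - - [15/Dec/2019:01:05:00 +0000] "GET /~cks/space/blog/tech/?fbclid=abc123 HTTP/1.1" 200 5120 "-"
198.51.100.7 - - [15/Dec/2019:01:05:01 +0000] "GET /~cks/space/dwiki.css HTTP/1.1" 200 900 "http://example.net/~cks/space/blog/tech/"
198.51.100.7 - - [15/Dec/2019:01:05:01 +0000] "GET /favicon.ico HTTP/1.1" 200 300 "-"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*"'
                    r' \d+ \S+ "(?P<referer>[^"]*)"')

def parse_line(line):
    """Split one access-log line into ip, method, url and referer (None if unparseable)."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def unknown_params(url):
    """Return the query parameter names that are not in KNOWN_PARAMS, in request order."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [name for name, _ in pairs if name not in KNOWN_PARAMS]

def is_page_resource(url):
    """True for the sub-resources a real browser fetches after loading a page."""
    return urlsplit(url).path.lower().endswith((".css", ".js", ".ico", ".png", ".gif", ".jpg"))

def classify(log_text):
    """Per client IP: unknown parameters seen, whether it fetched sub-resources,
    whether it POSTed to a .php URL, and the resulting probe verdict."""
    per_ip = defaultdict(lambda: {"unknown": set(), "fetched_resources": False, "php_post": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        info = per_ip[rec["ip"]]
        if rec["method"] == "GET":
            info["unknown"].update(unknown_params(rec["url"]))
            info["fetched_resources"] |= is_page_resource(rec["url"])
        elif rec["method"] == "POST" and urlsplit(rec["url"]).path.endswith(".php"):
            info["php_post"] = True
    # Likely probe: sent unknown parameters and never behaved like a browser afterwards.
    return {ip: dict(v, probe=bool(v["unknown"]) and not v["fetched_resources"])
            for ip, v in per_ip.items()}
```

Running `classify(SAMPLE_LOG)` marks 192.0.2.10 as a probe (unknown 'mid' and 'act', no CSS or favicon, a POST to index.php) and leaves 198.51.100.7 alone, since 'fbclid' is allowlisted and it fetched the page's resources.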

Some casual Internet searches suggest that this may be an attempt to exploit something called 'XPress Engine', which is apparently a Korean PHP-based CMS (cf and related pages). On the other hand, Google has also indexed a bunch of pages with these two query parameters in them (often along with an additional 'page=NN' parameter). So my overall conclusion is that I don't really know what's under this rock.

(Over the past ten days, 29 different IPs have tried to poke me this way. A number of them have SBL listings, specifically SBL 224619, SBL 214239, and SBL 211023. It turns out that I'd already blocked all of the IP ranges from these SBL listings, so those probes weren't getting anywhere in the first place.)

Comments on this page:

Could you describe how you block SBL IPs from surfing your wiki?

By cks at 2019-12-15 14:09:00:

This site runs behind Apache, so I use Apache's .htaccess with a 'Deny from ...' for the relevant IP address range, which is listed in the SBL entry. I don't block all SBL-listed IP addresses, because this isn't a good idea; there are plenty of SBL listed IPs that are perfectly legitimate web browsers (including many Tor exits).

Written on 15 December 2019.
Last modified: Sun Dec 15 01:48:08 2019