intermittent logins POST to a bad URL

Discussion in 'XenForo Questions and Support' started by veraderock, Jan 15, 2015.

  1. veraderock

    veraderock Member

    We've noticed in our access files a large number of POST requests which appear to come from the login form; however, the URL is being prepended with a forward slash, as though the base href is bad, but it isn't.

    For example here is a snippet (of which we have _many_ examples) from an access log:

    ###.###.###.### - - [15/Jan/2015:16:56:21 -0600] "POST /http://www.iphoneforums.net/login/login HTTP/1.0" 404 29875 "http://www.iphoneforums.net/gallery/" "Mozilla/5.0 (Windows NT 5.1; rv:33.0) Gecko/20100101 Firefox/33.0"
    I've checked a variety of ways to reproduce, but so far have not been able to find the "/http://..." anywhere in source code; however, we are seeing a lot of these in the access and error logs.

    Has anyone come across this or have any ideas?
  2. Mike

    Mike XenForo Developer Staff Member

    Note that it's an HTTP 1.0 request. That is almost certainly a hint that it's actually from a bot masquerading as Firefox; the IP of the request might show that. In this case, it could just be a bot bug (a lot of them seem to have issues with the <base> tag).
  3. ekool

    ekool Member

    This is just 1 log line. I've just pulled the previous 11 IPs that have experienced this issue and did a reverse lookup on the IPs, and none of them look very bot-like. In addition, the browser tags are different on them... Safari, YaBrowser, and others. I don't think it is just a bot issue.

    They are all HTTP/1.0 though, so that is a clue. Maybe these are bots just randomly misrepresenting and on weird IPs....
    Last edited: Jan 15, 2015
  4. Mike

    Mike XenForo Developer Staff Member

    As a counterpoint, I just pulled some random IPs for requests matching that format here and a bunch of them come up as heavily reported to StopForumSpam. (Multiple hundreds of entries for some IPs.)
  5. ekool

    ekool Member

    You are right. Every one I've checked is in SFS as well. I guess you nailed it ;) Bad bot software...

    Thanks for your help Mike!
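
An added example, not part of the thread and not XenForo code: a Python pass over combined-format access log lines that flags POSTs whose path is a slash followed by an absolute URL, groups them by client IP and counts how many arrived over HTTP/1.0, so the resulting addresses can be looked up in a reputation source such as StopForumSpam. The sample lines, IPs, the example.com host and the second user agent are constructed.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format, the format of the line quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) '
    r'(?P<proto>HTTP/\d\.\d)" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Path is "/" followed by an absolute URL: the client joined the form action
# to the site root instead of honouring <base>.
BAD_PATH_RE = re.compile(r"^/https?://", re.IGNORECASE)


def find_malformed_posts(lines):
    """Group POSTs with a '/http://...' path by client IP."""
    hits = defaultdict(lambda: {"count": 0, "http10": 0, "agents": set()})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "POST" or not BAD_PATH_RE.match(m["path"]):
            continue
        entry = hits[m["ip"]]
        entry["count"] += 1
        entry["http10"] += int(m["proto"] == "HTTP/1.0")
        entry["agents"].add(m["ua"])  # distinct user agents seen from this IP
    return dict(hits)


def _line(ip, request, status, ua):
    # Builds one constructed log line in combined format.
    return (f'{ip} - - [15/Jan/2015:16:56:21 -0600] "{request}" {status} 29875 '
            f'"http://www.example.com/gallery/" "{ua}"')


# Constructed sample input: RFC 5737 documentation IPs, example.com host.
FF = "Mozilla/5.0 (Windows NT 5.1; rv:33.0) Gecko/20100101 Firefox/33.0"
BAD = "POST /http://www.example.com/login/login HTTP/1.0"
SAMPLE = [
    _line("192.0.2.10", BAD, 404, FF),
    _line("192.0.2.10", BAD, 404, "Mozilla/5.0 (Macintosh) Safari/600.1.25"),
    _line("198.51.100.7", BAD, 404, FF),
    _line("203.0.113.5", "POST /login/login HTTP/1.1", 303, FF),  # normal login
    _line("203.0.113.9", "GET /gallery/ HTTP/1.0", 200, FF),  # HTTP/1.0 alone: not flagged
]

if __name__ == "__main__":
    for ip, e in sorted(find_malformed_posts(SAMPLE).items()):
        print(f"{ip}: {e['count']} malformed POSTs, "
              f"{e['http10']} over HTTP/1.0, {len(e['agents'])} user agents")
```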

