• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

intermittent logins POST to a bad URL

#1
We've noticed in our access files a large number of POST requests which appear to come from the login form, however the URL is being prepended with a forward slash, as though the base href is bad, however it isn't.

For example here is a snippet (of which we have _many_ examples) from an access log:

Code:
###.###.###.### - - [15/Jan/2015:16:56:21 -0600] "POST /http://www.iphoneforums.net/login/login HTTP/1.0" 404 29875 "http://www.iphoneforums.net/gallery/" "Mozilla/5.0 (Windows NT 5.1; rv:33.0) Gecko/20100101 Firefox/33.0"
I've checked a variety of ways to reproduce but so far have not been able to find the "/http://..." any where in source code, however we are seeing a lot of these in the access and error logs.

Has anyone come across this or have any ideas?
 

Mike

XenForo developer
Staff member
#2
Note that it's a HTTP 1.0 request. That is almost certainly a hint that it's actually from a bot masquerading as Firefox; the IP of the request might show that. In this case, it could just be a bot bug (a lot of them seem to have issue with the <base> tag).
 
#3
Note that it's a HTTP 1.0 request. That is almost certainly a hint that it's actually from a bot masquerading as Firefox; the IP of the request might show that. In this case, it could just be a bot bug (a lot of them seem to have issue with the <base> tag).
This is just 1 log line, I've just pulled the previous 11 IP's that have experienced this issue and did a reverse lookup on the IP's and none of them look very bot like. In addition, the browser tags are different on them... Safari, YaBrowser, and others. I don't think it is just a bot issue.

They are all HTTP/1.0 though, so that is a clue. Maybe these are bots just randomly mis-representing and on weird IP's....
 
Last edited:

Mike

XenForo developer
Staff member
#4
As a counter point, I just pulled some random IPs for requests matching that format here and a bunch of them come up as heavily reported to StopForumSpam. (Multiple hundreds of entries for some IPs.)
 
#5
As a counter point, I just pulled some random IPs for requests matching that format here and a bunch of them come up as heavily reported to StopForumSpam. (Multiple hundreds of entries for some IPs.)
You are right. Everyone I've checked is in SFS as well. I guess you nailed it ;) Bad bot software...

Thanks for your help Mike!