intermittent logins POST to a bad URL

veraderock

veraderock

Member
We've noticed in our access files a large number of POST requests which appear to come from the login form, however the URL is being prepended with a forward slash, as though the base href is bad, however it isn't.

For example here is a snippet (of which we have _many_ examples) from an access log:

Code: 
###.###.###.### - - [15/Jan/2015:16:56:21 -0600] "POST /http://www.iphoneforums.net/login/login HTTP/1.0" 404 29875 "http://www.iphoneforums.net/gallery/" "Mozilla/5.0 (Windows NT 5.1; rv:33.0) Gecko/20100101 Firefox/33.0"

I've checked a variety of ways to reproduce but so far have not been able to find the "/http://..." any where in source code, however we are seeing a lot of these in the access and error logs.

Has anyone come across this or have any ideas?
 
Sort by date Sort by votes
Note that it's a HTTP 1.0 request. That is almost certainly a hint that it's actually from a bot masquerading as Firefox; the IP of the request might show that. In this case, it could just be a bot bug (a lot of them seem to have issue with the <base> tag).
 
Upvote 0 Downvote
Mike said:
Note that it's a HTTP 1.0 request. That is almost certainly a hint that it's actually from a bot masquerading as Firefox; the IP of the request might show that. In this case, it could just be a bot bug (a lot of them seem to have issue with the <base> tag).
Click to expand...

This is just 1 log line, I've just pulled the previous 11 IP's that have experienced this issue and did a reverse lookup on the IP's and none of them look very bot like. In addition, the browser tags are different on them... Safari, YaBrowser, and others. I don't think it is just a bot issue.

They are all HTTP/1.0 though, so that is a clue. Maybe these are bots just randomly mis-representing and on weird IP's....
 
Last edited:
Upvote 0 Downvote
As a counter point, I just pulled some random IPs for requests matching that format here and a bunch of them come up as heavily reported to StopForumSpam. (Multiple hundreds of entries for some IPs.)
 
Upvote 0 Downvote
Mike said:
As a counter point, I just pulled some random IPs for requests matching that format here and a bunch of them come up as heavily reported to StopForumSpam. (Multiple hundreds of entries for some IPs.)
Click to expand...

You are right. Everyone I've checked is in SFS as well. I guess you nailed it ;) Bad bot software...

Thanks for your help Mike!
 
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

Bonsai Coder
  • Question Question
XF 1.4 System keeps trying to send email to a bad account...
Replies
2
Views
582
Mike
Mike
Top Bottom