What do you think is happening here?

LPH

LPH

Well-known member
The error logs are filled with gibberish:

Code: 
[Tue Feb 05 20:13:33 2013] [error] [host www.retainingteachers.com] [client 5.158.234.33] (36)File name too long: access to /community/++++++++++++++++++++++++++++++++++++++Result:+\xe4\xe0\xed\xe​d\xfb\xe9+IP+\xe7\xe0\xe1\xe0\xed\xe8\xeb\xe8+-+\xec\xe5\xed\xff\xe5\xec​+\xef\xf0\xee\xea\xf1\xe8+1+\xf0\xe0\xe7;+\xe8\xf1\xef\xee\xeb\xfc\xe7\x​f3\xe5\xec+\xef\xf0\xee\xea\xf1\xe8+187.93.77.235:3128;+GET-\xf2\xe0\xe9​\xec\xe0\xf3\xf2\xee\xe2+30;+\xe7\xe0\xf0\xe5\xe3\xe8\xf1\xf2\xf0\xe8\xf​0\xee\xe2\xe0\xeb\xe8\xf1\xfc;+\xe2\xee\xf8\xeb\xe8;+\xed\xe5+\xed\xe0\x​f8\xeb\xee\xf1\xfc+\xf4\xee\xf0\xec\xfb+\xe4\xeb\xff+\xee\xf2\xef\xf0\xe​0\xe2\xea\xe8;+\xe2\xee\xe7\xec\xee\xe6\xed\xee,+\xf0\xe5\xe3\xe8\xf1\xf​2\xf0\xe0\xf6\xe8\xff+\xed\xe5+\xf3\xe4\xe0\xeb\xe0\xf1\xfc+(\xe2\xfb\xf​1\xeb\xe0\xed+\xea\xee\xe4+\xe0\xea\xf2\xe8\xe2\xe0\xf6\xe8\xe8+/+\xe8\x​f1\xef\xee\xeb\xfc\xe7\xf3\xe5\xf2\xf1\xff+\xe4\xee\xef\xee\xeb\xed\xe8\​xf2\xe5\xeb\xfc\xed\xe0\xff+\xe7\xe0\xf9\xe8\xf2\xe0+/+\xf1\xe1\xee\xe9+​\xe2+\xf0\xe0\xe1\xee\xf2\xe5+\xf4\xee\xf0\xf3\xec\xe0+/+...); failed, referer: http://www.retainingteachers.com/community/+++++++++++++++++++++++++++++​+++++++++Result:+%E4%E0%ED%ED%FB%E9+IP+%E7%E0%E1%E0%ED%E8%EB%E8+-+%EC%E5​%ED%FF%E5%EC+%EF%F0%EE%EA%F1%E8+1+%F0%E0%E7;+%E8%F1%EF%EE%EB%FC%E7%F3%E5​%EC+%EF%F0%EE%EA%F1%E8+187.93.77.235:3128;+GET-%F2%E0%E9%EC%E0%F3%F2%EE%​E2+30;+%E7%E0%F0%E5%E3%E8%F1%F2%F0%E8%F0%EE%E2%E0%EB%E8%F1%FC;+%E2%EE%F8​%EB%E8;+%ED%E5+%ED%E0%F8%EB%EE%F1%FC+%F4%EE%F0%EC%FB+%E4%EB%FF+%EE%F2%EF​%F0%E0%E2%EA%E8;+%E2%EE%E7%EC%EE%E6%ED%EE,+%F0%E5%E3%E8%F1%F2%F0%E0%F6%E​8%FF+%ED%E5+%F3%E4%E0%EB%E0%F1%FC+%28%E2%FB%F1%EB%E0%ED+%EA%EE%E4+%E0%EA​%F2%E8%E2%E0%F6%E8%E8+/+%E8%F1%EF%EE%EB%FC%E7%F3%E5%F2%F1%FF+%E4%EE%EF%E​E%EB%ED%E8%F2%E5%EB%FC%ED%E0%FF+%E7%E0%F9%E8%F2%E0+/+%F1%E1%EE%E9+%E2+%F​0%E0%E1%EE%F2%E5+%F4%EE%F0%F3%EC%E0+/+...%29;


What do you think is the attempt because clearly this is not a human typing into a browser?
 
I believe it's a bot, I see the same entries on a few vB sites. Either a spam bot or other type...
 
Thanks. I was hoping someone might explain why the string formation. Spam has started to increase - so it's probably tied to that too.
 
1 of 2 things....

If you see this "here or there", but not always and often.... Exploit search. Most likely answer and nothing to worry about. :)

If you see this A LOT (1 - 10 sources, but not long term).... Possible early ddos attack.

Your server will use Y amount of resources the deeper you go into a directory structure / path . And uses Y amount to redirect you from X (being it real or not) to a standard 404 page vs a simple hit.

A small group will hit you with 1 - 10 locations (testing the water). If your site seems "favorable" they'll add you to their target list. Such people like to hit sites not 1 at a time, but a few dozen at a time. And when they return..... It will not be 1 - 10 locations (a lot more than that).
 

Similar threads

Deepmartini
Add-on Is Anyone Using The Xenomorph Framework? What Do You Think?
Replies
2
Views
1K
Shelley
Shelley
Back
Top Bottom