Question for the IT literate. I’ve been seeing lots of bots hitting uri’s that would ordinarily resolve, but have this tacked on ‘//RK=0/RS=foo-‘ where ‘foo’ is some random jumble of characters. Examples:
../musings/2013/on-the-consensus//RK=0/RS=wj9nLGk9RY66Tpxydd4skAav064-
../musings/2013/more-on-scienceblogs-traffic//RK=0/RS=BDZSqlD_sJLQ5osghamRWnwtF.0-
../musings/2013/more-on-scienceblogs-traffic//RK=0/RS=cIWLdS1kr7VeaLlAV2vNJtonS_U-
../musings/2013/more-on-scienceblogs-traffic//RK=0/RS=w6AkQpooJ4f09dJRhoo_ei2XOyU-
../musings/2013/more-on-scienceblogs-traffic//RK=0/RS=K6a7mdZpS1ZUIyFxYsK5RCVxCGM-
There are tons and tons of these lately with the number growing over time. They ask for various addresses– often the same ‘base’ address a few times in a row. The vast majority come from server farms, vpns, proxies of various sorts and would be blocked by signatures in ZBblock. The remaining are sufficiently distinctive to be easy to block and they are.
I have a theory that these are mostly ‘bots’ on ‘infected servers’ but that’s not my question.
Here’s the question: I was wondering if anyone knows what the heck the bot is trying to do? Is it looking for a particular vulnerable software with an address that contains these sorts of strings? If yes, which? I’m mostly just curious, but if these present some sort of actual danger, I’d like to know that too.
Update April 22, 2014
Turns out you can write a page rule to cause Cloudflare to forward these elsewhere, keeping them off one’s own site. Alas, I can’t seem to forward to ‘nowhere’. So I forwarded to Google, who probably won’t even notice the ‘bad bot’ traffic (or who has the resources to deal with them.) The other alternative would be to forward them to some uri that does not exist. Or possibly an SEO uri that generates prodigious amounts of bot traffic? (e.g. https://www.majestic12.co.uk/)?
It’s some shoddy fishing expedition looking for HTTP returns that might be exploited.
Easy to quash:
http://stackoverflow.com/questions/22761208/htaccess-rewrite-rule-remove-everything-after-rk-0-rs
Or, just move this blog to wordpress.com and don’t worry about it, like I don’t.
Hi Anthony,
I’d seen that page. I know how to block it. The thing is that page doesn’t say they’ve figured out exactly what it is. It’s been around in increasing levels over time. I know how to block it… but I’m curious as heck about what the heck it is really trying to do.
I can’t think of anything strings like that would be used to attack, but I have noticed a couple of sites seem to have been infected with something related to them. One of the first things I noticed about the requests is that they often seem to request directories which don’t exist. Investigating that angle, I came across a few sites who have directories that don’t seem to fit the site. The cases I found were all short names, case-sensitive, and appear not to have links to them anywhere on the site. They also convert any string after them into a search, pulling up results from the site that match them. However, instead of showing the normal search box above the results, the returned pages display a short blurb, the search string and some other text intermixed. They also change the title of the page to insert the search query.
That said, I don’t know if the infected sites I found are actually linked to the hits you’re seeing. It may just be that the bots hitting you sometimes hit sites infected by something else and get “logged” because of the infected sites treating the bots’ requests as searches.
I do know the sites I found are connected via the same thing though. My first guess is they share the same CMS, but hopefully I’ll know more later today when I have more time to look into this.
Bots aren’t viruses, I know.
One of the things lots (edit: some?) of computer viruses do that isn’t immediately intuitive is to write a signature of sorts, so the virus can identify what’s infected and what’s not, so it doesn’t reinfect the same file a zillion times.
Maybe the bots are looking for sites that are infected with something? Just a WAG.
Mark–
It’s possible they are looking for a site that was previously infected.
The thing is: it’s actually useful to learn what they are looking for. The reason is that if they are looking for something, the web admin might know that it would be best to make sure whatever that is either (a) is not there or (b) is not vulnerable.
In the event it’s looking for a server that already is infected, it would be nice to know what with and then scan a server to see if the infection is there– but the bot just isn’t finding it. Or, failing that, if it’s looking for something that is there (just at a slightly different address) it would be useful to beef it up.
This thing is hitting quite a bit.
Admittedly, it just looks like ‘bot barf’– and that’s what I thought it must be months ago. But if so…. why so many? and for so long? These attempts are a bit like the ‘timthumb.php’ type probing in frequency. That was hunting for a vulnerability.
Lucia,
Do the ‘foo’ parts repeat, or are they unique every time you see them? Could they be a hash or message digest of the requested URL?
One way to find out more might be to create something on the server to satisfy the bots request (if you can anticipate the foo), just to see how it behaves if it finds something.
Maybe create a text file that matches the foo request that says ‘Arlo says, try Alice’s restaurant.’?
Lucia: I googled those strings, thinking I might find a site that is the source or is infected. Nada. Yours is the only site with those strings.
I haven’t logged all the ‘foos’ but they at least seem to be unique and not specific to the ‘real’ part of the uri. Note that the post “./musings/2013/more-on-scienceblogs-traffic//RK=0/RS=foo-” had three different ‘foo’ values above.
I don’t know how to anticipate the ‘foo’.
Currently, I just ban these IPs. So that specific IP will be banned for a while. I asked Cloudflare for tips on banning these at Cloudflare. They made a suggestion I’d already tried and which doesn’t work. So, I emailed back explaining why that solution doesn’t work.
Banning them at cloudflare isn’t ‘necessary’, but it would be sort of nice.
I don’t know what it’s all about, but if I think of anything or bump into anyone who has any ideas I’ll let you know. It’s interesting, thanks.
It is probably an injection of some kind. BTW, it is novel, as Google gives no useful answer.
Here’s a discussion about googlebots doing something sort of similar. The opinion there seems to be the bots are forcing 404 errors to see how sites handle them.
Mark Bofill,
I sometimes think some people ‘feed’ Google bad links possibly by putting those links on a page Google indexes. When I see a googlebot-specific odd thing, I write something to sort that out.
Every now and then, Google does ask for the RK=0/RS=foo- thing, but it’s rare.
To give you an idea how many of these there are… more than 100 such requests between midnight last night and 8 am this morning. They don’t cause problems because they never get to the point of loading WordPress. But it’s quite a bit of ‘traffic’.
mm.
some more discussion:
http://www.graphicline.co.za/articles/added-uri-string-rsada
There’s mention of it at Stack Overflow but nobody there seems to know what the heck it is either…
Sadly my free time this afternoon has just expired. 🙁
Some mention of the “RK=0/RS” on the web. Most seem puzzled as to what it is and does. The first link has a tip to remove.
http://stackoverflow.com/questions/22761208/htaccess-rewrite-rule-remove-everything-after-rk-0-rs
http://webmasters.stackexchange.com/questions/58871/strange-entry-in-access-log
It also seems to be injected into some text on some pages. The following I found, along with a bunch of other sites with similar injections.
SAMSUNG GALAXY GRAND QUATTRO RK 0 RS PPLWXE9YQFIOCCXB5CMB0XVVJWU
Following up on my previous comment, I’m less convinced what I came across is related to the question raised in this topic. Still, it’s interesting. I’ll demonstrate the pattern I mentioned before. Compare these two pages:
http://www.ugraphic.net/go/brandon
http://www.ugraphic.net/go/lucia
I saw the same pattern of behavior on a number of other pages, all of which seem to use many of the same things. The most striking similarity is they have the same Disclaimer (and sometimes Privacy Policy) pages, suggesting the sites use some sort of packaged software for creating the sites. One example is:
http://www.creanie.com/to/brandon-shollenberger
Anyway, I don’t see how that would be an intended feature of those sites, but I no longer think it has to do with what this is talking about. I think this odd “feature” on those sites just produced pages with similar strings after getting similar requests as you got.
So if you see pages like:
http://www.midearen.net/rod/full-hd-nuke-girlls-photo-rk0-rs-sj51a7ipapbzck4messv4ewg4a
In search results, they probably won’t be informative.
Brandon… hmmm.. but maybe someone wrote a package where the RK=0/RS=foo- does something and that package is vulnerable. If so, one hopes the people with the vulnerability learn what it is!
Hmm… I went to advanced. Here are uri’s with that in them
https://www.google.com/search?hl=en&as_q=&as_epq=RK%3D0%2FRS%3D&as_oq=&as_eq=&as_nlo=&as_nhi=&lr=&cr=&as_qdr=all&as_sitesearch=&as_occt=url&safe=images&tbs=&as_filetype=&as_rights=
lucia, my guess is that’s what happened. My guess would be the strings are either payload which has been encoded in a way some package will read in an undesired (by the site owner) way. If so, I’d guess it’d be trying to submit some value (like perhaps changing an admin password) or it’d be trying to provoke servers/packages into giving information out about them.
I just didn’t see any real information about it. The thing I stumbled into was interesting, but I think it’s unrelated. If so, I couldn’t find any obvious starting points for an investigation. I assume there’s an answer to be found, but I lack either the information, skills or motivation to find it.
I did the same search lucia. I believe all the results I looked at were just pages someone had done a request through. As in, if you click on a link, you’ll see a search query in the page’s search box which has that string in it.
It doesn’t tell us much.
Brandon–
Don’t spend a huge amount of time. The purpose of asking is in case someone else has seen it and knows what it is. If a simple Google search worked, I’d have found it. But it’s a bit mysterious.
Miranda
Lew is testing to see who the paranoids are, and if they attribute the attacks to individual hackers, or a conspiracy of several such hackers.
Re: Pouncer (Apr 21 19:32),
Or maybe he is attempting to sow the seeds of ideation on targeted skeptic websites.
when lucia gets close to the truth about Lew..
she gets distracted by a purposely meaningless intrusion attempt.
and Brandon gets sucked in to…
now. That’s conspiratorial ideation.
Mosher–
Never fear… I sent a brief question to UWA. I got a response. I have a contact… and some direction. I am writing my complaints which I think will be broken in 2 parts. One addresses Fury, one addresses Moonhoax. It will take a bit. They will not be blog posts. But the blog posts helped, particularly as people have brought forward relevant stuff I was unaware of. (The trove of Marriot stuff. Wow!)
Lucia – as expected other people are also watching Frontiers and UWA
http://www.arec.org.uk/index.asp?pageid=557440
It looks like an attempt to exploit error messages in systems that pass tokens in URIs. I don’t know what particular system this would be attacking, but I am guessing it throws a random string in http:…RS=foo, then parses the return page for any portion of foo in the hope it is something like “error invalid identifier expected ‘bar’ got ‘foo’”, then retries the page with http:…RS=bar to fake its way into a valid session.
Hi group! Just saw these coming in today… I check for these things every day, a couple of times a day..
It appears to be a way to inject the “funky” characters into the title of a webpage. Some talk of it being WP but it looks to be infecting some other type of blog.
Using the following cleans it up from getting into your logs.
RewriteEngine On
RewriteRule ^(.*)RK=0/RS= /$1 [L,NC,R=301]
although if, for example, it is just a file (aka .html/RK=0/RS=aslfksaflkasdjf) it doesn’t work.
If you do a search on Google for RK=0/RS= you will see lots of infected webpages with the “title” modified by the injection.
Regards.
R.
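An added example (not code from this blog or any of the commenters) that does three things the thread circles around: it pulls the ‘//RK=0/RS=foo-’ requests out of access-log lines and strips the tail back to the base path, handling the trailing-slash and ‘.html/RK=0/RS=’ cases R.’s rewrite rule trips over; it counts hits and distinct ‘foo’ values per base path, as Lucia did by hand; and it checks Mark Bofill’s hypothesis that ‘foo’ is a digest of the requested URL against a few obvious candidates. The log lines are constructed: the paths are the ones quoted on this page, the IPs, timestamps, user agents and the host name example.invalid are made up.

```python
import base64, hashlib, re
from collections import defaultdict

# Constructed access-log lines (combined log format): paths are the ones quoted in the
# question and in R.'s comment; the IPs, timestamps and user agents are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Apr/2014:06:01:12 -0500] "GET /musings/2013/on-the-consensus//RK=0/RS=wj9nLGk9RY66Tpxydd4skAav064- HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.11 - - [21/Apr/2014:06:02:40 -0500] "GET /musings/2013/more-on-scienceblogs-traffic//RK=0/RS=BDZSqlD_sJLQ5osghamRWnwtF.0- HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.11 - - [21/Apr/2014:06:02:41 -0500] "GET /musings/2013/more-on-scienceblogs-traffic//RK=0/RS=cIWLdS1kr7VeaLlAV2vNJtonS_U- HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Apr/2014:06:05:03 -0500] "GET /musings/2013/more-on-scienceblogs-traffic//RK=0/RS=w6AkQpooJ4f09dJRhoo_ei2XOyU- HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Apr/2014:06:05:04 -0500] "GET /musings/2013/on-the-consensus HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Apr/2014:06:07:30 -0500] "GET /about.html/RK=0/RS=aslfksaflkasdjf- HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) HTTP/')
# Swallowing the whole run of slashes before RK=0/RS= is what makes the file case
# (/about.html/RK=0/RS=...) come back as /about.html rather than /about.html/.
RK_RS_RE = re.compile(r'/+RK=0/RS=([^/\s]*)$', re.IGNORECASE)

def split_rk_rs(path):
    """Return (base_path, token) for a tagged path, or (path, None) otherwise."""
    m = RK_RS_RE.search(path)
    if not m:
        return path, None
    return (path[:m.start()] or '/'), m.group(1)

def summarize(log_text):
    """Group tagged requests by base path: hit count, distinct tokens, distinct IPs."""
    stats = defaultdict(lambda: {'hits': 0, 'tokens': set(), 'ips': set()})
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, path = m.groups()
        base, token = split_rk_rs(path)
        if token is None:
            continue
        stats[base]['hits'] += 1
        stats[base]['tokens'].add(token)
        stats[base]['ips'].add(ip)
    return dict(stats)

def digest_candidates(token, base_path, host='example.invalid'):
    """Mark's hypothesis: is the token a base64url digest of the URL? Returns the
    (hash, input) pairs that reproduce it; an empty list means none of those tried do."""
    want = token.rstrip('-')
    inputs = {'path': base_path, 'url': 'http://' + host + base_path}
    return [(h, i) for h in ('md5', 'sha1', 'sha256') for i, text in inputs.items()
            if base64.urlsafe_b64encode(hashlib.new(h, text.encode()).digest())
            .decode().rstrip('=') == want]
```

Run summarize over a real access log to see which posts are being hit and from how many addresses; digest_candidates only rules out the handful of digest constructions it tries, so an empty result means “not an obvious hash of the path”, not “not a hash”.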