BTW after the host portion of the URL everything is bogus. They are trying variations on the URL, all bogus and only some with the encoding error. Most are just generating 404 errors but when one caused a 400 error, which is very rare for my site, that got my attention. There is not even a valid URL with "accounting-service" spelled correctly in it.
Darryl Baker, GSEC, GCLD (he/him/his)
Sr. System Administrator
Distributed Application Platform Services
Northwestern University
4th Floor
2020 Ridge Avenue
Evanston, IL 60208-0801
darryl.baker@xxxxxxxxxxxxxxxx
(847) 467-6674 <tel:+18474676674>
On 11/1/22, 12:25 PM, "Eric Covener" <covener@xxxxxxxxx> wrote:
On Tue, Nov 1, 2022 at 10:26 AM Darryl Philip Baker
<darryl.baker@xxxxxxxxxxxxxxxx> wrote:
>
> We are getting a poorly formed URL being requested from our servers. Apache is returning a 400 error but I am wondering if someone is try to exploit an issue with some version of some web server out there. Maybe a Dos attack or worse. Anyone have a clue what is being attempted?
>
>
>
> Sketchy URL: https://www.northwestern.edu/accounting-scrvices/Annual%252ORepothtm
It's just an encoded space, %20, that was accidentally encoded again %25="%".
Could even be your own rewrites. The flags around escaping stuff are a
little confusing.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|