BTW after the host portion of the URL everything is bogus. They are trying variations on the URL, all bogus and only some with the encoding error. Most are just generating 404 errors but when one caused a 400 error, which is very rare for my site, that got my attention. There is not even a valid URL with "accounting-service" spelled correctly in it. Darryl Baker, GSEC, GCLD (he/him/his) Sr. System Administrator Distributed Application Platform Services Northwestern University 4th Floor 2020 Ridge Avenue Evanston, IL 60208-0801 darryl.baker@xxxxxxxxxxxxxxxx (847) 467-6674 <tel:+18474676674> On 11/1/22, 12:25 PM, "Eric Covener" <covener@xxxxxxxxx> wrote: On Tue, Nov 1, 2022 at 10:26 AM Darryl Philip Baker <darryl.baker@xxxxxxxxxxxxxxxx> wrote: > > We are getting a poorly formed URL being requested from our servers. Apache is returning a 400 error but I am wondering if someone is try to exploit an issue with some version of some web server out there. Maybe a Dos attack or worse. Anyone have a clue what is being attempted? > > > > Sketchy URL: https://www.northwestern.edu/accounting-scrvices/Annual%252ORepothtm It's just an encoded space, %20, that was accidentally encoded again %25="%". Could even be your own rewrites. The flags around escaping stuff are a little confusing. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx