Join 3,438 readers in helping fund MetaFilter (Hide)


Strange Entries in Web Server Log
February 2, 2008 10:47 PM   Subscribe

Help me understand strange entries in web server log that look like spam attacks.

A few times a day, I will see an entry in my web server log where the query string portion of the URL has been substituted with a link to another site. In other words, what is normal is this:
http://www.somesite.com/mypage.asp?ProductID=13406

Instead, I see this:
http://www.somesite.com/mypage.asp?ProductID=http%3A%2F%2Fwww.vacacionalhouse.com%2Fen%2Fimg%2Fvohe%2Fseyon%2F&Type=QF

The site referenced in the query string is pretty much something different each time I see it. But, it always looks like some spam site. I don't think this is a hack attempt. But thinking it is a "spam bot gone wild" trying to get entries into a web server's DB in the hopes that it will appear on some page somewhere. If it helps, the referer field is not present in the request and the IP address of the requestor changes from day to day.

What do you think is going on? Thanks!
posted by GregWithLime to Computers & Internet (6 answers total) 2 users marked this as a favorite
 
Is there an HTML form on your page for which
1) action = mypage.asp
2) ProductID is an input (possibly hidden) ?

I've experience spam bots that crawl around until they find a form (any form), spam all of the fields with their spam-url, and then click "submit".

They're hoping the spam-url will appear somewhere on your web site (e.g., in a comments forum), thereby increasing their rank with search engines.
posted by qxntpqbbbqxl at 11:03 PM on February 2, 2008


If your hypothesis was true, I'd expect a search for the passed URL to return lots of hits, and voilá.

Here's a blog entry in German that seems like it's asking the same question. An autotranslation says something about a zombie net.
posted by XMLicious at 11:11 PM on February 2, 2008


qxntpqbbbqxl, passed into the page through the query string is the ID of the product whose information I am to display. The page is called from another page where I list products. So, no form is in use.

I too often see what you are talking about where all the fields on a form get stuffed with a spam url and/or other garbage. I think that is something similar to what is going on. Just wanted to bounce it off a few more people to make sure this isn't something more nefarious.

Whenever I step back at moments like this, I am shocked by the amount of time I have to spend defending myself against spammers and hack attempts.

Anyway, thanks for the responses. If anyone has any other thoughts, please post.
posted by GregWithLime at 11:20 PM on February 2, 2008


Here's a question about referer spam that might be relevant.
posted by loiseau at 4:04 AM on February 3, 2008


I think the spambots are doing this in the hope that your stats are publicly exposed without a password. Depending on what stats package you're using etc, that may well appear as a clickable link to their site. Google finds your stats page and sees links to their site which improves their ranking on Google.
posted by tetranz at 5:02 AM on February 3, 2008 [1 favorite]


tetranz, I see how that could be a problem. But, thankfully my site activity stats are not exposed.
posted by GregWithLime at 8:09 AM on February 3, 2008


« Older Where can I find a list of apa...   |  Can humans digest hair?... Newer »
This thread is closed to new comments.