Malicious Probes?

  • Resolved svacontact

    (@svacontact)


    9 years, 4 months ago

    First, nice plugin! It suits my needs almost perfectly. Second, I’m starting to see an increase in probes using the following query string:

    GET /?SimpleHistoryGuid=XXXX

    Of course these come from IP addresses that should not be using the site for any reason. When I test this string when not logged in, I am routed to the site home page, which is public, so that is not a big issue other than server resources. I would prefer to just reject these, but they are coming from two many IP address to blacklist. Any idea what they may be after? Thanks.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Pär Thernström

    (@eskapism)

    9 years, 4 months ago

    That query string is used when someone is trying to view the rss feed of the history. Have you, or perhaps some other in your team, added the link to a RSS reader service somewhere?

    Thread Starter svacontact

    (@svacontact)

    9 years, 4 months ago

    I did enable RSS for a brief time, but only for myself and shared with no one. I have since turned this off completely, but am still seeing (failed) attempts in the log files. These attempts are totally aware of the “secret” string. Is it possible that the default secret string is not random?

    Thread Starter svacontact

    (@svacontact)

    9 years, 3 months ago

    Thanks for responding. I think I may have resolved this. It turns out that the RSS reader app I was briefly using makes it rather difficult to permanently and completely remove a feed and is relentless in continuing to try to read it (even if you delete the app and all of its data). It doesn’t help that the documentation is not very accurate. Compounding this is that the RSS requests come from multiple IPs at least some of which are behind proxy servers. Hopefully this is closed.

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘Malicious Probes?’ is closed to new replies.

Tags