4

I am getting dozens of 404 errors on my site that are requests for GIFs with apparently random names, like 4273uaqa.gif and 5pwowlag.gif.

I see that most of them are coming from one user. I assume something is happening in the background on her machine without her knowledge -- a malware thing on the client.

Have you seen this behavior before, and do you know what sort of malware might cause it?

Would love to advise my customer that s/he has an issue. I'd also like to stop getting these 404 reports.

(reposted from main Stack Overflow)

Matt Sherman
  • An unscientific observation is that the client seems to be IE7 most often...and I wonder if the Facebook button that I've added to the site is contributing to the problem. – Matt Sherman Aug 29 '10 at 20:17
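
One way to confirm from the access log that these 404s cluster on a single client and browser, as the question describes (an added example, not part of the original posts; the Combined Log Format, the 8-character name pattern and the sample lines are assumptions):

```python
import re
from collections import Counter, defaultdict

# Combined Log Format (assumed): ip - - [time] "GET path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
# Heuristic from the two names in the question: 8 lowercase alphanumerics + ".gif".
# A legitimately missing 8-character image name would also match.
RANDOM_GIF_RE = re.compile(r'/([a-z0-9]{8})\.gif(?:\?.*)?$')

def triage(lines):
    """Group 404s for random-looking .gif names by client IP."""
    report = defaultdict(lambda: {"hits": 0, "names": set(), "agents": Counter()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "404":
            continue
        name = RANDOM_GIF_RE.search(m["path"])
        if not name:
            continue
        entry = report[m["ip"]]
        entry["hits"] += 1
        entry["names"].add(name.group(1) + ".gif")
        entry["agents"][m["ua"]] += 1
    return dict(report)

def top_clients(report, n=5):
    """Return (ip, hits) pairs, busiest client first."""
    return sorted(((ip, e["hits"]) for ip, e in report.items()),
                  key=lambda pair: -pair[1])[:n]

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
IE7 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
FF = "Mozilla/5.0 (Windows; U; Windows NT 6.1) Firefox/3.6"
def _line(ip, path, status, ua):
    return (f'{ip} - - [29/Aug/2010:20:01:11 +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "http://example.com/page" "{ua}"')
SAMPLE = [
    _line("192.0.2.10", "/4273uaqa.gif", 404, IE7),
    _line("192.0.2.10", "/5pwowlag.gif", 404, IE7),
    _line("192.0.2.10", "/4273uaqa.gif", 404, IE7),
    _line("198.51.100.7", "/5pwowlag.gif", 404, FF),
    _line("198.51.100.7", "/favicon.ico", 404, FF),      # ordinary 404, ignored
    _line("203.0.113.5", "/images/logo.gif", 200, FF),   # served fine, ignored
]

if __name__ == "__main__":
    report = triage(SAMPLE)
    for ip, hits in top_clients(report):
        print(ip, hits, sorted(report[ip]["names"]), report[ip]["agents"].most_common(1)[0][0])
```
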

2 Answers

5

It's new crimeware related to exploiting Facebook.

e.g.,

<script>
function fbs_click() {
    u=location.href;
    t=document.title;
    window.open('http://www.facebook.com/sharer.php?u='+encodeURIComponent(u)+'&t='+encodeURIComponent(t),'sharer','toolbar=0,status=0,width=626,height=436');
    return false;
}
</script>
<a href="http://www.facebook.com/share.php?u=<url>" onclick="return fbs_click()" target="_blank"><img src="http://b.static.ak.fbcdn.net/rsrc.php/zAB5S/hash/4273uaqa.gif" alt="" /></a>

They're looking for some Facebook images that are hashed names for stuff. If you look at that link it's the same namesake as a Facebook GIF. The crimeware is poorly written.

Edit: it may not all be crimeware, just cruddy browser plugins. At any rate, more of these file names are on Facebook dev sites. http://forum.developers.facebook.net/viewtopic.php?pid=254475

Jeff Atwood
Incognito
2

Google appears to be aware of a few similar complaints.

danlefree