Strange entry in access log containing /RS=

Question

I have recently launched a client’s site and for the last few days and with increasing frequency I am seeing strange entries into the access log.

[28/Feb/2014:06:26:53 +0800] "GET //RS=^ADAA6U_G38x_VuWqDIVQJpBbDUsUW0- HTTP/1.1" 302 630 "http://www.domain.com.au/" "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"]

and

[28/Feb/2014:06:26:54 +0800] "GET /RS=%5eADAA6U_G38x_VuWqDIVQJpBbDUsUW0- HTTP/1.1" 404 8291 "http://www.domain.com.au/" "Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36"

The domain.com.au part is the actual address of the website. I have changed it for this post.

I cannot figure out what this is trying to archieve as it’s simply setting another get variable, which would not archieve anything, unless I am wrong.

Do you think we should be concerned with these requests?
What are these requests trying to archieve?
Anything we can do to stop them?

what is your site about? If it's not too sensitive to be disclosed. Plus do you have any CMS or package installed on that site? — PatomaS, Feb 28 '14 at 06:29
@PatomaS The site is a little sensitive. The CMS system is customer built in house so should not be generating anything like this.
As extra information have seen some more connections with the following

RK=0/RS=N3luhChARYe3D3ZNSAkKO3L2gXE-

So it doesn't follow the other logs. — user3363066, Feb 28 '14 at 08:18
Is rs, rk or rc a parameter that your system accepts/uses? Did you have any Microsoft product before facing Internet before? — PatomaS, Feb 28 '14 at 08:21
@PatomaS No this is a Linux server that has never run anything MS related. As far as i can tell there is not anything that should be using those parameter, at least not from a web interface. — user3363066, Feb 28 '14 at 08:39
Then it should be fine. Still, try to block the access as recommended by Jhon — PatomaS, Feb 28 '14 at 09:36
These two requests look like they are part of the "same request/session". The first looks like a redirect (presumably as a result of a double slash correction) to the second, which issues a 404. — MrWhite, Feb 28 '14 at 12:13
I've been seeing the something similar in my Apache logs for a couple of weeks now. /RK=0/RS=T8qAjwF2cVL4LN2HFGhtWe4.lfI Generates 404s against my CMS. IPs are from all over the place. I added a regex to match against /RK=0/RS (since that is common to all the entries) in fail2ban and now drop the offending IP for a couple of days. Not sure what they're after, but tired of seeing them. — , Mar 09 '14 at 03:41
I've also had those queries, and we too run a Unix server: 69.26.184.235 - - [13/Mar/2014:15:48:29 +1100] "GET /hacker.txt/RS=^ADAfBLfrTkks8aqpoZYcZu_sC35r9c- HTTP/1.1" 404 244 They usually come after several (apparently) legitimate requests for pages that exist. I don't know what they mean, but tThe fact that apache returns a 404 is good enough for me. Our IDS has been set to reject them — , Mar 13 '14 at 06:52
Someone on xenForo reckons they've worked it out. I reckon just block them, it's bots and we don't need them. — webaware, May 13 '14 at 02:39

score 5 · Accepted Answer · answered Feb 28 '14 at 02:48

5

I couldn't find anything related to that request so if it is anything malicious it hasn't come to light yet. I also don't see how it could be used to harm your site.

Having said that, the bad guys seem to be one step ahead of us so if this request doesn't serve any useful purpose on your site I would try to block it. Even if only to keep your logs from being polluted.

I would say you should attempt to block them if possible. The two consistent parts of those request are /RS= and ADAA6U_G38x_VuWqDIVQJpBbDUsUW0 so they can be what you focus on to block them.

answered Feb 28 '14 at 02:48

John Conde

86,255
27
146
241

just a little opinion. I think they trying to attack a specific software that is taking a parameter for a regex. May be just testing the existence. The idea came because the %5e is the encoded version of '^'. Plus having a '-' at the end of the string, can make it just generate a range on the regex. Of course, not knowing the regex, we don't know if that is relevant or not. – PatomaS Feb 28 '14 at 06:27
1

Here it is another opinion. http://www.graphicline.co.za/articles/added-uri-string-rsada – cayerdis Apr 29 '14 at 15:07

score 3 · Answer 2 · edited Jun 16 '20 at 10:32

They come from web scrapers incorrectly using Yahoo! Search result. This discovery was made by @tenants at XenForo forum. They explain more of the implications of receiving these requests and how they handle them.

1. Do you think we should be concerned with these requests?

You don’t have to be concerned with these requests. They are just hallmarks of dumb bots and dumb bots wander all over the Internet. These requests are not to be identified as malicious just based on the URL, they are probably innocent.

2. What are these requests trying to archieve?

They’re trying to get the contents of the page they’re requesting. They have no special effect, they are (undesired) products of a Yahoo! Search scraping.

3. Anything we can do to stop them?

Not really, anyone is free to post whatever requests they like on the net. (At least technically. Social and legal aspects put aside.)

You can throw them away when generating reports from your logs. This is the option I chose.
Or you can try to fix the requests to succeed and not generate log entries. This is probably what most do from what I saw on the web. I see a flaw in this approach. While making their visitor’s experience better, they forget who those visitors are. Dumb bots. I don’t want dumb bots on my sites so I won’t bother to improve their experience.

If you want to fix the requests, you can do it using mod-rewrite, possibly called from .htaccess, e.g. using the code from the XenForo forum post I mentioned above:

RewriteEngine On
strange behaving bots, these are urls scraped from yahoo (botters scrapping for links, yahoo search link contain RK RS) tenants modification:
RewriteRule ^(.)RK=0/RS= /$1 [L,NC,R=301]
RewriteRule ^(.)RS=^ /$1 [L,NC,R=301]

You may have to fiddle with the regexes a bit, e.g. add an additional slash after the (.*) if your URLs don’t end with one.

original report of the nature or the requests @ XenForo forum
RewriteRule for .html/RK=0/RS=[random_string] @ Stack Overflow
.htaccess rewrite rule remove everything after RK=0/RS= @ Stack Overflow
IT Q: ” .. //RK=0/RS=foo- ” in URI @ The Blackboard (Rankexploits.com)
Web server logs containing RS=^ ? @ InfoSec Handlers Diary Blog (not very interesting)
Added URI String RS=^ADA @ Graphicline (not very interesting)

Kudos to @dman’s answer on Stack Overflow and @webaware’s comment under this question for finding the XenForo forum post.

Strange entry in access log containing /RS=

2 Answers2

1. Do you think we should be concerned with these requests?

2. What are these requests trying to archieve?

3. Anything we can do to stop them?

strange behaving bots, these are urls scraped from yahoo (botters scrapping for links, yahoo search link contain RK RS) tenants modification:

Related