TL;DR: seeing a website attack that's new to us, wondering if it is a known thing, or if it's directed at some framework that we're not using. The attack is against a site's index.php script and feeds it a trailing path (PATH_INFO) that uses components like "auth" or "clipboard" that I guess are targeted at some framework.

We have a multi-store ecommerce website, custom code mostly in PHP. Among its valid URLs are things like

https://www.example.com/directory/Jewelry/Gold/Retro

https://www.example.com/directory/Jewelry/Gold/Retro?&start=108&l=18&view=pict

for a directory of items by category

https://www.example.com/stores/foo/catalog/

https://www.example.com/stores/foo/catalog/&start=198&l=18&view=list

for an individual store

https://www.example.com/stores/foo/items/12345/Item-SEO-Slug-Goes-Here

for individual items.

Over the past few days, we've seen a flood of thousands of invalid requests from random IP addresses for URLs like

https://www.example.com/index.php/XXXXX/Art/directory/Antiques/Regional/directory/Jewelry/directory/Jewelry/directory/Art/directory/

https://www.example.com/index.php/XXXXX/Artists/directory/directory/directory/Vintage-Arts/stores/foo/items/12345/directory/directory/Modern/Textiles

where XXXXX is one of

  • actor
  • auth
  • clipboard
  • directory
  • function
  • misc
  • pages
  • repository
  • shop
  • user

Most of these tokens do not appear in any of our URLs. (Unless they show up coincidentally in an item's SEO slug.) The exception is "directory".

The attacking bot seems to be trying for an index.php script that knows this set of verbs (which is not us), and is then adding a random bunch of valid URL fragments from our site. Though it is not using any query string or item slugs, so it is on some level "understanding" our URLs.

I'm wondering if there is some framework that uses "directory" as a top level verb, and seeing "directory" in our URLs is what got us targeted, thinking that we're using it.

It happens that our main index.php is not a general purpose router, but just loads either a desktop or mobile home page. So this was only a bit of DDoS load, which we've been able to solve by checking $_SERVER['PATH_INFO'] (which is always empty for valid requests, in our case) and immediately dropping the request rather than doing any further work.

So we've solved the issue for the moment, but I was wondering if anyone can identify this.
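The early-drop described in the question, as an added example (not the poster's code): an index.php prologue that rejects any request carrying a trailing path before the page does further work, and logs which of the observed first-segment tokens it saw. It assumes PATH_INFO is populated by the server (Apache with AcceptPathInfo, or nginx with fastcgi_split_path_info); because that is not universal, REQUEST_URI is used as a fallback.

```php
<?php
// Added example, not code from the original post. Valid index.php requests on
// the poster's site never carry PATH_INFO, so any trailing path is treated as
// scanner noise and dropped before the desktop/mobile home page logic runs.

// First-segment tokens listed in the question.
const SCANNER_TOKENS = ['actor', 'auth', 'clipboard', 'directory', 'function',
                        'misc', 'pages', 'repository', 'shop', 'user'];

/**
 * Return the trailing path after index.php, or '' if there is none.
 * PATH_INFO is preferred; REQUEST_URI is a fallback for server setups that
 * do not populate PATH_INFO (assumption: path looks like /index.php/...).
 */
function trailingPath(array $server): string
{
    if (($server['PATH_INFO'] ?? '') !== '') {
        return $server['PATH_INFO'];
    }
    $path = parse_url($server['REQUEST_URI'] ?? '', PHP_URL_PATH) ?: '';
    return preg_match('#/index\.php(/.+)$#', $path, $m) ? $m[1] : '';
}

/**
 * First segment of the trailing path if it is one of the observed tokens,
 * otherwise null. Used only for logging, not for the drop decision.
 */
function scannerToken(string $trailing): ?string
{
    $first = strtok(ltrim($trailing, '/'), '/');
    return ($first !== false && in_array($first, SCANNER_TOKENS, true)) ? $first : null;
}

$trailing = trailingPath($_SERVER);
if ($trailing !== '') {
    // Log the token so the volume per token can be tracked over time.
    error_log(sprintf('dropped index.php trailing-path request token=%s ip=%s',
        scannerToken($trailing) ?? 'other', $_SERVER['REMOTE_ADDR'] ?? '-'));
    http_response_code(404);
    exit; // no database, session or template work for scanner traffic
}
// ... normal desktop/mobile home page selection continues here
```

The drop decision is "any trailing path at all", matching the poster's rule; the token list only enriches the log line so a new variant shows up as token=other.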

  • How will identifying the scanner or the potential PHP framework that might respond to these requests help you? Commented Jul 4 at 14:45
  • 1
    What is even the problem you’re trying to solve? If this is meant to be a DDoS attack, then it doesn’t sound particularly impressive, because (1) it uses invalid URLs, (2) you can easily reject the requests (you could do this even before they reach the PHP interpreter) and (3) the load seems fairly light. Or are you worried about some other kind of attack? Commented Jul 4 at 16:21
  • In general, it’s perfectly normal for a public webserver to get lots of bot traffic. Some bots simply fingerprint services, some perform mass scans for known vulnerabilities, some try fuzzing etc. Unless there’s an actual problem, it makes little sense to chase after those requests. Let’s say somebody told you this is the well-known tool foo doing the task bar. Or maybe it’s a custom script some random person wrote. Then what? Commented Jul 4 at 16:21
  • "How will identifying the scanner or the potential PHP framework that might respond to these requests help you?" 1. It will help me explain what I do to the boss! 😀 2. It's valuable to know if this is targeted at us, or random doorknob-rattling. 3. Raw curiosity. This is a new thing I have not seen before in decades of keeping websites running against floods of bot traffic. It has activated the "I wonder what's up with that" circuit in my brain. 4. This is a solved problem for now, but anything I learn about it might be useful against variants in the future. Commented Jul 4 at 18:32
  • Just a note that "verbs" is usually about the method of the request (it has nothing to do with the URL itself). Seems like they're trying to learn/test your routing and/or folder structure. What is "directory" used for? Does that imply a non-routed path to static file(s)? Commented Jul 8 at 17:13
