Odd web server requests that look like truncation and concatenation, possibly IE-related

Question

We're logging a few errors consistently that we don't know the cause of. The user agent string indicates this is almost always, if not always, Internet Explorer. (More than 90%, the remaining either have a bogus user agent string or none at all.) That seems too high to be merely coincidence. Here's an example:

2012-04-24 15:19:18,063 [ERROR] [SiteError] Message=Exception: Illegal characters in path.
Type = System.ArgumentException
Message = Illegal characters in path.
Data:
    Page URL = /combres.axication();'></span>        </div>                <form name=
    CallerIP = XXX
    Parameters = 
        CONTENT_LENGTH=0
        HTTPS=off
        LOCAL_ADDR=XXX
        PATH_INFO=/combres.axication();'></span>        </div>                <form name=
        PATH_TRANSLATED=C:\inetpub\site\combres.axication();'><\span>        <\div>                <form name=
        REMOTE_ADDR=XXX
        REMOTE_HOST=XXX
        REQUEST_METHOD=GET
        SCRIPT_NAME=/combres.axication();'></span>        </div>                <form name=
        SERVER_NAME=XXX
        SERVER_PORT=90
        SERVER_PORT_SECURE=0
        SERVER_SOFTWARE=Microsoft-IIS/7.5
        URL=/combres.axication();'></span>        </div>                <form name=
        HTTP_CACHE_CONTROL=max-age=259200
        HTTP_VIA=1.1 proxy1 (squid/3.0.STABLE19)
        HTTP_ACCEPT=*/*
        HTTP_ACCEPT_LANGUAGE=en-us
        HTTP_COOKIE=XXX
        HTTP_HOST=XXX
        HTTP_REFERER=http://www.site.com/
        HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2)
        HTTP_X_REAL_IP=XXX
        HTTP_X_FORWARDED_FOR=XXX
        HTTP_X_FORWARDED_PORT=80
        HTTP_X_FORWARDED_PROTO=http
Stack Trace:
   at System.IO.Path.CheckInvalidPathChars(String path)
   at System.IO.Path.GetExtension(String path)
   at WebApp.RequestRouterModule.context_BeginRequest(Object sender, EventArgs e) in e:\BuildAgent\work\862e5d1ddaa44908\WebApp\Modules\RequestRouterModule.cs:line 106
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Notice the requested URL. We use Combres, and the normal link is /combres.axd/. This request indicates that the page was truncated at "/combres.ax" and then concatenated with markup from elsewhere. This page request is a typical example, but not unique.

Does anyone know what's going on here?

Answer 1

I've seen other but similar requests in my IIS logfiles. I've noticed that most seem to be related to javascript code present on pages on the website. E.g. in your case, a page on your website most likely contains the javascript code combres.axication();. My only explanation for these weird requests is that they come from some kind of broken bot that has difficulty finding proper URL's.