0

I've got some errors showing up in my site logs where some bots are trying to access URLs with strange GET params.

# normal url
example.com?foo=123456

# odd url triggering integer error by bots
example.com?foo=1234562121121121212.1

I've got the foo variable being passed into a query, which is using query parameters to expect an integer, so it fails when the decimal is passed in.

I'm getting a few of these a day, from a few different bots I don't recognise - these words are appearing in the user agent string:

EnergyPlus, InfoPath, iOpus, iebar, elertz

I've done a git grep of all the repos on the server for that number 2121121121212.1 and I can't find it.

As it seems to be multiple bots doing it, it seems like a strange bug in my code, or is it an obvious hacking attempt or some sort of probe to trigger a numeric overflow of some kind?

Pete
  • 293
  • 1
  • 5
  • 20
  • 1
    Do a Google search for "2121121121212.1", and you'll see this is extremely common. I don't know what the goal is, but I block bots that add this in the querystring. – Rick May 17 '18 at 12:19

1 Answers1

0

This is just the internet's wild west probing your system for vulnerabilities. The classic way to deal with this is to install fail2ban and configure it to monitor your error logs and ban IPs as appropriate.

user9517
  • 115,471
  • 20
  • 215
  • 297
  • But how is it probing, just looking to see what happens? it just seems like an odd number, why not just 1s, why not fully random? I can see your point, I was just hoping for a "ah yes, 2121121121212.1 that classic number means..." but I'm probably being too hopeful. fail2ban is a good call – Pete Mar 13 '17 at 10:43
  • I agree it's probably something probing... if anyone else can shed additional light on the crawler's choice of number I'd appriciate it, it seems too structured – Pete Mar 14 '17 at 09:40