2

Someone is trying to access this link (and similar ones) frequently on my site:

http://example.com/upload/RS=%5EADAJVxZ5NB.GMTgFV3EMEJX3sN22Jw-

Note that my server doesn't have an upload folder inside of it, but it allows users to upload videos. So it is redirecting the attacker to a 404 page.

So what is the attacker trying to do? And what does seeing this link mean?

AakashM
My Name
    My guess: doorknob rattling. I frequently get requests for `something.dll` on my CentOS site. Something has a vulnerability that's triggered by that URL, and several attackers are spinning through IP address blocks looking for victims. I hope someone will come along to tell us what vulnerability is indicated by that URL. – Bob Brown Oct 18 '14 at 22:06

1 Answer

3

This is most likely a botnet trying the "doors" as Bob has suggested. From time to time, vulnerabilities appear in standard software that allow attackers access via supposedly innocuous entry points.

If you don't already have it installed, I would recommend something like fail2ban, which will automatically ban source IPs that make attempts to get to vulnerable ports/locations.

fail2ban can also be configured with manual checks to filter out new vulnerabilities and annoyances.

Julian Knight
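A custom fail2ban filter and jail for the probes described in the question, as an added example that is not part of the original answer. The filter name `nonexistent-upload`, the log path, the thresholds, and the assumption that the web server writes combined-format access logs with status 404 for these requests are all hypothetical.

```ini
# --- /etc/fail2ban/filter.d/nonexistent-upload.conf (hypothetical name) ---
# Matches requests under /upload/ that the server answered with 404.
# The question states the site has no /upload/ folder, so any hit on
# that prefix is a probe rather than a legitimate visitor.
# Assumes combined log format, e.g. (constructed sample line):
#   203.0.113.7 - - [18/Oct/2014:22:06:00 +0000] "GET /upload/RS=%5EADAJ HTTP/1.1" 404 162 "-" "-"
# If the server issues a redirect to its error page instead, the logged
# status will not be 404 and the pattern must be adjusted.
[Definition]

# fail2ban removes the matched timestamp before applying failregex,
# leaving "[]"; \[[^\]]*\] matches with or without the date present.
# The pattern is anchored on the request field so text in the referer
# or user-agent fields cannot trigger a match.
failregex = ^<HOST> \S+ \S+ \[[^\]]*\] "(?:GET|POST|HEAD) /upload/\S* HTTP/[\d.]+" 404\s

ignoreregex =

# --- /etc/fail2ban/jail.local ---
[nonexistent-upload]
enabled  = true
filter   = nonexistent-upload
port     = http,https
# Assumed path; point this at the access log your server actually writes.
logpath  = /var/log/nginx/access.log
# Ban after 5 matching requests from one address within 10 minutes.
maxretry = 5
findtime = 600
# Ban length in seconds (1 hour).
bantime  = 3600
```

Before enabling the jail, run `fail2ban-regex` with the access log and the filter file as arguments to confirm the pattern matches the probe lines and nothing else.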