I've been seeing some odd traffic in the logs for a web-application (Apache) that I'm wondering about, and I'm hoping that someone here has seen this before.
The raw requests were variations of:
http://[site]/Ajax/Basket/Add/e7199c8c-91a0-11e3-9f97-001c42f03a04/function%20()%20%7B%20%20%20%20var%20what,%20a%20=%20arguments,%20L%20=%20a.length,%20ax;%20%20%20%20while%20(L%20&&%20this.length)%20%7B%20%20%20%20%20%20%20%20what%20=%20a%5B--L%5D;%20%20%20%20%20%20%20%20while%20((ax%20=%20this.indexOf(what))%20!==%20-1)%20%7B%20%20%20%20%20%20%20%20%20%20%20%20this.splice(ax,%201);%20%20%20%20%20%20%20%20%7D%20%20%20%20%7D%20%20%20%20return%20this;%7D
which decodes to what looks like a JavaScript function to glom onto all of the data returned:
function() { var what, a = arguments, L = a.length, ax; while (L && this.length) { what = a[--L]; while ((ax = this.indexOf(what)) !== -1) { this.splice(ax, 1); } } return this; }
I've tracked down the IP-addresses for several of them, and they are originating from a few different sources:
- 107.223.168.139 (AT&T Internet Services);
- Various 10...* (internal corporate network);
- One external IP for the corporate network;
- A client network;
- 199.91.135.140 (Bluecoat Systems, Inc.); and
- 98.30.221.237 (Road Runner)
This feels like it could be the start of an exploit-attempt, though I'm not sure what useful information would be gleaned, since the response is nothing more than a JSON-structure error-details packet:
{ "Details":"Traceback (most recent call last):\n File \"/var/www/[application]-client/index.py\", line ####, in _AjaxResponder\n '%s could be found' % ( resourceId ) )\nRuntimeError: No resource with an id of function () { var what, a = arguments, L = a.length, ax; while (L && this.length) { what = a[--L]; while ((ax = this.indexOf(what)) !== -1) { this.splice(ax, 1); } } return this;} could be found\n", "Error":"RuntimeError:No resource with an id of function () { var what, a = arguments, L = a.length, ax; while (L && this.length) { what = a[--L]; while ((ax = this.indexOf(what)) !== -1) { this.splice(ax, 1); } } return this;} could be found" }
I don't see any significant risks at this point, but found myself wondering if anyone else has encountered this, or sees anything to be concerned with?