3 Replies Latest reply on Mar 18, 2013 3:41 PM by Ashish Todon

    Strange GETs in logs

    Steve Sommers Level 4

      Ok. This is not ColdFusion related but it's a strange one and I'm hoping someone has seen this before. I have a site that hosts multi-thousands of customers per day securely logging in, doing their stuff, then logging out. I have one customer where my logs show some strange GET requests with every page they request while on our host. Something is requesting a "NULL" page with strange parameters that I have not found in our code anywhere. Here is a sample:

       

      https://www.mydomain.com:443/null?s0=&l=45&p=72&aoi=1360268999&s3=&s2=&s1=

      https://www.mydomain.com:443/null?s0=&l=45&p=72&aoi=1360268999&s3=&s2=&s1=&_=1363xxxxxxxx1 225

      https://www.mydomain.com:443/null?s3=&s2=&s1=&s0=&l=45&p=72&aoi=1360268999

      https://www.mydomain.com:443/null?s3=&s2=&s1=&s0=&l=45&p=72&aoi=1360268999&_=1363xxxxxxxx1 241

      https://www.mydomain.com:443/null?s3=&s2=&s1=&s0=&l=45&p=72

      https://www.mydomain.com:443/null?s3=&s2=&s1=&s0=&l=45&p=72&_=1363xxxxxxxx4710

      https://www.mydomain.com:443/null?p=72&aoi=1360268999&s3=&s2=&s1=&s0=&l=45&_=1363xxxxxxxx8 304

      https://www.mydomain.com:443/null?p=72&aoi=1360268999&s3=&s2=&s1=&s0=&l=45

      https://www.mydomain.com:443/null?s3=&s2=&s1=&s0=&l=45&p=72&aoi=1360268999

      https://www.mydomain.com:443/null?s3=&s2=&s1=&s0=&l=45&p=72&aoi=1360268999&_=1363xxxxxxxx0 695

       

      This has been happening for several weeks and like I said, only a single customer. My guess is something is making these as AJAX requests and possibly malware. Problems similar to this in the past I have been able to find references on the Internet referring to possible malware on the client PC. But this one I cannot find any reference to. Has anyone seen anything like this in your logs or does anyone have any ideas what could be generating these requests?

        • 1. Re: Strange GETs in logs
          Ashish Todon Level 1

          Hi,

          Few days back i find same issue it was js code which was creating problem. I was using Jquery datatable and it sent one extra null request every time. But not confident in your case because only for single user. Still Please check if your are using any type of plugin in your app. Which might be used by that user only.

          • 2. Re: Strange GETs in logs
            Steve Sommers Level 4

            Interesting. We do use jquery and jquery-ui. Maybe the customer simply needs to empty the browser cache?

            • 3. Re: Strange GETs in logs
              Ashish Todon Level 1

              no not really let me give you my situation and my fix.  I my case i was using jquery-ui 1.9.2 tabs which was doing sever side calls instead i was using it for client side feature only. It generally happens only onload.

               

              My fix

              $(".tabs").tabs({

                      "show": function (event, ui) {

                             var oTable = $('div.dataTables_scrollBody > table', ui.panel).dataTable();

                          if (oTable.length > 0) {

                              oTable.fnAdjustColumnSizing();

                              $(".tabs div.dataTables_scroll").css({

                                  "display": "none",

                                  "visibility": "visible"

                              }).show();

                          }

                      },

                      //I added this attribute for preventing tab's server side call

                      beforeLoad: function( event, ui ) {

                          ui.jqXHR.abort();

                      }

                  });

               

              This problem arise when i upgraded my jquery-UI to 1.9