BTW after the host portion of the URL everything is bogus. They are trying
variations on the URL, all bogus and only some with the encoding error. Most
are just generating 404 errors but when one caused a 400 error, which is very
rare for my site, that got my attention. There is not even a valid URL with
"accounting-service" spelled correctly in it.
Darryl Baker, GSEC, GCLD (he/him/his)
Sr. System Administrator
Distributed Application Platform Services
Northwestern University
4th Floor
2020 Ridge Avenue
Evanston, IL 60208-0801
darryl.ba...@northwestern.edu
(847) 467-6674 <tel:+18474676674>
On 11/1/22, 12:25 PM, "Eric Covener" <cove...@gmail.com> wrote:
On Tue, Nov 1, 2022 at 10:26 AM Darryl Philip Baker
<darryl.ba...@northwestern.edu> wrote:
>
> We are getting a poorly formed URL being requested from our servers.
Apache is returning a 400 error but I am wondering if someone is try to exploit
an issue with some version of some web server out there. Maybe a Dos attack or
worse. Anyone have a clue what is being attempted?
>
>
>
> Sketchy URL:
https://www.northwestern.edu/accounting-scrvices/Annual%252ORepothtm
It's just an encoded space, %20, that was accidentally encoded again
%25="%".
Could even be your own rewrites. The flags around escaping stuff are a
little confusing.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
