Strange GETs in logs
Ok. This is not ColdFusion related but it's a strange one and I'm hoping someone has seen this before. I have a site that hosts multi-thousands of customers per day securely logging in, doing their stuff, then logging out. I have one customer where my logs show some strange GET requests with every page they request while on our host. Something is requesting a "NULL" page with strange parameters that I have not found in our code anywhere. Here is a sample:
https://www.mydomain.com:443/null?s0=&l=45&p=72&aoi=1360268999&s3=&s2=&s1=
https://www.mydomain.com:443/null?s0=&l=45&p=72&aoi=1360268999&s3=&s2=&s1=&_=1363xxxxxxxx1225
https://www.mydomain.com:443/null?s3=&s2=&s1=&s0=&l=45&p=72&aoi=1360268999
https://www.mydomain.com:443/null?s3=&s2=&s1=&s0=&l=45&p=72&aoi=1360268999&_=1363xxxxxxxx1241
https://www.mydomain.com:443/null?s3=&s2=&s1=&s0=&l=45&p=72
https://www.mydomain.com:443/null?s3=&s2=&s1=&s0=&l=45&p=72&_=1363xxxxxxxx4710
https://www.mydomain.com:443/null?p=72&aoi=1360268999&s3=&s2=&s1=&s0=&l=45&_=1363xxxxxxxx8304
https://www.mydomain.com:443/null?p=72&aoi=1360268999&s3=&s2=&s1=&s0=&l=45
https://www.mydomain.com:443/null?s3=&s2=&s1=&s0=&l=45&p=72&aoi=1360268999
https://www.mydomain.com:443/null?s3=&s2=&s1=&s0=&l=45&p=72&aoi=1360268999&_=1363xxxxxxxx0695
This has been happening for several weeks and, like I said, only for a single customer. My guess is that something is making these as AJAX requests, and possibly malware. For problems similar to this in the past, I have been able to find references on the Internet referring to possible malware on the client PC. But for this one I cannot find any reference. Has anyone seen anything like this in your logs, or does anyone have any ideas what could be generating these requests?
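A triage sketch for the sample above, added here as an example and not part of the original post: it normalizes parameter order and sets aside the trailing `_=<digits>` parameter, so the ten lines can be compared by shape. Treating `_` as a cache-busting timestamp of the kind AJAX libraries such as jQuery append is an assumption, and the function names are hypothetical.

```python
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# The ten sample URLs from the post, copied as posted (masked digits included).
BASE = "https://www.mydomain.com:443/null?"
SAMPLE_URLS = [BASE + q for q in """
s0=&l=45&p=72&aoi=1360268999&s3=&s2=&s1=
s0=&l=45&p=72&aoi=1360268999&s3=&s2=&s1=&_=1363xxxxxxxx1225
s3=&s2=&s1=&s0=&l=45&p=72&aoi=1360268999
s3=&s2=&s1=&s0=&l=45&p=72&aoi=1360268999&_=1363xxxxxxxx1241
s3=&s2=&s1=&s0=&l=45&p=72
s3=&s2=&s1=&s0=&l=45&p=72&_=1363xxxxxxxx4710
p=72&aoi=1360268999&s3=&s2=&s1=&s0=&l=45&_=1363xxxxxxxx8304
p=72&aoi=1360268999&s3=&s2=&s1=&s0=&l=45
s3=&s2=&s1=&s0=&l=45&p=72&aoi=1360268999
s3=&s2=&s1=&s0=&l=45&p=72&aoi=1360268999&_=1363xxxxxxxx0695
""".split()]

CACHE_BUSTER = "_"  # assumption: "_=<digits>" is a cache-busting timestamp


def fingerprint(url):
    """Return (path, order-independent parameters, has_cache_buster)."""
    parts = urlsplit(url)
    # keep_blank_values keeps the empty s0..s3 parameters in the shape
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    stable = tuple(sorted(p for p in pairs if p[0] != CACHE_BUSTER))
    return parts.path, stable, any(k == CACHE_BUSTER for k, _ in pairs)


def summarize(urls, path="/null"):
    """Count distinct request shapes for `path` and how many carry a cache-buster."""
    shapes, busted = Counter(), 0
    for url in urls:
        req_path, stable, has_cb = fingerprint(url)
        if req_path.lower() != path:
            continue
        shapes[stable] += 1
        busted += has_cb
    return shapes, busted


if __name__ == "__main__":
    shapes, busted = summarize(SAMPLE_URLS)
    print(f"{len(set(SAMPLE_URLS))} raw URLs -> {len(shapes)} shapes, {busted} cache-busted")
    for stable, count in shapes.most_common():
        print(count, dict(stable))
```

Run over full access-log lines, the same fingerprint can be grouped by client address, user agent and referer to see which page view each `/null` request follows.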
