3

While looking through the logs for my web server, for a web site I wrote, I've noticed a lot of queries are being made twice, first as I expect then followed again within a second with 'A=0 appended to each argument.

The A=0 is not part of any code I wrote for the web site, so it is being added by the remote browser and/or user.

Examples:

"GET /xxx.cgi?id=1160 HTTP/1.1"
"GET /xxx.cgi?id=1160'A=0 HTTP/1.1"

and

"GET /list.cgi?anon=true&list=abb HTTP/1.1"
"GET /list.cgi?anon=true'A=0&list=abb HTTP/1.1"
"GET /list.cgi?anon=true&list=abb'A=0 HTTP/1.1"

This happens frequently and regularly and from many different sources, so I don't think it's a hack attempt, but it does make me wonder what could be causing it.

Does anyone know why this is happening?

The browsers are logged as many variation of Mozilla and Chrome, and IPs are scattered around the world.

simpleuser
  • 135
  • 8
  • No comment on why they're duped, but I often add a=0 to queries when I'm dynamically adding parameters - that way I can always add '¶m=' without having to worry about whichever I dynamically add first needing a ? instead of &. – Numeron Oct 10 '16 at 00:45
  • Thanks for the suggestion; I clarified in the question that I wrote the web site code and it is definitely being added by the remote user/browser. – simpleuser Oct 10 '16 at 01:30

1 Answers1

6

There is a very good chance that this is a botnet looking for SQL injection. Even if the bot's goal isn't SQL injection, it will get a ton of SQL errors by adding 'A=0 to parameter names. The first attack string is shown below:

"GET /xxx.cgi?id=1160'A=0 HTTP/1.1"

If the ID parameter is used in a query, it will produce a syntax error:

select * from `table` where id = '1160'A=0'

The above query has unbalanced single quotes which may produce an error message. Adding A=0 will never be valid syntax because there will always be an odd number of single-quotes, and there is no comment terminator. This maybe by design, because it is a string that always errors.

rook
  • 47,238
  • 10
  • 96
  • 182
  • Ignoring the fact that the web site doesn't trust user input and so none of the attempts have any effect whatsoever including not causing any errors, it still seems strange to me that the attempts are coming from so many different IP addresses and so regularly but not consistently. I had at first considered sql injection, but now am wondering if there is some strange browser plugin doing it, etc. If it was an sql injection attempt, it's being made repeatedly against the most common urls, with no effect, so why keep trying? – simpleuser Oct 10 '16 at 02:43
  • To clarify: no system errors. "ID 1160'A=0 not found" is not considered an error to me, in this context. – simpleuser Oct 10 '16 at 02:46
  • @user9999999 looks like a botnet to me – rook Oct 10 '16 at 04:14
  • I don't know if i disagree...but why would they expend so many resources to keep trying the same dumb, non-working attempts that have failed over and over? – simpleuser Oct 10 '16 at 04:57
  • 1
    because their algorithm is not pretty / optimal / effective, and creates redundant results. In the end, with their technique, they will still be able to identify potential targets and leverage those results. If it is a malicious browser plugin that does it, the bad actors don't use any resource at all for each request, since the clients do it. In such a case I guess the plugin would report to the mothership when a relevant error message arises. Please note that it would not be very smart (basic algorithm) to retest the same URL's, because their technique is easily discovered (see your case) – niilzon Oct 10 '16 at 09:21