Attack or Bad Link? Your Guess?
Reviewing my logs, I found this odd request:
GET /infocon.htmlppQ/detail/20130403164740572kode-til-boozt-10/basura-que-va-acumulando/_medium=twittersideIM&lang=en&brand=nokiaokseen-fortumin-joensuun-voimalaitokselle/)&utm_term=inspirationfeedistan%20Tehreek-e-Insaf)%e0%b9%89%e2%86%90_%c3%96k%e2%98%bc%e0%b9%84%e0%b8%a1%e0%b9%88%e0%b9%84%e0%b8%8a%e0%b9%88%e2%99%a5His%c3%b6%e2%86%94ll%e0%b8%95%e0%b9%88%e0%b8%81%e0%b9%89%c3%b6%e0%b8%a1%e0%b8%b1%e0%b9%88%e0%b8%a2%e0%b8%94%e0%b9%89%e0%b8%b2E%e2%86%90n%c3%96%e2%86%90m%c3%96neY%c2%ae%e2%97%84%e2%97%84--html26eu1=0&eu2=0&x=50&y=16&dataPartenzaDa=20121001&dataPartenzaA=20121010&orderBy=Prezzo HTTP/1.0" 302 154 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)" "2a03:2880:20:4ff7::"
It does look like a valid request from Facebook. "facebookexternalhit" is used by Facebook to screen links people post for malware. However, the link "doesn't make sense". Doesn't really look like an attack to me, just weird. Any ideas how this may happen?
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
Comments
Anonymous
Apr 7th 2014
1 decade ago
"brand=nokiaokseen" -- I believe it reads "Nokia Ok Seen" -- as in a Nokia device?
"orderBy=Prezzo" -- may refer to a UK-based pizza place: https://en-gb.facebook.com/loveprezzo
"%e0%b9%89%e2%86%90_%c3%96k%e2%98%bc%e0%b9%84%e0%b8%a1%e0%b9%88%e0%b9%84%e0%b8%8a%e0%b9%88%e2%99%a5His%c3%b6%e2%86%94ll%e0%b8%95%e0%b9%88%e0%b8%81%e0%b9%89%c3%b6%e0%b8%a1%e0%b8%b1%e0%b9%88%e0%b8%a2%e0%b8%94%e0%b9%89%e0%b8%b2E%e2%86%90n%c3%96%e2%86%90m%c3%96neY%c2%ae%e2%97%84%e2%97%84" -- equates to " ??_Ök????????Hisö?ll????ö???????E?nÖ?mÖneY®??" (via urldecode)
EDIT: The character encoding on my last point doesn't really hold up here on the forums, but essentially it's a bunch of fancy font symbols which might actually form words (but I can't read them) where the "?" marks are displayed.
Anonymous
Apr 8th 2014
1 decade ago
Anonymous
Apr 8th 2014
1 decade ago
2a03:2880::/32 belongs to Facebook.
Looks like advertisements on some Facebook account. Also, mention of Tehreek-e-Insaf is a pakistan political party.
looking at the GET request it is indeed suspicious but no flags that suggests attack or an anomaly.
Anonymous
Apr 9th 2014
1 decade ago