Anyone seen these before? Not sure if this is related to Google Analytics or UserFly running on our site or indicative of automated attacks from user machines.
The requests come from users with all user-agent strings, and from users who make legitimate requests and from trusted users. I've matched the string in a mod_rewrite rule to return "forbidden" but I would like to know where these are coming from. They come in waves, nothing for a week or more, then many, many requests in one day.
The requests are for many random pages on the site and then have this odd query string appended, which varies but always looks something like:
"GET /&data=%7C%23ujnftubnq%23%3B2392714553497-%23fwfout%23%3B%5C%5E-%23efubjmt%23%3B%5C%5E-%23ujnft%23%3B%5C%5E~ HTTP/1.1"
This is (at this point) somewhat of an educated speculation (er, Scientific Wild @SS Guess), but here goes:
Something's looking for or targeting PDFs.
Here is the URL Decoded query string from your example above:
Googling around for "fwfout", "efubjmt" or "ujnft", the only results that came back were PDFs.
It's hard to say if that "something" is malicious or not without knowing more about your environment. It could be something trying to search within PDF content on your site. It could be something trying to find something to exploit, given the recent Acrobat vulnerabilities.
I also agree about pipe suspicion, that character always makes me twitch unless I type it in myself.
What kind of things do you have on your server?
For #ujnftubnq# #efubjmt# Google returned me some Chinese things about resource reservation on some routers. No idea if it's relevant or not :> Just a notice.
This sounds a bit like it could be a botnet attempting to contact you for command & control, especially with the waves. Either that or infection attempts from a botnet. If you know one of the clients well enough, it'd be nice to try to gather more info from one of the sources of the URL. Packet dumps to see if it's contacting other sites, plus just a check to see what process is doing the contacting.
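
An added example, not part of any post in this thread: a triage step for the request in the question that percent-decodes the `data=` value and then tries small per-character shifts to see whether any of them parses as JSON. The function names and the shift range of ±5 are choices made for this example.

```python
import json
from urllib.parse import unquote

# Request path copied from the log line in the question on this page.
SAMPLE = ("/&data=%7C%23ujnftubnq%23%3B2392714553497-%23fwfout%23%3B%5C%5E-"
          "%23efubjmt%23%3B%5C%5E-%23ujnft%23%3B%5C%5E~")


def url_decoded_data(path):
    """Return the percent-decoded value that follows 'data=' in the path."""
    _, _, raw = path.partition("data=")
    return unquote(raw)


def shift(text, delta):
    """Add delta to every character code; None if any result leaves printable ASCII."""
    out = []
    for ch in text:
        code = ord(ch) + delta
        if not 0x20 <= code <= 0x7E:
            return None
        out.append(chr(code))
    return "".join(out)


def find_json_shift(text, max_shift=5):
    """Return (delta, parsed) for the first small shift that yields a JSON object."""
    for delta in range(-max_shift, max_shift + 1):
        candidate = shift(text, delta)
        if candidate is None:
            continue
        try:
            parsed = json.loads(candidate)
        except ValueError:
            continue
        if isinstance(parsed, dict):
            return delta, parsed
    return None


if __name__ == "__main__":
    decoded = url_decoded_data(SAMPLE)
    print("URL-decoded:", decoded)
    print("Shift result:", find_json_shift(decoded))
```

On the sample request, a shift of -1 on every character yields a JSON object with the keys `timestamp`, `events`, `details` and `times`.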