Question: vulnerability or not?

XCanG:
I checked my logs today and saw that one person was trying, multiple times, to search for some strange requests. In the log I don't see what he tried to search for, but what is very strange is that the newline in the log is deleted... If I, for example, try to search for something, I see it as a normal line. I recall that some old builds of HFS have a vulnerability where some scripts may be sent to the page; maybe the user is trying to cause it? Or not? If not, why does this happen with the newline character?

Log:


bmartino1:
That looks like a JavaScript Google bot.

I would do a domain lookup on the IP to make sure.

I'm not aware of this bug, and this is the first I'm hearing of it.
Files I have snagged and shared can be found on my Google Drive:

https://drive.google.com/drive/folders/1qb4INX2pzsjmMT06YEIQk9Nv5jMu33tC?usp=sharing


XCanG:
The IP starting with 66 is a Google bot. Which IP do you mean? 121 or 66?

I have never seen this IP connect to my server before, and I can't look at the headers right now, so I don't know who that is.


XCanG:
Also, I may say that I restrict bots from using sorting, search, getting the list, etc. (because it is the same information and puts additional load on the server).
« Last Edit: November 27, 2016, 09:26:33 PM by XCanG »


bmartino1:
> The IP starting with 66 is a Google bot. Which IP do you mean? 121 or 66?
>
> I have never seen this IP connect to my server before, and I can't look at the headers right now, so I don't know who that is.

Originally I was talking about the 66.x.x.x address. I had to go through Google support, and it turned out to be a rogue bot on their end... Google bullshit...

https://support.google.com/webmasters/answer/182072?hl=en
https://support.google.com/websearch/answer/106318?hl=en


(I remember back in 2010 banning a large section of 66.x.x.x in HFS and iptabling them to drop in a DD-WRT router.)
After about a month of them being unable to gain access, it stopped coming around.

--* Yes, it's an IP range; blocking the one IP will only send the next address down, one IP up or one IP down.
The bot's job is to collect all data on the site it finds. Google is supposed to be doing that via DNS names, but they have a few searching IPs, thus it is a rogue bot on their end.

As for the 121: from what I saw in the log, I thought that was a normal someone who visited.
If it is a hacker, it's probably searching machine code to get in, or the fixed/patched Alt number key 255 (a blank character that is not a space but is displayed as a space). I find a lot of search scripts broken because they don't have a filter...

Just because you have a file for the bot/spider to read doesn't mean the spider/bot is using it...
There are hackers out there that run code to search for sites on their ISP, and your IP might have come up in their search.
*One of the ways to do the search is a bot scan: if the bot finds an HTTP site, or an ISP that is sending something open, the bot then runs code in JavaScript etc., etc. Usually in HFS it is seen as a random IP visiting the webpage.

A lot of factors, unanswered questions. I could dig deeper, but you scratched out the IP I would need to dig down in the Internet's records to get where it's really coming from.

My understanding of this post was that there might have been a bug or vulnerability. I'm not seeing it; if there is one, rejetto, mars, or another experienced user might have jumped in by now.

All I can do is recommend you start banning their IP, or doing more network-based security to block them.


XCanG:
Oh no, damn, why? I don't mean the Google bot, I know about it. Just ignore it. I mean that character in the search that I don't see; this looks more like a hacker, which is why I ask. A bot is just a bot, but when people come to my server I can see what they are searching for. This 121 IP is strange, and in every search request I see that; it looks like he tries to hack the server, but can't, and tries again. You see that this 121 IP does not go to any URL on the page (does not navigate), just searches in the root, which is why I say this is strange.

And stranger still, I may say that it is not a regular web browser. Every user who opens my server, including me, my friends, guys from the internet, connects like this:

Lines 2, 3, 4, 5, 6 are important! At least if a user uses something like NoScript, they will not download the JS file, but will still download the favicon.
And that is with every user, mobile or desktop, it doesn't matter. Exceptions: 1) the user already downloaded it and has it in cache, 2) a bot, and the bot is not set up for downloading external things like that, 3) a hacker, who may just get the page HTML, then generate a GET request with the search parameter and send it to the server.

So that is why I ask. Again, ignore the bot; just think about what may be wrong with this user.


bmartino1:
Could be using Chrome-based website coding stuff; it looks there in your search results that it only downloaded the header. I know of nmap, and other browsers such as Tor, that do this.

It could have easily been that. I'm not 100% sure which character you're referring to, but as I said, I would recommend banning the IP.

They could be getting an error code as well (that might not be defined in HFS):
https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#4xx_Client_Error

As for the machine code in the search, it could be seen as URL encoded:
http://www.rejetto.com/forum/programmers-corner/possible-unicode-workaround-to-hfs-2-xx/msg1059085/#msg1059085

Hoping a more experienced user will jump in; I'm at a loss right now.


XCanG:
Sorry, but I don't understand what you mean.

Who is getting these errors? Where did you get that, or how did you come to this conclusion? (I know about these errors, but don't get the point of mentioning them here.)

About the URL... You think control characters are being requested here? Such as NUL/BS/others?
...


bmartino1:
> Sorry, but I don't understand what you mean.
>
> Who is getting these errors? Where did you get that, or how did you come to this conclusion? (I know about these errors, but don't get the point of mentioning them here.)
>
> About the URL... You think control characters are being requested here? Such as NUL/BS/others?
> ...

HFS is not a perfect HTTP server; it could easily be a 420 error, or another, that is not documented by the program, but that's a client error, and unless the client is replying, I don't think it's relevant here.

In regards to the search, yes, I believe someone was trying to hack your site via a search query with a machine control character.
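The two points raised in this thread, a search term whose percent-encoded control characters (CR/LF, NUL, the "Alt 255" blank) never show up in the log, and the suggestion that such input is URL encoded, can be checked from the log itself. The following is an added example written for this thread, not code from HFS or from any poster; it assumes the search term arrives as a `search` query parameter, uses a constructed simplified "ip method url" log format rather than real HFS output, and treats the Alt+255 blank as U+00A0 (non-breaking space), which is what that key combination produces in Windows code pages:

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Constructed sample in a simplified "ip method url" style; not real HFS log output.
SAMPLE_LOG = """\
121.0.0.1 GET /?search=holiday%20photos
121.0.0.1 GET /?search=%0D%0Aphotos
121.0.0.1 GET /?search=%00%08report
121.0.0.1 GET /?search=a%A0b
66.0.0.1 GET /favicon.ico
"""

# Characters a person does not type into a search box: C0 controls (NUL..US),
# DEL, and U+00A0 non-breaking space (what Alt+255 produces on a Windows keyboard).
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f\u00a0]")
NAMED = {"\r": "\\r", "\n": "\\n", "\t": "\\t"}

def escape_for_log(text):
    """Render a decoded value on one line so a CR/LF inside it cannot split the log."""
    return CONTROL_RE.sub(
        lambda m: NAMED.get(m.group(), "\\x%02x" % ord(m.group())), text)

def decode_search(url):
    """Return the percent-decoded `search` parameter, or None when absent.
    Decoding works on raw bytes so %00 and %0A survive; input that is not
    valid UTF-8 (e.g. a lone %A0 from a legacy code page) falls back to Latin-1."""
    for part in urlsplit(url).query.split("&"):
        key, _, value = part.partition("=")
        if key == "search":
            raw = unquote_to_bytes(value)
            try:
                return raw.decode("utf-8")
            except UnicodeDecodeError:
                return raw.decode("latin-1")
    return None

def audit(log_text):
    """List (ip, escaped_term, code_points) for every search carrying control chars."""
    findings = []
    for line in log_text.splitlines():
        ip, _method, url = line.split(" ", 2)
        term = decode_search(url)
        if term is None:
            continue
        hits = sorted({"U+%04X" % ord(c) for c in CONTROL_RE.findall(term)})
        if hits:
            findings.append((ip, escape_for_log(term), hits))
    return findings
```

Running `audit(SAMPLE_LOG)` flags three of the four search requests and keeps each decoded term on a single line, which is the rendering a logger should use so that a CR/LF in the query cannot break the entry the way the first post describes.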


LeoNeeson:
@XCanG: I suggest waiting for an answer from rejetto. :)
HFS in Spanish (HFS en Español) / How to compile HFS (Tutorial)
» Currently taking a break, until HFS v2.4 gets its stable version.