我们一直在日志报告中看到很多奇怪的编码字符,这些字符主要来自俄罗斯。难道这只是一种以恶意为目的向我们的网站发送垃圾邮件的僵尸程序或爬虫程序吗?
我尝试过使用google,但是并没有太大帮助。有没有人遇到过类似的事情?
"SearchWithinKWs": [
"2525252525252525252525d02525252525252525252525962525252525252525252525d02525252525252525252525b82525252525252525252525d02525252525252525252525b42525252525252525252525d02525252525252525252525ba2525252525252525252525d02525252525252525252525be2525252525252525252525d02525252525252525252525b5252525252525252525252b2525252525252525252525d02525252525252525252525bc2525252525252525252525d125252525252525252525258b2525252525252525252525d02525252525252525252525bb2525252525252525252525d02525252525252525252525be"
]
答案 0 :(得分:2)
25是%的ascii值,所以我最初的猜测是这些机器人是自动机器人,它们基于发送大量%%%%%%%%<char>请求to attempt to expose encoding / escaping errors来触发错误-要么在前端或后端。
但是重复使用%25也可能意味着已记录的字符串只是通过许多服务进行传递,这些服务都各自进行转义,然后被丢弃到行的某个位置。
由于(几乎)每个字符都包含相同数量的转义符:
2525252525252525252525d0
252525252525252525252596
2525252525252525252525d0
2525252525252525252525b8
2525252525252525252525d0
2525252525252525252525b4
2525252525252525252525d0
2525252525252525252525ba
2525252525252525252525d0
2525252525252525252525be
2525252525252525252525d0
2525252525252525252525b5
252525252525252525252b
2525252525252525252525d0
2525252525252525252525bc
2525252525252525252525d1
25252525252525252525258b
2525252525252525252525d0
2525252525252525252525bb
2525252525252525252525d0
2525252525252525252525be
2525252525252525252525bb
2525252525252525252525d0
引人注目的单个值为0x2b,代表'+'-进而用于转义空格。
如果我们忽略所有的25值(可能是%的多层编码并丢失了),则最终得到的内容似乎类似于UTF-8字符(重复d0是一个很好的选择)提示)。我们可以将字节解码为python中的UTF-8,看看是否有任何有用的东西:
>>> b"\xd0\x96\xd0\xb8\xd0\xb4\xd0\xba\xd0\xbe\xd0\xb5 \xd0\xbc\xd1\x8b\xd0\xbb\xd0\xbe\xd0\xbb".decode("utf-8")
'Жидкое мылол'
由于我对俄语一无所知,所以我used Google Translate至少暗示了它的可能。 Google翻译告诉我,这是对Liquid Soap的查询。洗涤剂?
这是否是恶意的将取决于上下文以及所有这些%编码在哪里分解。