Last Updated: 2012-08-13 18:17:10 UTC
by Rick Wanner (Version: 2)
Craig contacted the Storm Center inquiring about an interesting scan he has seen on his server for the last several days. The scan is at the same time everyday and only runs for a brief time, but it comes from random IPs and at a volume which almost cripples his web server for the duration of the scan.
Below are some sample logs:
126.96.36.199 - - [13/Aug/2012:06:12:53 -0500] "GET /usmle-step-2-ck%26sa%3DU%26ei%3DweAoUKXcGO7ciQLpqoHACQ%
188.8.131.52 - - [13/Aug/2012:06:12:53 -0500] "GET /usmle-step-1/step1%26sa%3DU%26ei%3DweAoUKXcGO7ciQLpqoHACQ%
184.108.40.206 - - [13/Aug/2012:06:12:55 -0500] "GET /comlex-level-1%26sa%3DU%26ei%
220.127.116.11 - - [13/Aug/2012:06:12:53 -0500] "GET /pharmacology/%26sa%3DU%26ei%
18.104.22.168 - - [13/Aug/2012:06:12:53 -0500] "GET /usmle-step-2-ck/coupons/2g35%
They all appear to be a potentially valid URL followed by an encoded string and all the requests appear to be looking for content related to US medical certification exams.
I haven't been able to find any further information on this scan. If any of you has seen this, or can provide any insight we would appreciate a heads up, either through our comments section or our contact page. I will summarize any information that comes in.
Update: Craig's site is a USMLE testing prep company. The URLs are valid for his site, it is the encoded bit after the URL that is of interest.
-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)