
SANS ISC: Attack or Bad Link? Your Guess? SANS ISC InfoSec Forums

Attack or Bad Link? Your Guess?

Reviewing my logs, I found this odd request:

GET /infocon.htmlppQ/detail/20130403164740572kode-til-boozt-10/basura-que-va-acumulando/_medium=twittersideIM&lang=en&brand=nokiaokseen-fortumin-joensuun-voimalaitokselle/)&utm_term=inspirationfeedistan%20Tehreek-e-Insaf)%e0%b9%89%e2%86%90_%c3%96k%e2%98%bc%e0%b9%84%e0%b8%a1%e0%b9%88%e0%b9%84%e0%b8%8a%e0%b9%88%e2%99%a5His%c3%b6%e2%86%94ll%e0%b8%95%e0%b9%88%e0%b8%81%e0%b9%89%c3%b6%e0%b8%a1%e0%b8%b1%e0%b9%88%e0%b8%a2%e0%b8%94%e0%b9%89%e0%b8%b2E%e2%86%90n%c3%96%e2%86%90m%c3%96neY%c2%ae%e2%97%84%e2%97%84--html26eu1=0&eu2=0&x=50&y=16&dataPartenzaDa=20121001&dataPartenzaA=20121010&orderBy=Prezzo HTTP/1.0" 302 154 "-" "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)" "2a03:2880:20:4ff7::"

It does look like a valid request from Facebook. "facebookexternalhit" is used by Facebook to screen links people post for malware. However, the link "doesn't make sense". Doesn't really look like an attack to me, just weird. Any ideas how this may happen?

------

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Johannes

3698 Posts
ISC Handler
Just an observation from the GET statement: "basura-que-va-acumulando" is Spanish and means "garbage that is accumulating".
Anonymous
Some additional observations:

"brand=nokiaokseen" -- I believe it reads "Nokia Ok Seen" -- as in a Nokia device?

"orderBy=Prezzo" -- may refer to a UK-based pizza place: https://en-gb.facebook.com/loveprezzo

"%e0%b9%89%e2%86%90_%c3%96k%e2%98%bc%e0%b9%84%e0%b8%a1%e0%b9%88%e0%b9%84%e0%b8%8a%e0%b9%88%e2%99%a5His%c3%b6%e2%86%94ll%e0%b8%95%e0%b9%88%e0%b8%81%e0%b9%89%c3%b6%e0%b8%a1%e0%b8%b1%e0%b9%88%e0%b8%a2%e0%b8%94%e0%b9%89%e0%b8%b2E%e2%86%90n%c3%96%e2%86%90m%c3%96neY%c2%ae%e2%97%84%e2%97%84" -- equates to " ??_Ök????????Hisö?ll????ö???????E?nÖ?mÖneY®??" (via urldecode)

EDIT: The character encoding on my last point doesn't really hold up here on the forums, but essentially it's a bunch of fancy font symbols which might actually form words (but I can't read them) where the "?" marks are displayed.
Alex Stanford

136 Posts
The part "fortumin-joensuun-voimalaitokselle" is Finnish and could be a piece from an article or news item which has something to do with a new power plant being built in the city of Joensuu for a company named "Fortum". The actual translation is "..to Fortum's power plant in Joensuu..". Basically that is only part of a sentence and doesn't mean much by itself.
Paul

13 Posts
Indeed, it's strange...

2a03:2880::/32 belongs to Facebook.

Looks like advertisements on some Facebook account. Also, Tehreek-e-Insaf, which is mentioned, is a Pakistani political party.

Looking at the GET request, it is indeed suspicious, but there are no flags that suggest an attack or an anomaly.
makflwana

17 Posts
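The checks raised across this thread (the facebookexternalhit user agent from the original post, the 2a03:2880::/32 prefix from makflwana's reply, and the percent-decoding from Alex Stanford's) can be run mechanically over the quoted request. This is an added example, not code from the ISC post or its authors; the log field layout (request, status, size, referer, user agent, client IP) is assumed from the line as quoted, and the sample is a trimmed copy of it.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample: the request from the original post, shortened inside the
# percent-encoded run but keeping the same field layout.
SAMPLE_LOG = (
    'GET /infocon.htmlppQ/detail/20130403164740572kode-til-boozt-10/'
    'basura-que-va-acumulando/_medium=twittersideIM&lang=en&brand=nokiaokseen'
    '-fortumin-joensuun-voimalaitokselle/)&utm_term=inspirationfeedistan%20'
    'Tehreek-e-Insaf)%e0%b9%89%e2%86%90_%c3%96k%e2%98%bc--html26eu1=0&eu2=0'
    '&orderBy=Prezzo HTTP/1.0" 302 154 "-" '
    '"facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)" '
    '"2a03:2880:20:4ff7::"'
)
# Facebook's IPv6 allocation as cited in the thread. The UA string is client-supplied,
# so the source prefix is the check that carries weight.
FACEBOOK_V6 = ipaddress.ip_network("2a03:2880::/32")
# Field layout assumed from the quoted line: request, status, size, referer, UA, IP.
LOG_RE = re.compile(
    r'^(?P<method>\S+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
    r'(?:\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<ip>[^"]*)"$'
)

def parse_log_line(line):
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError("log line does not match the expected layout")
    return m.groupdict()

def decode_target(target):
    """Percent-decode the target and collect key=value fragments. The quoted request
    has no '?', so the 'parameters' are glued into the path; collect them anyway."""
    path, sep, query = target.partition("?")
    pairs = re.findall(r"([A-Za-z0-9_]+)=([^&/]*)", unquote(query if sep else path))
    return unquote(path), sep == "?", dict(pairs)

def assess(line):
    """Run the checks a defender would apply to a crawler-looking request."""
    rec = parse_log_line(line)
    path, has_query, params = decode_target(rec["target"])
    return {
        "claims_facebook_crawler": rec["ua"].startswith("facebookexternalhit/"),
        "ip_in_facebook_prefix": ipaddress.ip_address(rec["ip"]) in FACEBOOK_V6,
        "has_query_separator": has_query,
        "non_ascii_chars": sum(ord(c) > 127 for c in path),
        "params": params,
        "status": int(rec["status"]),
    }
```

Run on the sample, the source address does sit in Facebook's prefix, no "?" separates a query string, and the tracking keys are embedded in the path, which is what a concatenated or mangled link looks like rather than a crafted attack.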
