[Dshield] Odd GET request: clickthru abuse or something else?

TRushing at hollandco.com
Wed Feb 7 22:13:14 GMT 2007


I noticed an odd GET request on a webserver I manage where the normal link 
would end in .html without any parameters and there is no way to get there 
via a POST or a GET request.  The request is below, with some obfuscation 
on the URL requested and IG variable, which was a more random looking 
hexadecimal string of the same length:

209.167.50.27 www - - [07/Feb/2007:14:23:48 -0600] "GET /obfuscated/path/non_index.html?DI=293&IG=deadbeef1234567890abcdefdeadbeef&POS=4&CM=WPU&CE=4&CS=AWP&SR=4 HTTP/1.1" 200 65972 "www.brandimensions.com" "BDFetch"

BranDimensions would seem to be a service that watches online news and 
blogs to gauge "buzz" for their clients.  (The website in question would 
not qualify as a blog or a news site.)  In looking back at old logs, I see 
an identical hit from the same IP in mid-December where the only 
difference is the content of the IG variable.

I'm wondering exactly what the point of the HTTP parameter string is? 
Doing a Google search on ( "CS=AWP" "CM=WPU" ) shows a number of very 
similar URLs.  Some are in log files but none I examined show the BDFetch 
www.brandimensions.com references. 

Many show DI=293 and POS, CE and SR all equal to the same single-digit 
number.  There are enough Google hits to pages that display the same 
whether the parameters are there or not that Google is clearly scraping 
these hits from somewhere, so somebody has either set up a page with 
clickable links in this form or Google is getting them from clickable 
online web logs.

http://www.google.com/search?q=%22CS%3DAWP%22+%22CM%3DWPU%22+&btnG=Search

My thought is that there is some JavaScript based ad display system that 
will use these values to steal any clickthru revenue, but that's a WAG, 
with emphasis on the W and A. 

Anyone have any clue what script/system this collection of html parameters 
might belong to and any idea why a marketing "buzz" bot would be using 
them when no collection of similar parameters has ever been used by the 
site in question?  Is there some exploit that could be triggered by 
selective use of these parameters?

Tim Rushing
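As an added example, not part of Tim's post or of any DShield tooling, here is the kind of log check a practitioner would run to answer the first half of the question ("which requests carry a query string on a page that should never take one, and do they repeat?"). It parses access-log lines in the layout shown above, flags requests whose path ends in .html but carries parameters, and groups the hits by parameter-name set and User-Agent so that repeat visits differing only in a value (as the IG variable does here) fall into the same bucket. The log lines are constructed: the first reproduces the request from the post with a placeholder IG value, the others are made up to show what is and is not flagged. It does not attempt to interpret what DI, IG, POS, CM, CE, CS or SR mean; the post leaves that open.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Matches the access-log layout shown in the post: client IP, a second
# token ("www" in the post), ident, user, timestamp, request line, status,
# bytes, referrer and user agent. The referrer is accepted with or without
# a scheme, since the post's line has none.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<site>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log. Line 1 is the request from the post (obfuscated
# path kept, IG replaced by a placeholder); lines 2-4 are invented controls:
# the same page with no parameters, a CGI that legitimately takes a query,
# and a static page with an unrelated tracking parameter.
SAMPLE_LOG = """\
209.167.50.27 www - - [07/Feb/2007:14:23:48 -0600] "GET /obfuscated/path/non_index.html?DI=293&IG=deadbeef1234567890abcdefdeadbeef&POS=4&CM=WPU&CE=4&CS=AWP&SR=4 HTTP/1.1" 200 65972 "www.brandimensions.com" "BDFetch"
192.0.2.10 www - - [07/Feb/2007:14:25:01 -0600] "GET /obfuscated/path/non_index.html HTTP/1.1" 200 65972 "-" "Mozilla/5.0"
192.0.2.11 www - - [07/Feb/2007:14:26:12 -0600] "GET /search.cgi?q=test HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.5 www - - [07/Feb/2007:14:27:40 -0600] "GET /index.html?utm_source=newsletter HTTP/1.1" 200 5000 "http://example.org/" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one log line into a dict; returns None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # keep_blank_values so that a bare "?X=" still shows up as a parameter
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def find_unexpected_params(log_text, static_suffixes=(".html", ".htm")):
    """Return parsed records for requests that carry a query string on a
    path that should never take one (static .html files). CGI or script
    paths are left alone because a query string is expected there."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].endswith(static_suffixes) and rec["params"]:
            hits.append(rec)
    return hits


def group_by_signature(hits):
    """Group hits by (sorted parameter names, user agent). Two visits that
    differ only in a parameter value, as the post describes for IG, land in
    the same bucket, which is what you want when checking for repeats."""
    groups = defaultdict(list)
    for rec in hits:
        key = (tuple(sorted(rec["params"])), rec["agent"])
        groups[key].append((rec["ip"], rec["ts"], rec["referrer"]))
    return dict(groups)


if __name__ == "__main__":
    for (names, agent), visits in group_by_signature(
            find_unexpected_params(SAMPLE_LOG)).items():
        print(f"{agent!r} params={'&'.join(names)} visits={len(visits)}")
        for ip, ts, ref in visits:
            print(f"    {ip} [{ts}] referrer={ref!r}")
```

Run against a real log, the bucket keyed on the seven parameter names plus "BDFetch" is the one to watch; a second entry in it from the same IP with a different IG value is exactly the mid-December repeat Tim describes. The /search.cgi line is deliberately not flagged, since the check is "parameters where none belong", not "any parameters at all".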

