Today, I noticed a strange connection attempt to my server requesting for a long file name – that starts as ‘/YesThisIsAReallyLongRequestURLbutWeAreDoingItOnPurpose……………….’. Below is the snapshot from the Apache error log.
[Thu May 11 17:52:01 2017] [error] [client 22.214.171.124] (36)File name too long : access to /YesThisIsAReallyLongRequestURLbutWeAreDoingItOnPurposeWeAreScanningForResearchPurposePleaseHaveALookAtTheUserAgentTHXYesThisIsAReallyLongRequestURL butWeAreDoingItOnPurposeWeAreScanningForResearchPurposePleaseHaveALookAtTheUserA gentTHXYesThisIsAReallyLongRequestURLbutWeAreDoingItOnPurposeWeAreScanningForRes earchPurposePleaseHaveALookAtTheUserAgentTHXYesThisIsAReallyLongRequestURLbutWeA reDoingItOnPurposeWeAreScanningForResearchPurposePleaseHaveALookAtTheUserAgentTH XYesThisIsAReallyLongRequestURLbutWeAreDoingItOnPurposeWeAreScanningForResearchPurposePleaseHaveALookAtTheUserAgentTHXYesThisIsAReallyLongRequestURLbutWeAreDoin gItOnPurposeWeAreScanningForResearchPurposePleaseHaveALookAtTheUserAgentTHXYesThisIsAReallyLongRequestURLbutWeAreDoingItOnPurposeWeAreScanningForResearchPurpose PleaseHaveALookAtTheUserAgentTHXYesThisIsAReallyLongRequestURLbutWeAreDoingItOnPurposeWeAreScanningForResearchPurposePleaseHaveALookAtTheUserAgentTHXYesThisIsAR eallyLongRequestURLbutWeAreDoingItOnPurposeWeAreScann failed.
Understood? Here’s the version with space between the words:
Yes This Is A Really Long Request URL but We Are Doing It On Purpose. We Are Scanning For Research Purpose. Please Have A Look At The UserAgent. THX
As hinted in the above message, I looked into the Apache access_log.
126.96.36.199 HTTP/1.1" 403 1202 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.86 Safari/537.36 Scanning for research (researchscan.comsys.rwth-aachen.de)"
The above snapshot shows that the traffic was sent from researchscan.comsys.rwth-aachen.de – the website talks about a research project at RWTH Aachen University located at Germany. The quick lookup of IP address 188.8.131.52 reveals that the machine is located within the university’s network.
The research website explains why such connection attempts are made and why are they collecting such data. However, it was hard to understand the objective of the project. So if you notice such connection attempts to your web server, then this particular connection attempt seems to be harmless and you can be less bothered about it.