MSIE9 requesting */scanImageUrl and */[object]

Forum Moderators: phranque

Message Too Old, No Replies

MSIE9 requesting /scanImageUrl and /[object]

Seeing internet explorer 9 request strange invalid urls on my websites

tomashastings

7:29 am on Apr 2, 2013 (gmt 0)

Over the last couple of weeks I've been seeing requests to /[object] and /scanImageUrl in my websites root and subdirectories.

I suspect the requests to /[object] and /subdir/[object] are because of a javascript, because with those requests the HTTP_ACCEPT header is set to: application/javascript, */*;q=0.8

The requests to /scanImageUrl have HTTP_ACCEPT set to: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5

I can't for the life of me figure out why browsers are sending these requests, I've been using the same website + javascripts for almost a year now and requests like these started popping up a couple of weeks ago.

Is anyone else seeing stuff like this?

Edit: I forgot to mention that _all_ of the requests containing [object] are from MSIE9, the requests containing scanImageUrl are from different browsers.

phranque

11:36 am on Apr 2, 2013 (gmt 0)

welcome to WebmasterWorld, tomashastings!

have you checked the IP addresses from which these requests are originating to see if they might be known spambots or vulnerability probes.

tomashastings

11:46 am on Apr 2, 2013 (gmt 0)

Yes I checked, the requests seem to be coming from legitimate users. At least 5 of them are IP addresses of users that have ordered from my webshop in the past.

mydogbart

1:45 pm on Apr 2, 2013 (gmt 0)

I'm seeing this on an eComm asp.net site. My guess is a browser plugin gone haywire.

"scanImageUrl" is a JS variable used in the McAfee/HackerSafe logo/trustmark display, but we don't use that. One of the many broeser security plugins?

ttomsen

6:12 pm on Apr 2, 2013 (gmt 0)

we too have been observing this issue.

It's all from IE9 and only in compatibility mode, denoted by the Trident attribute of the user agent string.

rhum1

11:41 am on Apr 4, 2013 (gmt 0)

Hello,

Me too i can see this 404 error on my logs since 5 or 6 days. My website is not in asp but in php

gfergo

6:03 pm on Apr 8, 2013 (gmt 0)

We are also receiving requests for /scanImageUrl.

They seem to be coming from IE 8 and IE 9 (both with Trident in the User Agent string).

Has anyone determined the underlying cause yet?

ttomsen

2:09 pm on May 20, 2013 (gmt 0)

I posted a question on stackexchange: [snip]

and someone responded and it points to a 3rd party addon(spyware)

here's a summary:

One of my coworkers started exhibit the symptoms (random requests for http://www.example.com/scanImageUrl from IE8), so I hopped on her computer to figure out what was causing the issue.

The problem appears to be due to a malware IE add-on called Yontoo v2.051. I doubt anyone intentionally installs the software, but, among other installers, it is bundled with "EZ Fonts" ([snip]). Disabling both parts of the add-on from IE stops the issue.

[edited by: phranque at 10:08 am (utc) on May 21, 2013]
[edit reason] links to malware, etc [/edit]

phranque

10:23 am on May 21, 2013 (gmt 0)

welcome to WebmasterWorld, ttomsen!

thanks for your help with an explanation of the issue.

phranque

10:23 am on May 21, 2013 (gmt 0)

warm welcomes all around to mydogbart, rhum1, and gfergo!