Do you recognize /impl.v11 or /p2/v11 files?

Forum Moderators: phranque

Message Too Old, No Replies

Do you recognize /impl.v11 or /p2/v11 files?

csdude55

6:49 am on Nov 19, 2020 (gmt 0)

I'm seeing a ton of these 404s in my error log:

/impl.v11.3.5.js
/p2/v11-3-5

The numbers vary, but they all seem to follow the format of "/impl\.v[0-9.]+" and "/p2/v[0-9-]+"

I assumed they came from a bot trying to find a backdoor, but then I noticed that a lot of them come from local IPs. So now I'm thinking... maybe a Chrome extension that's trying to do something?

Any guess?

phranque

7:10 am on Nov 19, 2020 (gmt 0)

what does the access log show for those requests?
especially interesting would be the user agent string.

csdude55

8:42 am on Nov 19, 2020 (gmt 0)

I tried to look but the log is 1.1G, and my internet provider (mobile) blocked me for a few minutes when I tried to download it! I'll have to try again tomorrow :-(

lucy24

7:27 pm on Nov 19, 2020 (gmt 0)

:: quick look through logs ::

Huh. Obviously not the single most popular request from malign or incompetent agents, since I don't find it at all.

You didn't ask about how to handle the request. But if you don't want to put your server to the work of looking for these nonexistent files, you could return a manual 404 to the pattern /(p2|impl). Of course you could also 403 block them outright, but it's sometimes more useful and satisfying to return a 404 because then you've given the visitor no information other than �I have no idea what you�re talking about�, while the 403 says �Nice try, but I�m onto you�.

[edited by: phranque at 3:06 am (utc) on Nov 20, 2020]
[edit reason] typo [/edit]

csdude55

11:21 pm on Nov 19, 2020 (gmt 0)

You're right, I'm feeling out what these are before deciding how to deal with them. Right now they return a 404, but since I have a list of exploits to [F] in my Apache configuration then it would be easy to add them to that. But if they actually have value then... maybe not?

Over the years I've found these in my error log that actually had value (mostly related to Adsense), so I had to manually write exceptions for them:

/pagead
/adform
/admotion
/adrime
/adtech
/bonzai
/contobox
/doubleclick
/exponential
/eyeblaster
/eyewonder
/flashtalking
/flite
/ipinyou
/jivox
/knorex
/kpsule
/linkstorm
/liquidus
/mediaplex
/mixpo
/pointroll
/predicta
/revjet
/rockabox
/sociomantic
/spongecell
/unicast

JorgeV

11:50 am on Nov 21, 2020 (gmt 0)

Hello,

Some, several, lot of adsense ads are buggy, Which can produce requests without domain name, and so the browser is trying to access a file from your server instead. Wrong MIME type are frequent too.

csdude55

7:53 pm on Nov 21, 2020 (gmt 0)

That's the basis for most of those files I listed, and that's why I was wondering about /impl. and /p2... if they're related to Adsense then maybe I need to find a way to auto-fix them. But I can't find anything about it all on Google, other than a few references of them being broken on other sites, too.