What is Verify Compliance Page


verify-Compliance_Page | notified-Compliance_Page

I noticed a few 404 page not found errors in activity logs for several sites today using these strings; verify-Compliance_Page?aHR0cDovL3d3dy5ncmFwaGljbGluZS5jby56YS8= and notified-Compliance_Page with the same rubbish string on the end.  When I find odd GET requests I invariably try to find out more information about what the ‘visitor’ is trying to do. Are they trying to hack, access forbidden areas, upload malware or post spam…

As far as verify-Compliance_Page and notified-Compliance_Page are concerned, the amount of substantiated information is notable only in it’s scarcity. So for any webmaster who is also looking for this information about these odd GET requests, this is what I was able to establish.

ProxySG Software related?

The most likely reason this string is being added to GET requests is an attempt to discover if the website is using a security product called ProxySG  from Blue Coat (possibly by a bot or spider), and if so to exploit a possible vulnerabilty. No information was available about the vulnerability.

referer Spam or not?

Another suggestion was this could be a case of referer spam. I guess this is possible; it could also be a case of referer spoofing. The referer in this case was a page on this blog, linking to my e-store catalogue. Interestingly, the verify-Compliance_Page string was found attached to the primary homepage www.graphicline.co.za/ as well as to the e-store homepage and catalogue page.

As I didn’t add this string to the link, what is anyone linking to the pages doing adding this to the link – nothing honourable and good that is certain!

And just to add substance to the notion this was a visitor with ill intent, the IP address had an entry in Project Honeypot as in use by a mail server or spammer…

Webmasters, Have You Seen this GET request

If you’ve seen “verify-Compliance_Page” or “notified-Compliance_Page” in your server logs, share your discoveries here…

Advertisements

About Mike

Web Developer and Techno-geek Saltwater fishing nut Blogger

Posted on May 17, 2012, in Internet Security and tagged , , , , . Bookmark the permalink. 2 Comments.

  1. I am currently developing a spamtrap and i came across a few examples of these. If you base64 decode the examples you will find that its either a url on your own site or something similar to what i have which is:

    aHR0cDovL3d3dy5ybWptLmNvbS8/dXRtX2NhbXBhaWduPWFwcGxlZ2F0ZS5jby51ayZ1dG1fbWVkaXVtPXJlZmVycmFsJnV0bV9zb3VyY2U9YXBwbGVnYXRlLmNvLnVr
    which becomes:

    ?utm_campaign=applegate.co.uk&utm_medium=referral&utm_source=applegate.co.uk

    As for the url there accessing, could it possibly be an script from some vulnerable software that uses get queries to post in data(comments, admin section, etc)? Automated software have certainly been doing a number on me recently and i am seeing more and more automated vuln scans.

    • You’re right, it’s a scan for a vulnerability. I get this about twice a month on average.

      These exploit bots are a darn nuisance. Every few days at least one of my sites gets hammered with multiple simultaneous ‘attacks’ often from 3 to 6 different IPs at once. Had one this morning tried over 600 times in a few minutes, then cam back again about an hour later.

      They don’t do any damage – but are an effective denial of service as the server resources get maxed out..

      Good luck with the spam trap – I like that idea!

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: