I keep seeing weird behaviour in our logs, where URLs that should normally only be accessed via a POST request are called via GET. The URLs include ones that are only ever constructed via javascript, so you wouldn’t expect a regular spider to come across them. If I search our logs for an IP that those requests are coming from, it seems like that user has only ever sent us GET requests.
It doesn’t seem like typical bot behaviour – the requests are spread out, rather than spamming our server with a bunch of requests in a short timeframe. The user agents are all regular browsers. However – and this is slightly speculative – it doesn’t really look like it’s a human browsing the site, since they seem to jump all over the place rather than following one link to the next.
Does anyone else see this sort of behaviour on their site? Any suggestions what causes it?
It may be somebody fishing for exploits in your site. They would analyse your forms then craft their own URLs looking for weaknesses or unconventional ways to use the service. If it’s usually the same IP address then you could probably assume that’s the case.
One example might be you are a streaming media provider and somebody is trying to piece together the source URLs for a video downloader script. Often though it’s simply spammers looking to relay through your contact forms.
Don’t assume too much from IP addresses and and user agents. The former can be proxied (through networks like Tor) and the later can be changed at will. Just because the IPs and user-agents change doesn’t mean it isn’t the same user generating the requests.