What is HTTP COOK request method in my logs?
I'm seeing entries in my Apache logs like the following
178.216.185.210 - - [24/Feb/2014:11:46:40 -0500] "COOK /freesearch.php?portal=0a9&... HTTP/1.0" 303 589 "-" "Mozilla/4.0 (compatible; Synapse)"
with COOK in place of the usual GET or POST.
I've tried a variety of search terms and can't find any info on what this might be. I've also Googled the user-agent string and discovered that it is likely a script built with Ararat Synapse. And judging by the other requests made with that user-agent string, this is someone who is up to no good.
So is this just some made up request method?
How does Apache handle unknown request methods? The response status code for all COOK requests is logged as 303. So is Apache saying See Other and just providing the same URI? I don't see another hit from the same IP, so I am assuming the response is simply logged or ignored. They probably come back later from another IP.
So my script is never run, correct?
Solution 1:
It's not a method defined in any HTTP standard, that's for sure. Probably some 'custom' method implemented by a proprietary web server.
Since it's an unknown method, Apache shouldn't execute anything. According to Wikipedia's article on HTTP 303, and I quote:
This response indicates that the correct response can be found under a different URI and should be retrieved using a GET method.
so basically Apache is telling the client to retry the request using the GET method.
Solution 2:
The COOK verb appears to be synonymous with the User-Agent string containing "Synapse". The term Synapse is a free TCP/IP library written in Pascal (see here: http://wiki.freepascal.org/Synapse#From_an_HTTP_server) that is used to create bots, scrapers and crawlers as well as other legitimate software.
Solution 3:
This method of attack is most likely tied to a user agent, as mentioned previously, such as Synapse. Because this tool is commonly used for malicious probing and hacking, the method is most probably used as a way to probe whether you are blocking, or have some sort of firewall or application in place that will block, based on unknown HTTP methods. Depending on the response, you may be able to gain insight into the tools used.
Knowing that you have a firewall or some other tool in place to deny these requests, they then craft the attack to avoid those common default blocking behaviors used by that type of firewall/tool.
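The question and the answer above both turn on one practical task: pulling every request with a non-standard method out of an Apache access log and seeing whether they cluster on one user agent or one source, as a scanner would. The following is an added example (not code from the question or any answer) that parses Apache "combined" LogFormat lines, flags methods outside the RFC 7231/RFC 5789 and common WebDAV set, and summarizes the hits by (method, user agent) and by source host. The sample log is constructed for the demo; its first line is the one quoted in the question, the rest are invented, and the allow-list of known methods is an assumption you should adjust to what your server actually serves.

```python
"""Triage Apache combined-format access logs for non-standard HTTP methods
such as the "COOK" verb discussed above.

Added example, not code from the original post. SAMPLE_LOG is constructed
(first entry is the line quoted in the question); KNOWN_METHODS is an
assumed allow-list, widen it if your site legitimately speaks WebDAV etc.
"""
import re
from collections import Counter

# Apache LogFormat "combined":
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Methods registered by RFC 7231 / RFC 5789, plus the common WebDAV verbs.
# Anything outside this set deserves a second look (assumed allow-list).
KNOWN_METHODS = frozenset({
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE",
    "PATCH",
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
})


def parse_line(line):
    """Parse one combined-format line into a dict; None if it does not match."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    # %r should be "METHOD target HTTP/x.y". A TLS handshake sent to a
    # plain-HTTP port, or a truncated request, will not have three tokens;
    # keep the raw request string as the "method" instead of crashing.
    parts = rec["request"].split(" ")
    if len(parts) == 3:
        rec["method"], rec["target"], rec["protocol"] = parts
    else:
        rec["method"], rec["target"], rec["protocol"] = rec["request"], "", ""
    rec["status"] = int(rec["status"])
    return rec


def find_unknown_methods(lines, known=KNOWN_METHODS):
    """Return parsed records whose method is not in `known` (malformed
    request lines are included, since they are equally worth a look)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["method"] not in known:
            hits.append(rec)
    return hits


def summarize(hits):
    """Count hits by (method, user-agent) and by source host, which is what
    tells you whether one scanner is behind all of them."""
    by_method_agent = Counter((h["method"], h["agent"]) for h in hits)
    by_host = Counter(h["host"] for h in hits)
    return by_method_agent, by_host


# Constructed sample log; first line is the one quoted in the question.
SAMPLE_LOG = [
    '178.216.185.210 - - [24/Feb/2014:11:46:40 -0500] "COOK /freesearch.php?portal=0a9&... HTTP/1.0" 303 589 "-" "Mozilla/4.0 (compatible; Synapse)"',
    '203.0.113.7 - - [24/Feb/2014:11:47:02 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Feb/2014:11:47:05 -0500] "POST /login.php HTTP/1.1" 302 0 "http://example.test/index.php" "Mozilla/5.0"',
    '198.51.100.23 - - [24/Feb/2014:12:01:13 -0500] "COOK /search.php?q=x HTTP/1.0" 303 589 "-" "Mozilla/4.0 (compatible; Synapse)"',
    '198.51.100.23 - - [24/Feb/2014:12:01:14 -0500] "PROPFIND / HTTP/1.1" 405 224 "-" "Mozilla/4.0 (compatible; Synapse)"',
    '192.0.2.9 - - [24/Feb/2014:12:05:00 -0500] "\\x16\\x03\\x01" 400 226 "-" "-"',
]

if __name__ == "__main__":
    hits = find_unknown_methods(SAMPLE_LOG)
    by_method_agent, by_host = summarize(hits)
    for (method, agent), n in by_method_agent.most_common():
        print(f"{n:3d}  {method!r:20}  {agent}")
    for host, n in by_host.most_common():
        print(f"{n:3d}  {host}")
```

Run it against a real log with `find_unknown_methods(open("/var/log/apache2/access.log"))`; the PROPFIND line is deliberately left unflagged to show that the allow-list, not the status code, decides what counts as unknown, and the `\x16\x03\x01` line shows why the parser must tolerate a request field that is not three tokens.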