Unusual GET Request
I am getting unusual GET requests to my server: /op69okl?name=http://www.ntdtv.com/
or /op69okl?name=http://www.epochtimes.com/
or something similar with other sites in the param. Doing some searching for op69okl,
it seems like the username of a porn account.
To clarify my interest in this question: I am a software developer, but I started doing reverse engineering and learning more about malware recently, so I am still too much of a noob to approach this systematically.
Requests come from IP addresses in China; almost all IPs are different and rarely repeat. Since the IPs are so different, it leads me to believe they are bots. I suppose they could be probing for a vulnerability and expecting a certain response. In my case my server (which is not running any common framework) is not returning 404 to this request, but rather reroutes to a default page. I wonder if that's why the bot keeps trying my IP?
I am curious how to investigate this further. I am currently learning how to catch malware; I am thinking, as a first step, to map out the IP addresses of the incoming requests and get more insight into where they come from and how often (it started 3 days ago; not very frequent). Then I want to set up a new server and see if I can "catch" the same request again. WordPress or another common framework would work OK for this, I think.
What else can I do to investigate this? I am taking this as a real life learning opportunity.
P.S. I am very curious why the bot is passing the ?name= like this. Would love to find out.
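The first investigative step described in the question (map the source IPs of the probe requests, see how often they arrive and what the name= parameter carries) can be done directly from the web server's access log. The following Python script is an added example and is not code from the question or from any answer; it assumes a common-log-format access log, and the five log lines, IP addresses (documentation ranges) and timestamps embedded in it are constructed for the demonstration. The path /op69okl and the two name= values are the ones quoted in the question.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format). The source IPs are
# from documentation ranges, not real probe sources; only the path and the
# name= values are taken from the question.
SAMPLE_LOG = """\
198.51.100.17 - - [03/Jun/2013:10:12:01 +0000] "GET /op69okl?name=http://www.ntdtv.com/ HTTP/1.1" 302 0
203.0.113.44 - - [03/Jun/2013:11:40:22 +0000] "GET /op69okl?name=http://www.epochtimes.com/ HTTP/1.1" 302 0
192.0.2.9 - - [03/Jun/2013:12:05:13 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.17 - - [04/Jun/2013:09:31:45 +0000] "GET /op69okl?name=http://www.ntdtv.com/ HTTP/1.1" 302 0
203.0.113.71 - - [05/Jun/2013:02:17:08 +0000] "GET /op69okl?name=http://www.epochtimes.com/ HTTP/1.1" 302 0
"""

# One common-log-format request line: client, ident, user, [timestamp],
# "METHOD target PROTOCOL", status, response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(text):
    """Yield one dict per well-formed request line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
        parts = urlsplit(rec["target"])
        rec["path"] = parts.path
        # parse_qs keeps every value for a repeated key, so nothing is lost
        rec["query"] = parse_qs(parts.query)
        yield rec


def summarize_probe(text, path="/op69okl"):
    """Summarize requests to the probe path: sources, frequency, parameter values."""
    hits = [r for r in parse_log(text) if r["path"] == path]
    by_ip = Counter(r["ip"] for r in hits)
    per_day = Counter(r["ts"].date().isoformat() for r in hits)
    name_values = Counter(v for r in hits for v in r["query"].get("name", []))
    # Status codes show what the server answered; the question's server
    # redirects to a default page instead of returning 404.
    statuses = Counter(r["status"] for r in hits)
    timestamps = [r["ts"] for r in hits]
    return {
        "total": len(hits),
        "unique_ips": len(by_ip),
        "by_ip": by_ip,
        "per_day": per_day,
        "name_values": name_values,
        "statuses": statuses,
        "first_seen": min(timestamps, default=None),
        "last_seen": max(timestamps, default=None),
    }


if __name__ == "__main__":
    summary = summarize_probe(SAMPLE_LOG)
    print(f"{summary['total']} probe requests from {summary['unique_ips']} IPs, "
          f"{summary['first_seen']} to {summary['last_seen']}")
    for key in ("by_ip", "per_day", "name_values", "statuses"):
        print(f"{key}:")
        for value, count in summary[key].most_common():
            print(f"  {count:4d}  {value}")
```

Run it against the real log by replacing SAMPLE_LOG with the file contents (for example, `summarize_probe(open("/var/log/apache2/access.log").read())`; the path is an assumption about the server's layout). The by_ip and per_day counters answer the "where from and how often" part of the plan, and comparing the statuses counter against the same summary for other paths shows what the probing client actually receives from this server.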