While debugging my website, I regularly come across multiple invalid GET requests; it's always Samsung mobile devices. I haven't got a clue how to track down this problem... See the logs below with the comments. It seems the device gets stuck in some loop and gets a 302 redirect answer every time. Note: GET /history.php/index.php is "made up" by the user's device; it's not a clickable link or an error in my PHP code. Also, if I request /history.php/index.php in my browser, as expected I just land in history.php, as the rest of the URI is ignored; nothing else happens.
As said before, in 100% of the cases it's Samsung Android devices; that sort of confirms that the problem is not in my website's code, as it would affect all devices.
UPDATE: Further research indicates it's only happening with "SamsungBrowser10.1" user agents. Also, logs indicate they are actual human users, not attackers. Always the same pattern: users are redirected away from "history.php" because they are not logged in, with a simple PHP: header("Location: index.php");
For some reason at this point the UA string changes to "Dalvik/2.1.0 ..." (see below) and it seems the browser takes the old URL, appends a forward slash and then the new location, so this happens (in simplified form):
GET www.example.com/history.php (UA: Mozilla 5.0 ...)
=> PHP header("Location: index.php"); exit;
GET www.example.com/index.php (UA: Mozilla 5.0 ...) What we want!
GET www.example.com/history.php/index.php (UA: Dalvik/2.1.0 ...) WTF
GET www.example.com/history.php/index.php (UA: Dalvik/2.1.0 ...)
GET www.example.com/history.php/index.php (UA: Dalvik/2.1.0 ...)
...
[END UPDATE]
Example log:
User requests history.php...OK
04:19:53 +0000] "GET /pilotzone/history.php HTTP/1.1" 200 6280 "[edited]" "Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-G975F) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/10.1 Chrome/71.0.3578.99 Mobile Safari/537.36"
User requests index.php...OK
04:19:55 +0000] "GET /pilotzone/index.php HTTP/1.1" 200 6253 "[edited]" "Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-G975F) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/10.1 Chrome/71.0.3578.99 Mobile Safari/537.36"
In the same second, user goes back to history.php !?!
04:19:55 +0000] "GET /pilotzone/history.php HTTP/1.1" 200 9542 "-" "Mozilla/5.0 (Linux; Android 9; SAMSUNG SM-G975F) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/10.1 Chrome/71.0.3578.99 Mobile Safari/537.36"
Fantasy requests, not generated by my PHP code, all get a 302 redirect ... note the user agent has suddenly changed!
04:19:55 +0000] "GET /pilotzone/history.php/favicon.ico HTTP/1.1" 302 590 "-" "Dalvik/2.1.0 (Linux; U; Android 9; SM-G975F Build/PPR1.180610.011)"
04:19:55 +0000] "GET /pilotzone/history.php/index.php HTTP/1.1" 302 590 "-" "Dalvik/2.1.0 (Linux; U; Android 9; SM-G975F Build/PPR1.180610.011)"
04:19:55 +0000] "GET /pilotzone/history.php/index.php HTTP/1.1" 302 590 "-" "Dalvik/2.1.0 (Linux; U; Android 9; SM-G975F Build/PPR1.180610.011)"
04:19:55 +0000] "GET /pilotzone/history.php/index.php HTTP/1.1" 302 590 "-" "Dalvik/2.1.0 (Linux; U; Android 9; SM-G975F Build/PPR1.180610.011)"
04:19:55 +0000] "GET /pilotzone/history.php/index.php HTTP/1.1" 302 590 "-" "Dalvik/2.1.0 (Linux; U; Android 9; SM-G975F Build/PPR1.180610.011)"
04:19:55 +0000] "GET /pilotzone/history.php/index.php HTTP/1.1" 302 590 "-" "Dalvik/2.1.0 (Linux; U; Android 9; SM-G975F Build/PPR1.180610.011)"
[...]
This GET request is made 20 times before Apache closes the connection, I guess. (IP address deleted for privacy reasons.)
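
As an added example (not part of the original post and not the site's code): a small Python model of why the 302 repeats once a client has requested a URL below history.php, using standard relative-URL resolution of the Location value. It assumes, as the post describes, that any path below history.php is served by history.php and that a visitor who is not logged in gets the redirect; the function names, the 20-hop limit and the absolute-path variant are assumptions of this sketch.

```python
from urllib.parse import urljoin, urlsplit

HANDLER = "/pilotzone/history.php"   # script path taken from the logs above
MAX_HOPS = 20                        # assumption: client gives up after 20 requests


def location_for(path, location):
    """Model of the server as the post describes it: any path at or below
    history.php runs history.php (the rest is PATH_INFO), which answers a
    visitor who is not logged in with 302 + `location`. Other paths: 200."""
    if path == HANDLER or path.startswith(HANDLER + "/"):
        return location
    return None


def follow(start_url, location, max_hops=MAX_HOPS):
    """Follow redirects like an HTTP client does.
    Returns (requested URLs in order, True if the hop limit was hit)."""
    url, requested = start_url, []
    for _ in range(max_hops):
        requested.append(url)
        target = location_for(urlsplit(url).path, location)
        if target is None:
            return requested, False          # reached a 200 page
        url = urljoin(url, target)           # RFC 3986 relative resolution
    return requested, True


if __name__ == "__main__":
    base = "https://www.example.com/pilotzone/history.php"
    cases = [
        (base, "index.php"),                              # normal visit
        (base + "/favicon.ico", "index.php"),             # request seen in the log
        (base + "/favicon.ico", "/pilotzone/index.php"),  # absolute-path variant
    ]
    for start, loc in cases:
        requested, looped = follow(start, loc)
        paths = [urlsplit(u).path for u in requested]
        print(f"Location: {loc!r:24} looped={looped} hops={len(paths)}")
        print("   ", " -> ".join(paths[:3]), "..." if len(paths) > 3 else "")
```

The model does not explain why the Dalvik client issues the first request below history.php; it only shows that a relative Location resolves back to /pilotzone/history.php/index.php on every hop, while an absolute path ends the chain after one redirect.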