I see rando URL attempts all the time. So much so that for the frequent ones, I disconnect them in the webhandler proc in both the validatefilename and parserequestheader embeds. Might only be needed in one of them, but whichever is second is probably not being called given the abandon ship (ie: ReturnValue = Net:NotOK).
At the moment, this duct tape and bailing wire solution looks like this:
! we dont use PHP, CGI or cgi-bin, so this tosses out the low hanging fruit of slimeballs that try to hack us.
csLowerClippedFileName = LOWER(CLIP(SELF.WholeURL))
IF INSTRING('.php' , csLowerClippedFileName,1,1) > 0 THEN csFailReason = 'php'
ELSIF INSTRING('.cgi' , csLowerClippedFileName,1,1) > 0 THEN csFailReason = 'cgi'
ELSIF INSTRING('cgi-bin' , csLowerClippedFileName,1,1) > 0 THEN csFailReason = 'cgi-bin'
ELSIF INSTRING('die(@md5' , csLowerClippedFileName,1,1) > 0 THEN csFailReason = 'die(@md5'
ELSIF INSTRING('=die' , csLowerClippedFileName,1,1) > 0 THEN csFailReason = '=die'
ELSIF INSTRING('webdav' , csLowerClippedFileName,1,1) > 0 THEN csFailReason = 'webdav'
ELSIF INSTRING('.asp' , csLowerClippedFileName,1,1) > 0 THEN csFailReason = '.asp'
ELSIF INSTRING('.git' , csLowerClippedFileName,1,1) > 0 THEN csFailReason = '.git'
ELSIF INSTRING('phpstorm' , csLowerClippedFileName,1,1) > 0 THEN csFailReason = 'phpstorm'
ELSIF INSTRING('phpunit' , csLowerClippedFileName,1,1) > 0 THEN csFailReason = 'phpunit'
ELSIF INSTRING(';chmod' , csLowerClippedFileName,1,1) > 0 THEN csFailReason = 'chmod'
ELSIF INSTRING(';wget' , csLowerClippedFileName,1,1) > 0 THEN csFailReason = 'wget'
ELSIF INSTRING('/admin' , csLowerClippedFileName,1,1) > 0 THEN csFailReason = '/admin'
ELSIF INSTRING('/auth' , csLowerClippedFileName,1,1) > 0 THEN csFailReason = '/auth'
ELSIF INSTRING('/owa' , csLowerClippedFileName,1,1) > 0 THEN csFailReason = '/owa'
ELSIF INSTRING('/jsonws' , csLowerClippedFileName,1,1) > 0 THEN csFailReason = '/jsonws'
ELSIF INSTRING('/config' , csLowerClippedFileName,1,1) > 0 THEN csFailReason = '/config'
ELSIF INSTRING('admin/' , csLowerClippedFileName,1,1) > 0 THEN csFailReason = 'admin/'
ELSIF INSTRING('wp-content' , csLowerClippedFileName,1,1) > 0 THEN csFailReason = 'wp-content'
ELSIF INSTRING('wp-includes' , csLowerClippedFileName,1,1) > 0 THEN csFailReason = 'wp-includes'
ELSIF INSTRING('.env' , csLowerClippedFileName,1,1) > 0 THEN csFailReason = '.env'
ELSIF INSTRING('well-known' , csLowerClippedFileName,1,1) > 0 THEN csFailReason = 'well-known'
ELSIF INSTRING('robots.txt' , csLowerClippedFileName,1,1) > 0 THEN csFailReason = 'robots.txt'
ELSIF INSTRING('mstshash' , csLowerClippedFileName,1,1) > 0 THEN csFailReason = 'mstshash'
ELSIF INSTRING('androxgh0st' , csLowerClippedFileName,1,1) > 0 THEN csFailReason = 'androxgh0st'
ELSIF INSTRING('currentsetting.htm' , csLowerClippedFileName,1,1) > 0 THEN csFailReason = 'currentsetting.htm'
ELSIF INSTRING('server: akamaighost' , csLowerClippedFileName,1,1) > 0 THEN csFailReason = 'Server: AkamaiGHost'
ELSE csFailReason = ''
END
IF csFailReason > ' '
p_web.AddLog('ParseRequestHeader: Punted ' & csFailReason & ' hack attempt via ' & CLIP(SELF.WholeURL))
p_web.Trace ('ParseRequestHeader: Punted ' & csFailReason & ' hack attempt via ' & CLIP(SELF.WholeURL))
ReturnValue = Net:NotOK
END