25 Years of Programming Community Forum
Author Topic: GETs in access logs with unexpected +% string characters  (Read 1782 times)
aussie (Newbie, Posts: 1)
« on: March 06, 2010, 09:56:11 PM »

Firstly, thank you Steve for providing the security advice webpages and this forum for questions and answers.

I've noticed some weird happenings in my logs: some GETs appear to have +% appended to them, which I don't expect.
I've included two examples below and do not know what they are or what they may be doing or attempting to do.

If malicious, any recommendation on an .htaccess RewriteCond? I would anticipate matching anything with a "+%" in it.

GET /index.php+++++++++++++++++++++++++++++Result:+%E8%F1%EF%EE%EB%FC%E7%EE%E2%E0%ED%FB+%E4%E0%ED%ED%FB%E5+x_fields.txt;%E7%E0%F0%E5%E3%E8%F1%F2%F0%E8%F0%EE%E2%E0%EB%E8%F1%FC+100%25+%28%E2%EA%EB%FE%F7%E5%ED+%F0%E5%E6%E8%EC+%F2%EE%EB%FC%EA%EE+%F0%E5%E3%E8%F1%F2%F0%E0%F6%E8%E8%29;

GET /display.php?did=14+%28200+ok%29+ACCEPTED HTTP/1.0

SteveW (Administrator, Sr. Member, Posts: 285)
« Reply #1 on: March 07, 2010, 07:25:17 PM »

Those are strange.

A web search on the first few hex numbers turned up a surprising 56 results, all of them weird, seeming to have something to do with vcards or email spam.

I tried subtracting 128 (80 hex) from each of the hex numbers to bring them down into the ASCII range and then looking up their ASCII character equivalents. That gave a sequence of random characters "hqonk gnb", and a web search on the sequence got a surprising 337 results, all of them either nonsense or in some kind of code.

Even a web search on x_fields.txt got 2000+ results that seem to indicate forum spam, possibly targeted at phpBB.

I've never seen exploit code that led to so many weird websites (some of them obviously illegal; don't go to them), so much unintelligible text, and for which there is apparently no discussion about it on the web.

In any event, these lines should forbid any request where the requested page or its query string contains +%, where the + appears as either + or %2B in upper or lowercase. The first line is only needed if you don't already have it in your .htaccess:

RewriteEngine On

# THE_REQUEST is the raw request line, seen before Apache percent-decodes
# the path. REQUEST_URI is the decoded path, so "+%E8" in the first example
# arrives there as "+" followed by a raw byte and no longer contains a "%".
RewriteCond %{THE_REQUEST} (\+|%2B)% [NC,OR]
RewriteCond %{REQUEST_URI} (\+|%2B)% [NC,OR]
RewriteCond %{QUERY_STRING} (\+|%2B)% [NC]
RewriteRule .* - [F,L]

Before installing a new ban like this, it's a good idea to search your historical access logs for the strings you're about to ban. Ensure that the new rules won't ban legitimate requests.
« Last Edit: March 07, 2010, 07:35:00 PM by SteveW »
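To make the two logged requests and the proposed ban concrete, here is an added Python example; it is not part of the original thread and not code from either poster. It applies the same `(\+|%2B)%` pattern to each of the three mod_rewrite variables a ban could test (THE_REQUEST, REQUEST_URI, QUERY_STRING), runs the historical-log audit step over a handful of constructed request lines (the two from the thread plus three made-up legitimate ones), and percent-decodes the first request as Windows-1251, under which its high bytes come out as Cyrillic text. The sample requests, the function names and the latin-1/cp1251 decoding choices are this example's own assumptions.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed sample request lines. The first two are the requests quoted in
# the thread (" HTTP/1.0" appended to the first so every sample has the same
# shape); the other three are made-up legitimate traffic for the audit step.
SAMPLE_REQUESTS = [
    "GET /index.php+++++++++++++++++++++++++++++Result:+%E8%F1%EF%EE%EB%FC%E7%EE%E2%E0%ED%FB+%E4%E0%ED%ED%FB%E5+x_fields.txt;%E7%E0%F0%E5%E3%E8%F1%F2%F0%E8%F0%EE%E2%E0%EB%E8%F1%FC+100%25+%28%E2%EA%EB%FE%F7%E5%ED+%F0%E5%E6%E8%EC+%F2%EE%EB%FC%EA%EE+%F0%E5%E3%E8%F1%F2%F0%E0%F6%E8%E8%29; HTTP/1.0",
    "GET /display.php?did=14+%28200+ok%29+ACCEPTED HTTP/1.0",
    "GET /display.php?did=14 HTTP/1.1",
    "GET /search.php?q=c%2B%2B+tutorial HTTP/1.1",  # made up: a search for "c++ tutorial"
    "GET /search.php?q=a+%26+b HTTP/1.1",           # made up: a search for "a & b"
]

# The same pattern the RewriteCond uses: "+" (literal or %2B) followed by "%".
PLUS_PERCENT = re.compile(r"(\+|%2B)%", re.IGNORECASE)


def split_target(request_line):
    """Return (raw_path, raw_query) from a 'METHOD target HTTP/x.y' line."""
    target = request_line.split(" ")[1]
    path, _, query = target.partition("?")
    return path, query


def rule_matches(request_line):
    """Apply the +% pattern to the three mod_rewrite variables a ban could use.

    THE_REQUEST and QUERY_STRING hold the raw bytes the client sent.
    REQUEST_URI holds the path *after* Apache percent-decodes it, so a "%"
    survives there only if the client sent "%25"; "+%E8" becomes "+" plus a
    raw byte and no longer matches.
    """
    raw_path, raw_query = split_target(request_line)
    decoded_path = unquote(raw_path, encoding="latin-1")  # byte-for-byte decode
    return {
        "THE_REQUEST": bool(PLUS_PERCENT.search(request_line)),
        "REQUEST_URI": bool(PLUS_PERCENT.search(decoded_path)),
        "QUERY_STRING": bool(PLUS_PERCENT.search(raw_query)),
    }


def blocked(request_line, include_the_request=False):
    """True if a ban on REQUEST_URI or QUERY_STRING (optionally THE_REQUEST
    as well) would return 403 for this request line."""
    m = rule_matches(request_line)
    return m["REQUEST_URI"] or m["QUERY_STRING"] or (include_the_request and m["THE_REQUEST"])


def audit_log(request_lines, include_the_request=False):
    """The pre-ban check: every historical request the rule would have blocked,
    so legitimate hits can be spotted before the rule goes live."""
    return [line for line in request_lines if blocked(line, include_the_request)]


def decode_target(target, encoding="cp1251"):
    """Percent-decode a request target, treating "+" as a space and the high
    bytes as Windows-1251 (an assumption of this example). For the first
    sample this yields the Russian text 'использованы данные x_fields.txt;
    зарегистрировались 100% (включен режим только регистрации)', which reads
    as a status report from an automated forum-registration tool."""
    return unquote_plus(target, encoding=encoding, errors="replace")


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(line[:60], rule_matches(line))
    print("blocked by REQUEST_URI/QUERY_STRING only:", len(audit_log(SAMPLE_REQUESTS)))
    print("blocked with THE_REQUEST as well:", len(audit_log(SAMPLE_REQUESTS, True)))
    print(decode_target(SAMPLE_REQUESTS[0].split(" ")[1]))
```

Checking REQUEST_URI alone misses the first request, because Apache hands mod_rewrite the decoded path and the `+%` sequence has already turned into `+` plus a raw byte; THE_REQUEST sees the raw request line and catches it. The two made-up search requests show the kind of legitimate traffic the same pattern also catches (`%2B%2B` is an encoded `++`, `+%26+` an encoded ` & `), which is why searching the historical logs before enabling the ban matters.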