We have noticed over the past few months an increase in the number of web accesses to various URL addresses on our site with a string starting ‘/RK=0/RS=’, followed by strings of other characters. To us they are obviously some attempt to get access to information, but we were a little puzzled as to how they might possibly work. The URLs they are attached to are varied but seem to be on a lot of blog addresses. The RS= looks like it could be a regular expression for a pattern match of sorts, since some (but not all) are sometimes followed by a caret ^, but that is speculative.
They look to be a form of SSI injection with the header, with the attempt to try and pass tokens into the URL for some purpose.
Apparently we are not alone, and there is much discussion on the web as to exactly what it is trying to achieve and who might be behind it, but no clear answer is currently known.
One way to remove them might be a simple .htaccess rule similar to the following:
RewriteRule ^(.*)RK=0/RS= /$1 [L,NC,R=301]
An alternative would be to block the IP addresses from which they are coming, but if they are not ‘hard addresses’ in the sense that they are not reusable, then the risk is that you may end up blocking legitimate traffic.
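To weigh the two options against your own traffic, the following added example (not part of the original post) scans access-log lines for the ‘RK=0/RS=’ string, shows where the rule above would redirect each request, and lists the IP addresses that also sent ordinary requests. It assumes Apache combined log format and a .htaccess file at the document root; the log lines, IP addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Same pattern as the .htaccess rule; re.I mirrors the [NC] flag.
RULE = re.compile(r"^(.*)RK=0/RS=", re.I)
# Minimal matcher for combined-log lines: client IP and request path.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*"')

# Constructed sample lines (documentation IP ranges, made-up paths and tokens).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2014:10:01:02 +0000] "GET /blog/first-post/RK=0/RS=AbCdEf123- HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2014:10:01:05 +0000] "GET /blog/first-post/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2014:10:07:40 +0000] "GET /blog/second-post/rk=0/rs=XyZ^ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2014:11:15:00 +0000] "GET /about/RK=0/RS=QwErTy HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2014:11:16:30 +0000] "GET /contact/ HTTP/1.1" 200 2040 "-" "Mozilla/5.0"
"""

def redirect_target(path):
    """Return the URL the rule would redirect to, or None if it does not match."""
    # In a document-root .htaccess, mod_rewrite sees the path without its leading slash.
    m = RULE.match(path[1:] if path.startswith("/") else path)
    return "/" + m.group(1) if m else None

def summarize(log_text):
    """Count RK=0/RS= requests per IP and find IPs that also sent normal requests."""
    hits, other, targets = Counter(), Counter(), {}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, path = m.groups()
        target = redirect_target(path)
        if target is None:
            other[ip] += 1
        else:
            hits[ip] += 1
            targets[path] = target
    # Blocking these IPs would also drop their ordinary requests.
    mixed = sorted(ip for ip in hits if other[ip])
    return hits, targets, mixed

if __name__ == "__main__":
    hits, targets, mixed = summarize(SAMPLE_LOG)
    for path, target in targets.items():
        print(f"{path} -> {target}")
    print("RK=0/RS= requests per IP:", dict(hits))
    print("IPs that also sent normal requests:", mixed)
```
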