dstiles - 10:20 pm on Mar 13, 2013 (gmt 0)
I collected 46 sets of headers from synapse UA accesses during the past 24 hours (from 12/Mar/2013 23:50:04 to 13/Mar/2013 21:46:40 GMT).
There were a few instances of multiple IP accesses, from 1 to 8 (I may have miscounted in the list below)...
193.203.48.nn (4 hits) - UA - server - open ports
89.73.233.nnn (1 hit) - PL - dynamic - stealth
85.97.73.nn (1 hit) - TR - dynamic - no open ports
91.217.90.nnn (3 hits) - UA - server - open ports
114.48.35.nnn (1 hit) - JP - mobile access - no open ports
219.85.0.nn (1 hit) - TW - dynamic - no open ports
62.218.160.nnn (1 hit) - AT - dynamic - no open ports
83.26.141.nnn (1 hit) - PL - dynamic - no open ports
89.70.113.nnn (2 hits) - PL - dynamic - no open ports
85.176.24.nnn (1 hit) - DE - dynamic - stealth
96.20.61.nn (6 hits) - CA - dynamic - stealth
109.236.84.nnn (2 hits) - NL - server - open ports
85.122.54.nn (1 hit) - RO - dynamic - no open ports
84.0.39.nn (1 hit) - HU - dynamic - no open ports
119.242.193.nnn (1 hit) - JP - dynamic - stealth
94.112.29.nnn (1 hit) - CZ - dynamic - no open ports
89.69.81.nn (1 hit) - PL - dynamic - stealth
87.58.114.nnn (1 hit) - DK - dynamic - stealth
217.132.64.nnn (1 hit) - IL - dynamic - no open ports
95.77.126.nnn (8 hits) - RO - dynamic - no open ports
176.40.150.nn (1 hit) - TR - dynamic - no open ports
79.163.157.nnn (1 hit) - PL - dynamic - no open ports
77.78.39.nn (1 hit) - BG - dynamic - no open ports
83.85.150.nnn (1 hit) - NL - dynamic - no open ports
89.157.214.nnn (2 hits) - FR - dynamic - stealth
83.60.82.nnn (1 hit) - ES - dynamic - open ports
"No open ports" could simply mean the computer was turned off during my port-checking access attempt.
Stealth ports - nominally closed (probably behind a firewall) but one or two may be open or closed-but-visible for specific purposes (eg FTP).
Servers are expected to have open ports, dynamic lines should have no open ports (with possibly a few "static" exceptions used for "office" connection or if the machine has a virus).
Multiple hits were usually but not always consecutive.
With one exception (the last IP) the combination of IP type and port mode is expected. With no obvious open ports on broadband lines it seems as if synapse is part of a normal tool, albeit an odd one. However...
1. All accesses were to pages that included querystrings (eg www.example.com/page.asp?pid=product). I have so far not noticed any access by synapse to a simple page URL.
2. I do not know what would happen if the site contained only https URLs. I do not have that kind of site.
3. SERVER_PROTOCOL: HTTP/1.0 is always the case, so not a proper browser, which would be HTTP/1.1.
4. All logged accesses included the headers...
HTTP_ACCEPT_CHARSET: iso-8859-1, utf-8, utf-16, *;q=0.1
5. The ACCEPT inclusion of xml suggests an earlier supposition may be correct or, possibly, an inclusive gathering mode to grab anything. One new hypothesis is: this is an RSS feed aggregator or scraper, based on the inclusion of xml; if so why only querystring pages accessed (point 1)?
6. Although the identity specifier is new to me it is valid (indicates "do not encode").
7. Only 15 accesses included HTTP_COOKIE (my server sets temporary cookies only). Of these cookies, some were repeated but on different IPs, which indicates a shared user agent environment (eg a botnet or an advertising tracer). A typical cookie seems to be:
HTTP_COOKIE: ASPSESSIONIDAAAQACQB=BGNCCFADJJGMCHDCMKKGEEJ; ASP.NET_SessionId=-1%27; NID=; SID=; CID=;
(remember this is an IIS/ASP server).
If anyone can throw light on this, please do!
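As an added example (not part of dstiles' post or of this thread), the script below turns the traits listed in points 1, 3, 4 and 7 into log-review heuristics: HTTP/1.0, a query string on every hit, the fixed Accept-Charset value, and an ASP session id reused across different client addresses. Records are dicts keyed by the CGI server-variable names the post uses (SERVER_PROTOCOL, HTTP_ACCEPT_CHARSET, HTTP_COOKIE, plus REMOTE_ADDR and QUERY_STRING). The sample records, their documentation-range IPs and the session id values are constructed for this example; the extra check on ASP.NET_SessionId relies only on the fact that `%27` URL-decodes to a single quote, so a value like the one quoted in the post is flagged as not server-issued.

```python
"""Classify web-server requests using the traits reported for the 'synapse'
user agent: HTTP/1.0, a query string on every hit, a fixed Accept-Charset
header, and session cookies reused across unrelated IP addresses.

Records are dicts keyed by CGI server-variable names (as on an IIS/ASP host).
All sample records below are constructed for this example; the IPs are
documentation-range addresses, not the ones from the original report.
"""
from collections import defaultdict
from urllib.parse import unquote

# Header value quoted in the original post; treated here as a fingerprint.
SYNAPSE_ACCEPT_CHARSET = "iso-8859-1, utf-8, utf-16, *;q=0.1"


def parse_cookie(header):
    """Parse a raw Cookie header into a dict of name -> raw (undecoded) value."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def request_traits(rec):
    """Return the list of synapse-like traits a single request exhibits."""
    traits = []
    if rec.get("SERVER_PROTOCOL") == "HTTP/1.0":
        traits.append("http10")
    if rec.get("QUERY_STRING"):
        traits.append("querystring")
    if rec.get("HTTP_ACCEPT_CHARSET", "").strip() == SYNAPSE_ACCEPT_CHARSET:
        traits.append("accept-charset")
    # A session cookie whose URL-decoded value contains a quote character was
    # not issued by the server (assumption: the server only ever issues
    # alphanumeric session ids), so it is worth a closer look.
    for name, value in parse_cookie(rec.get("HTTP_COOKIE", "")).items():
        if name.lower().endswith("sessionid") and "'" in unquote(value):
            traits.append("tampered-session-cookie")
            break
    return traits


def shared_sessions(records):
    """Map each ASP session id seen from more than one IP to the set of IPs.

    Session ids reused across different client addresses point at a shared
    environment behind the user agent (proxy, botnet, tracker), which is the
    reading the post gives to its repeated cookies.
    """
    seen = defaultdict(set)
    for rec in records:
        for name, value in parse_cookie(rec.get("HTTP_COOKIE", "")).items():
            if name.upper().startswith("ASPSESSIONID") and value:
                seen[value].add(rec.get("REMOTE_ADDR"))
    return {sid: ips for sid, ips in seen.items() if len(ips) > 1}


def report(records):
    """Return {ip: traits} for every record that shows at least one trait."""
    out = {}
    for rec in records:
        traits = request_traits(rec)
        if traits:
            out.setdefault(rec["REMOTE_ADDR"], []).extend(traits)
    return out


# Constructed sample: two synapse-like hits sharing a session id from different
# IPs, and one ordinary browser hit for contrast.
SAMPLE = [
    {"REMOTE_ADDR": "198.51.100.7", "SERVER_PROTOCOL": "HTTP/1.0",
     "QUERY_STRING": "pid=product",
     "HTTP_ACCEPT_CHARSET": SYNAPSE_ACCEPT_CHARSET,
     "HTTP_COOKIE": "ASPSESSIONIDAAAQACQB=ABCDEFGHIJKLMNOPQRSTUVWX; "
                    "ASP.NET_SessionId=-1%27; NID=; SID=; CID="},
    {"REMOTE_ADDR": "203.0.113.42", "SERVER_PROTOCOL": "HTTP/1.0",
     "QUERY_STRING": "pid=other",
     "HTTP_ACCEPT_CHARSET": SYNAPSE_ACCEPT_CHARSET,
     "HTTP_COOKIE": "ASPSESSIONIDAAAQACQB=ABCDEFGHIJKLMNOPQRSTUVWX"},
    {"REMOTE_ADDR": "192.0.2.10", "SERVER_PROTOCOL": "HTTP/1.1",
     "QUERY_STRING": "", "HTTP_ACCEPT_CHARSET": "",
     "HTTP_COOKIE": "ASPSESSIONIDAAAQACQB=ZZZZZZZZZZZZZZZZZZZZZZZZ"},
]

if __name__ == "__main__":
    for ip, traits in report(SAMPLE).items():
        print(ip, ", ".join(traits))
    for sid, ips in shared_sessions(SAMPLE).items():
        print("session", sid, "seen from", sorted(ips))
```

Run against real records, only the combination matters: HTTP/1.0 alone or a query string alone is common, but all three header traits together plus a session id turning up from several addresses in one day is the pattern the post describes.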