Search Engine Spider and User Agent Identification Forum

okhy11
007, okhy eleven...
lucy24
msg:4473430, 4:14 am on Jul 7, 2012 (gmt 0)

It was going to be "The hylls are alive" but it turns out my logs' fixed-pitch font led me astray.

Does anyone have the remotest idea who or what okhy11 (in full, okhy11.04050) is?

Bing has dead silence. Google has pages that should never have been indexed (logs, "What's my IP?", UA identifiers). Yandex offers up
Optimization of a key clean-up procedures OKHY 11.06110-Free Soft Download

which would be a promising lead if it weren't followed in the next line by
Visiting this site may harm your computer or mobile device

There are limits to Need To Know.


I had a visitor from Hong Kong, with IP variously

65.49.2.{two different ddd numbers}
and
65.49.68.{seven more ddd numbers}

Did a pretty good impersonation of a human until I noticed that the first page didn't lead to a request for images until fully five minutes later, which would be a bit extreme even for dialup. Other oddities of timing on other pages.

The eagle-eyed reader will notice that 65.49 is not actually a Hong Kong range; it seems to be some innocuous place in Fremont (65.49.0.0/17). But they came in via google.com.hk with a perfectly plausible search.

Primary UA:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; okhy11.04050; .NET CLR 2.0.50727; okhy11.04050; 360SE)

For variety's sake:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; okhy11.04050; .NET CLR 2.0.50727; okhy11.04050)

also one okhy-less
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)

and a
360se [<i>and that's all</i>]
which was allowed to pick up one copy of the favicon

I don't know if the okhys always travel in pairs or if it's just this maybe-robot.

:: off to study logs and see if google.com.hk is a candidate for referer block ::

incrediBILL
msg:4473437, 5:16 am on Jul 7, 2012 (gmt 0)

Visiting this site may harm your computer or mobile device


That's why savvy bot busters use tools like CURL or WGET to access questionable content so you can download it without fear of a browser executing anything and then it can be examined in a plain vanilla HTML editor or notepad.

keyplyr
msg:4473459, 9:06 am on Jul 7, 2012 (gmt 0)

The site says:
OKHY [software] a key to optimize the clean-up procedures 11.06110

and then lists software download, license, etc links.

lucy24
msg:4473466, 12:11 pm on Jul 7, 2012 (gmt 0)

But maybe it's a red herring and they're talking about some other software entirely? Odd that google is so completely silent.

Maybe it's "I'll drop this weird name into my fake UA and everyone will be so distracted trying to identify it that they won't notice while I run wild among the e-books" which are public domain and can be downloaded from probably hundreds of places, see elsewhere about average robotic intelligence.

dstiles
msg:4473529, 9:16 pm on Jul 7, 2012 (gmt 0)

Both IP ranges are hurricane electric. Say no more beyond "Goodbye IP Range".

Why do you say it's from hong kong? Is there info you're not telling us? :)

lucy24
msg:4473566, 11:05 pm on Jul 7, 2012 (gmt 0)

No, there's info you overlooked ;) It's because they came in via google.com.hk. I checked; my page comes in around where their referer says it did. Odd thing to do, since you'd think google Hong Kong would be more likely to be blocked as referer than plain google.com would. I was actually thinking about it, but some of them turn out to be legitimate requests from legitimate Canadian IP ranges that you can't block. Well, maybe you can, but I won't.

Say no more beyond "Goodbye IP Range".

Well, that's good to know. I couldn't tell if it was nothing but servers, or one of those ### mixed ranges. For me they come through as all one big 65.49.0.0/17.

:: now off to block some huge slabs of China (up to /14) that I'd unaccountably overlooked ::

MxAngel
msg:4473614, 7:38 am on Jul 8, 2012 (gmt 0)

It seems to be a one-click optimization cleanup tool from okhy(dot)com for Windows 98 / 2000 / XP

Able of cleaning up malicious icons on your desktop, repair the Recycle Bin, my computer, my documents, my network ... icons. Repair and EXE LNK shortcuts, folders, and drives, lock the IE home page. Software can automatically upgrade online.

Info taken from www(dot)softwaredescription(dot)com/software/10493.html

Tried it out in a VM ...

I would certainly not recommend using that soft, it blindly changes permissions on registry keys and folders, tries to install a driver and update (repair?) others ... the list of changes is huge.

Once installed you get that okhy11 added to the user agent:

Useragent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; okhy11.08050; okhy11.08050)
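As an added example (not code from any poster in this thread), the following Python tokenises the UA strings quoted above by lucy24 and MxAngel and flags the tokens a stock IE 7/8 on Windows XP would not report, including the doubled okhy11 token and the bare "360se" request; the list of known tokens is my own assumption, not something the thread states.

```python
# Added example: tokenise MSIE-style UA strings and flag tokens a stock
# IE 7/8 on Windows XP would not report. KNOWN is my own assumption.
import re
from collections import Counter

KNOWN = [
    re.compile(r"^compatible$"),
    re.compile(r"^MSIE \d+\.\d+$"),
    re.compile(r"^Windows NT \d+\.\d+$"),
    re.compile(r"^Trident/\d+\.\d+$"),
    re.compile(r"^\.NET CLR \d+(\.\d+)+$"),
    re.compile(r"^(SV1|WOW64|Win64|x64|GTB\d+|Media Center PC \d+\.\d+)$"),
]
# The token this thread is about: okhy11.04050, okhy11.08050, ...
OKHY = re.compile(r"^okhy\d+\.\d+$", re.IGNORECASE)

def analyse(ua: str) -> dict:
    """Report unknown, duplicated and okhy-style tokens in one UA string."""
    m = re.search(r"\((.*)\)", ua)
    if not m:
        # No parenthesised comment at all, e.g. the bare '360se' request.
        return {"bare": True, "unknown": [ua.strip()], "duplicates": [], "okhy": []}
    tokens = [t.strip() for t in m.group(1).split(";") if t.strip()]
    unknown = [t for t in tokens if not any(p.match(t) for p in KNOWN)]
    # The okhy token turns up twice in most of the quoted UAs.
    dupes = sorted(t for t, n in Counter(tokens).items() if n > 1)
    okhy = [t for t in tokens if OKHY.match(t)]
    return {"bare": False, "unknown": unknown, "duplicates": dupes, "okhy": okhy}

# Constructed sample set: the UA strings quoted by lucy24 and MxAngel above.
SAMPLES = [
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; "
    "okhy11.04050; .NET CLR 2.0.50727; okhy11.04050; 360SE)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; "
    "okhy11.04050; .NET CLR 2.0.50727; okhy11.04050)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; "
    ".NET CLR 2.0.50727; 360space)",
    "360se",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; "
    "okhy11.08050; okhy11.08050)",
]

if __name__ == "__main__":
    for ua in SAMPLES:
        r = analyse(ua)
        print(f"{ua[:55]:<55} unknown={r['unknown']} dupes={r['duplicates']}")
```

Run against an access log, the same function picks out every request whose UA comment carries a token outside the known set, so the okhy11 visitors stand out without a blanket referer or range block.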

lucy24
msg:4473627, 10:42 am on Jul 8, 2012 (gmt 0)

Ah ha. D'you suppose that some of those blindly changed permissions make it easier for a normal person's computer to be hijacked by a passing botnet? Surely not what they wanted it to do, but... :)

MxAngel
msg:4473645, 12:45 pm on Jul 8, 2012 (gmt 0)

Well if you have problems with icons missing and permissions on folders then it's a solution, although I'd rather not see every single folder (especially system folders) permissions set to "Everyone". It also installs a service and tries to reinstall others in case they are missing I guess. Creates a scheduled task to update itself too.

One of its first tasks is to kill your antivirus (kill the running process) ... "in case it interferes with repairs" ... that seems to be the reason given by its author.

It installs a lot of mini applications, to view your BHOs for example, list of installed programs ... It has also a main interface with many tabs, I can't understand what's written, it's all in Chinese. It does reset your Internet Explorer page to Baidu also. It is for Chinese PC's only, nothing is in English.

Resets the Policies key, Image execution options ... couple of file associations. Might be a quick solution for people who are not very PC savvy I guess. At least two batch commands yield an error, might be language related, it's hard to tell without going through the .bat and .vbs files.

To be honest, I'd rather see a program tackle specific problems instead of the full option / full repair all in one go and reset everything to default or worse. :)

Btw, that 360SE seems to be AV related because the program tries to terminate the tray icon and main process of it.

lucy24
msg:4473689, 8:43 pm on Jul 8, 2012 (gmt 0)

It has also a main interface with many tabs, I can't understand what's written, it's all in Chinese. It does reset your Internet Explorer page to Baidu also. It is for Chinese PC's only, nothing is in English.

Well, I'll be jiggered. So there really is a China connection. Maybe someone from Hong Kong who brought their laptop with them to the US?

It would never have occurred to me that "360se" could be anything other than a minimalist favicon-getter-- like google's faviconbot, which normally wears no clothes at all. Can you tell that I do html by hand? By the time I noticed the <i> brackets it was too late to change them.

MxAngel
msg:4473730, 3:16 am on Jul 9, 2012 (gmt 0)

Looks like lots of hosting and websites, maybe a proxy in the lot or surfing through the server?
[bgp.he.net...]

I don't use the forum buttons either to format text ;)
