| This 35 message thread spans 2 pages: < < 35 ( 1  ) || |
Mozilla/4.0 (compatible; Synapse)
This user-agent was mentioned here in posting [webmasterworld.com...] in 2009 but no one replied.
UA: Mozilla/4.0 (compatible; Synapse)
I've been seeing (and blocking) a lot of hits this past month or so. It seems to be taking off in a big way but I'm unsure whether as a "curiosity" tool or a hacking/scraping tool.
Searching ixquick for the UA (in quotes) turns up several references including user-agents.org which says "Synapse - Apache web service for processing XML documents" and a link to a wiki "proposal" for the tool. This in turn leads to synapse.apache.org which says...
"Apache Synapse is a lightweight and high-performance Enterprise Service Bus (ESB). Powered by a fast and asynchronous mediation engine, Apache Synapse provides exceptional support for XML, Web Services and REST. In addition to XML and SOAP, Apache Synapse supports several other content interchange formats, such as plain text, binary, Hessian and JSON."
The "key features" list has some worrying items including "Support for industry driven Financial Information eXchange (FIX) protocol" which, given the tool is accessing MY (non-financial) web sites suggests ill-usage.
Most apache users are likely to be professionals (web site designers/hosters coming probably from server farms) but I'm seeing a lot of hits from broadband IPs (not always obviously compromised) on which I would not expect an apache server, especially a full internet-facing one with open ports.
One consecutive sequence of 10 hits today was to variations on an on-site search. It looked, from one of the parameters, as if the querystrings defining the search were those fed by the site to search engines rather than users; the site has since been modified (6 months ago) so the querystring is now different.
I've decided to continue blocking it. Anyone have any further insights?
I ran across one of the SynapseWorkstation UAs and it appeared to be a regular visitor, one page, requesting all files:
22.214.171.124 - - [20/Jun/2013:17:16:24 -0500] "GET / HTTP/1.1" 200 11902 "http://www.bing.com/search?q=BLUE+WIDGETS&src=IE-SearchBox&Form=IE8SRC" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; SynapseWorkstation.3.2.1; .NET4.0C; .NET4.0E)"
I had not noticed this in bing searches before, it may be common, just new to me: "src=IE-SearchBox&Form=IE8SRC"
> Mozilla/5.0 (compatible; news bot /2.1)
But that's neither Synapse nor SynapseWorkstation. Looks like a regular news bot - or a fake one. Nothing to do with the User-Agent we've been discussing, I think.
Yes, I think the workstation one is a real user with a real browser.
Not really much to add (especially being a newcomer here), other than corroborate the overall 'feeling' that "synapse" is some sort of botnet/attack.
For months now, we've seen sporadic direct entries to pages with query strings, including our Search pages, which are disallowed via robots.txt...although this doesn't identify itself as a bot and I have never seen it hit the robots.txt.
Like dstiles, what's concerned me and drew my attention to them in the first place was the use of the -1%27 parameter while researching a Searchbot Attack episode from a bunch of empty UA IP's.
Here's an example from earlier today, but we get dozens per day like this. I just recently added them to my Bad Bot ban list and they're sent to our 403 page now, but perhaps this will help others.
Note the q parameter from our search results page. They also use the -1%27 for the cx and cof parameters, which of course are associated with our Google tracking and would NEVER have a variable associated with them, so the -1%27 is very suspicious.
2013-08-06 00:21:31 W3SVC5 OUR-SITE xxx.xxx.xxx.xxx GET /search/results/default.asp cx=014533310200406954816jxmtrri0fhi&cof=forid10&ie=utf-8&q=-1%27&sa=search 80 - 126.96.36.199 HTTP/1.0 Mozilla/4.0+(compatible;+Synapse) - - www.eis-inc.com 403 0 0 9764 403 1156
Not sure if I noted this above, but I now block with 403 but do not register/block the IP itself. Blocking IPs was becoming annoying insofar as I had to check and (often) remove the IP block.
Same here...just too many IPs to contend with. Never having witnessed a 'good' synapse visitor, I just ban any UA with synapse in it. (Which has worked out great for the two days that's been in place...lol)
| This 35 message thread spans 2 pages: < < 35 ( 1  ) |