Mozilla/3.01 (compatible;)

Forum Moderators: open

Message Too Old, No Replies

Mozilla/3.01 (compatible;)

Crawler or Browser

joshie76

4:29 pm on Apr 10, 2001 (gmt 0)

This user_agent has recently been plying our site with weird hits, including getting to places that would normally redirect browsers with a disabled session state and cookies turned off.

Does anybody know what this is? Some kind of spammer or something? We have had legitimate traffic from the same UA but a lot of it is definately questionable.

Any ideas?

msgraph

4:39 pm on Apr 10, 2001 (gmt 0)

Ahh yes. These guys hit our sites on a daily basis.

Make sure you have a good security system set up on your server(s). This is a common UA used by hackers who try to break into web servers. I don't handle server configs much but try to set up something where these users get flagged and an e-mail is sent to you with their activies. Then just ban their IP's as they continue to come in. There could be some older browsers out there that still use this UA so it wouldn't be wise to ban it outright.

theperlyking

8:37 pm on Apr 10, 2001 (gmt 0)

A slightly different angle, I get these quite often on one of my sites that uses javascript rollovers, basically someone will visit using IE 5.5(for example) and that IP address will then request the images referred to in the javascript code (and fail, it seems to be faulty in the way it works) but with a user agent of Mozilla/3.01 (compatible;) and with no cookies etc..

Basically I think this is one of the net accelerator types of application, where you surf normally and it's supposed to download links in the backround to speed up your surfing. For the occasions I see this its almost definately not hackers, though your situation may be different.

sjoerd

10:11 pm on Apr 19, 2001 (gmt 0)

It's an accelerator indeed. I guess it's a Cacheflow (http://www.cacheflow.com). We have a farm of those ourselves and they all show up with Mozilla/3.01_(compatible).

themoff

10:19 am on Aug 8, 2001 (gmt 0)

I've had this Mozilla/3.01+(compatible;) turn up at my site, and all he seems to want is images, and occassionally a .css file.
Looking in detail at my logs, the UA is always accompanied by a normal browser UA from the same IP.

littleman

4:38 pm on Aug 8, 2001 (gmt 0)

This must be a commercial scavenging bot. It often comes via proxy IPs, sometimes the users are sloppy and don't check to see if the proxy has HTTP_X_FORWARDED (or it's variants) set on. Here is an example of such a case:

HTTP_ACCEPT = text/html, */*
HTTP_CACHE_CONTROL = max-stale=0
HTTP_USER_AGENT = Mozilla/3.01 (compatible;)
HTTP_X_FORWARDED_FOR = 132.79.8.10 -> home of the sloppy guy.
REMOTE_ADDR = 198.26.122.12
REMOTE_PORT = 36374
Name: WCS1-CBUS.NIPR.MIL

Anyway, the utility *always* has

HTTP_ACCEPT = text/html, */*
HTTP_CACHE_CONTROL = max-stale=0

as part of it's header information.