Strange UA's

Can't figure out what they really are!

         

carfac

3:08 pm on Feb 3, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi:

I found a couple strange UA's when I checked my Webalizer logs this morning. Because Webalizer parses the log files itself, I cannot be sure of what the REAL UA is, but I have grep'ed for the strings reported by UA, and no matches... so, obviously, I do not have IP's either (yet!)

I was hoping someone might know what these really are, or how/what I could grep the logs with to get the real info!

The "reported" UA's are:

@\tG

and

H p\xfc\rH

thanks!

dave

wilderness

2:03 am on Feb 4, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Dave not enough data to even provide a hint :(

I haven't used Webalizer in nearly two years.
Is it possible you could gather either the IP or UA from another section of the stats? Referrer or something else?

carfac

3:24 pm on Feb 4, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



wilderness:

No, unfortunately, that is my only clue. The web log itself is too large to go through by hand, and a search for "@\tG" or "H p\xfc\rH" turns up nothing.

Webalizer gives you a UA, the number of hits and %, so no other clues!

dave

jdMorgan

4:17 am on Feb 5, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Dave,

Try searching your logs for just "xfc" - I've seen that substring several times before. It's some automated agent that makes a UA out of some strange way of expressing hexadecimal octets. If that doesn't make sense, don't worry, 'cause it's sort of a "fuzzy" definition of what I've seen anyway. :)

Jim

wilderness

4:34 am on Feb 5, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Not sure if this is the same creature or not?
Only result of "fc" in my files.

SetEnvIf User-Agent ^MFC keep_out

67.80.136.133 - - [30/Oct/2002:22:12:13 -0800] "GET / HTTP/1.1" 200 14146 "-" "MFC Foundation Class Library 4.0"

carfac

5:30 am on Feb 5, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Jim/Wilderness:

Thanks for the advice... I do not think it is MFC Foundation Class Library, that one does show fine usually.

Jim- I gave xfc and fc and a couple other substrings a quick grep through the logs, and did not match anything (that mattered)

I was wondering if "/x" or something like that was any kind of, well, not hex-code (even I know it is NOT that!), but some sort of escape code or something...

dave

carfac

5:39 am on Feb 5, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hey!

I found it!

The IP is 216-164-247-67, and the UA is "H p\xfc\rH"
From the log:

216-164-247-67.s2543.apx1.sbo.ma.dialup.rcn.com - - [02/Feb/2003:20:33:40 -0700] "GET /bcdb/detailed.cgi?film=55344&p=s HTTP/1.1" 200 12597 "http://www.widgets.com/detailed.cgi?film=55344" "H p\xfc\rH"

Pattern looks like a human browser... not too quick or anything, and I see a natural progression drilling down through the pages.

So I guess it is just a weirdo with a strange UA... but it looks OK!

dave

jdMorgan

5:50 am on Feb 5, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Dave,

xfc rang a bell as a hex code; "0x12ab4cde" is a common way of expressing a 32-bit hex number. As such, "xfc" could be short for "0xfc" - a valid 8-bit quantity. And your inability to find the ua in your logs indicated that somehow the characters were "hiding" by being encoded or escaped in some manner.

That is a pretty weird ua for a human, but I guess it takes all kinds... Jeez, I even set my Opera browser to identify as Opera and pass referrers - I must be gettin' old and boring... :)

Jim

Key_Master

6:31 am on Feb 5, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



H p\xfc\rH

In Perl \xfc would match the hexadecimal equivalent (fc) of the character ü.

\r matches a carriage return.

H pü
H

Make any sense?
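
Added example, not part of the original thread: a small Python filter that applies the decoding described in the post above to whole log lines and reports every User-Agent whose raw bytes include control or 8-bit characters. It assumes the log uses the backslash notation seen in this thread (`\xhh`, `\t`, `\r`); the sample lines, hosts and paths are constructed.

```python
import re

# Constructed sample lines in combined log format (hosts and paths are made up);
# the two odd UA strings are the ones quoted in the thread.
SAMPLE_LOG = r'''
192.0.2.10 - - [02/Feb/2003:20:33:40 -0700] "GET /a HTTP/1.1" 200 12597 "-" "H p\xfc\rH"
192.0.2.11 - - [02/Feb/2003:20:34:02 -0700] "GET /b HTTP/1.1" 200 512 "-" "@\tG"
192.0.2.12 - - [02/Feb/2003:20:35:10 -0700] "GET /c HTTP/1.1" 200 900 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
'''.strip().splitlines()

# host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?:[^"\\]|\\.)*" \d{3} \S+ '
    r'"(?:[^"\\]|\\.)*" "(?P<ua>(?:[^"\\]|\\.)*)"$')

ESCAPE_RE = re.compile(r'\\(x[0-9a-fA-F]{2}|.)')
C_ESCAPES = {'n': 0x0A, 'r': 0x0D, 't': 0x09, 'v': 0x0B, 'f': 0x0C, 'b': 0x08}

def unescape(field: str) -> bytes:
    """Turn the escaped text in the log back into the raw bytes the client sent."""
    out, pos = bytearray(), 0
    for m in ESCAPE_RE.finditer(field):
        out += field[pos:m.start()].encode('latin-1')
        tok = m.group(1)
        if tok[0] == 'x' and len(tok) == 3:   # \xhh -> one byte
            out.append(int(tok[1:], 16))
        elif tok in C_ESCAPES:                # \t, \r, ... -> control byte
            out.append(C_ESCAPES[tok])
        else:                                 # \" and \\ -> the character itself
            out += tok.encode('latin-1')
        pos = m.end()
    out += field[pos:].encode('latin-1')
    return bytes(out)

def odd_agents(lines):
    """Return (host, logged_ua, raw_bytes) for UAs holding control or 8-bit bytes."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = unescape(m.group('ua'))
        if any(b < 0x20 or b >= 0x7F for b in raw):
            hits.append((m.group('host'), m.group('ua'), raw))
    return hits

if __name__ == '__main__':
    for host, logged, raw in odd_agents(SAMPLE_LOG):
        print(host, logged, '->', raw)
```

When searching the raw log for the escaped form itself, a fixed-string match such as `grep -F 'H p\xfc\rH'` takes the backslashes literally.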

jdMorgan

6:40 am on Feb 5, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Key_Master,

H pü
H

Doesn't make any sense at all (to me), but at least you've given us the key to decode the original string.

Thanks!
Jim

carfac

5:31 pm on Feb 5, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Sure LOOKS like the sort of thing one would expect from a hacker, (or is that HåÈkæR?), and that is why I was concerned. And, it quite possibly could be....

But in this instance- luckily- he was just browsing...

Thanks for all the help!

dave