Obfuscated bot? Phone? Any code-breakers in the house?

Forum Moderators: open

Message Too Old, No Replies

Obfuscated bot? Phone? Any code-breakers in the house?

Pfui

6:54 pm on Feb 6, 2009 (gmt 0)

Today's log-bloating UA puzzler, courtesy of a telewest.net (UK) visitor, hit our front door like a legit visitor and then moved on:

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; CK={x48tqD5OoTS1SzYljlYgn+nzdcQRN4f4wjuiR3aN4/21mFtS0BFJBcXB1lVS40IUn/CBh2OEyA1uWdmHco8dvW9Z/9OGwONT}; .NET CLR 2.0.50727)

Richard Ishida's truly nifty Unicode Code Converter [people.w3.org] couldn't make hide nor hair out of the CK={gibberish}. Any ideas?

incrediBILL

9:34 pm on Feb 7, 2009 (gmt 0)

Not positive, but I think it's some sort of proxy authentication code.

GaryK

11:52 pm on Feb 7, 2009 (gmt 0)

I've seen two similar UAs. First contact was made about a month ago for both. Both have visited in the past week. First one visited 5 times this week. Second one visited 52 times this week. Neither one triggered any bad-bot alarms. Note that the second one is malformed, lacking a closing parenthesis.

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; CK={cUIFAqbeKUEXyW35IIHdYgMW2w g7nLQKq0B1Q8rNKKmRazKCaSYGpaXGBNjht461zAgkgUwHCzV OLd0e0fAHAI7XUh9Y7VtGD3A7WezcE=}; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; CK={cUIFAqbeKUH4Cy Ei4KLAvcPCTVrjXlIyeBkpn8lTIWXg84HIjEcM2KODDoJiVKVxpS961q Cx/VoWP 1crndH6rGfWIPgW1S6R3QydMvEg=}; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.215