srecorder dot com

Forum Moderators: open

Message Too Old, No Replies

srecorder dot com

lucy24

10:07 pm on Jul 1, 2014 (gmt 0)

Can anyone elucidate?

186.241.123.abc - - [01/Jul/2014:10:40:49 -0700] "GET / HTTP/1.1" 200 2558 "http:/ /screen-recorder.srecorder.com/screen-recorder.php?u=http://example.com" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36"

(IP lightly obfuscated because it's probably an infected human machine) followed by all supporting files including analytics, exactly as if human.

Grounds for suspicion: (a) request for front page, which frankly nobody ever visits, and (b) Brazilian neighborhood best known --to me, that is-- for humanoids with semalt referer.

Referer site claims to be based in Tortuga, British Virgin Islands, but clearly not the work of a native English speaker.

aristotle

3:07 pm on Jul 4, 2014 (gmt 0)

I'm not sure if this applies to this case, but if multiple pages are fetched, the time intervals between fetches are usually much smaller for a bot than for a real human.

lucy24

8:25 pm on Jul 4, 2014 (gmt 0)

I think they only got the front page. Maybe one more. But the full complement of supporting files-- with humanoid timing-- is a non-robotic touch. And of course it wasn't preceded by a human request for the same page, or I wouldn't even ask. (I mean things like BlueCoat, where the AV steps in and requests a page after the human browser has already asked for it.)

Sometimes I get people opening pages in tabs, so there's a flurry of requests, a few seconds apart. But they'll all have the same referer, so you can see what they're doing.