Strange Mobile Visits.

bobothecat2

11:15 pm on Oct 18, 2014 (gmt 0)

Is anyone else experiencing an increasing amount of mobile visits from Verizon and AT&T that seem to only go to the home page, always with no referrer? I've also seen a few requests for pages that haven't existed in years.

What's more interesting is that the IPs are always random; sometimes they pull all of the images/css/etc., other times it's just the html.

I'm not quite sure what to make of it.

keyplyr

1:35 am on Oct 19, 2014 (gmt 0)

When it's just one page and no other files, or just one other associated file, it is likely an infected account checking to see how your server responds.

I temporarily block these if they are from ISPs, mobile or otherwise. Often, they come back in a botnet. After a couple months, if I see no further suspect activity from this IP, I remove the block.

IMO this technique has become one of several new favorites for a variety of nefarious purposes.
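The pattern the first two posts describe (a lone fetch of one html page at a random IP, no referrer, few or no support files, then a temporary block that ages out) is easy to turn into a log-review script. The following is an added example, not code from the thread or from any of its posters. It assumes Apache "combined" log format and uses constructed sample lines on RFC 5737 addresses; the 60-day expiry and the Apache 2.4 `Require` rendering are assumptions standing in for whatever "a couple months" and the poster's own block list look like.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log line: ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Support files a real browser pulls after the html; a bare probe usually skips them.
ASSET_EXT = (".css", ".js", ".png", ".jpg", ".jpeg", ".gif", ".ico", ".svg", ".woff")

# Constructed sample log (not real traffic): one lone home-page hit, one normal
# visit that pulls assets with a referrer, one hit on a long-dead page.
SAMPLE_LOG = """\
198.51.100.23 - - [18/Oct/2014:22:01:07 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53"
203.0.113.9 - - [18/Oct/2014:22:03:11 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) Mobile/11D257 Safari/9537.53"
203.0.113.9 - - [18/Oct/2014:22:03:12 +0000] "GET /css/site.css HTTP/1.1" 200 900 "http://example.com/" "Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) Mobile/11D257 Safari/9537.53"
203.0.113.9 - - [18/Oct/2014:22:03:12 +0000] "GET /img/logo.png HTTP/1.1" 200 2200 "http://example.com/" "Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) Mobile/11D257 Safari/9537.53"
192.0.2.77 - - [18/Oct/2014:22:05:40 +0000] "GET /old/page-from-2009.html HTTP/1.1" 404 300 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) Mobile/11D257 Safari/9537.53"
"""


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    ts = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["ts"] = ts.astimezone(timezone.utc).replace(tzinfo=None)  # naive UTC
    rec["is_asset"] = rec["path"].split("?", 1)[0].lower().endswith(ASSET_EXT)
    return rec


def find_probes(log_text, max_assets=1):
    """Flag IPs matching the thread's pattern: exactly one page, at most
    `max_assets` support files, and an empty referrer on every request."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    probes = {}
    for ip, recs in by_ip.items():
        pages = {r["path"] for r in recs if not r["is_asset"]}
        assets = [r for r in recs if r["is_asset"]]
        no_referer = all(r["referer"] in ("", "-") for r in recs)
        if len(pages) == 1 and len(assets) <= max_assets and no_referer:
            probes[ip] = {
                "first_seen": min(r["ts"] for r in recs),
                "page": next(iter(pages)),
                "status": recs[0]["status"],
                "ua": recs[0]["ua"],
            }
    return probes


def build_blocklist(probes, block_days=60):
    """Temporary block: each flagged IP expires `block_days` after first sighting
    (assumed value; the post only says 'a couple months')."""
    return {ip: info["first_seen"] + timedelta(days=block_days)
            for ip, info in probes.items()}


def prune(blocklist, when):
    """Drop entries whose expiry is on or before `when` (a YYYY-MM-DD string)."""
    cutoff = datetime.strptime(when, "%Y-%m-%d")
    return {ip: exp for ip, exp in blocklist.items() if exp > cutoff}


def is_blocked(blocklist, ip, when):
    """True if `ip` is still inside its temporary block window on date `when`."""
    return ip in prune(blocklist, when)


def apache_block_snippet(blocklist, when):
    """Render the still-active entries as an Apache 2.4 <RequireAll> block."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += ["    Require not ip %s" % ip for ip in sorted(prune(blocklist, when))]
    lines.append("</RequireAll>")
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_probes(SAMPLE_LOG)
    for ip, info in found.items():
        print(ip, info["status"], info["page"], "first seen", info["first_seen"])
    print(apache_block_snippet(build_blocklist(found), "2014-10-20"))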

wilderness

1:48 am on Oct 19, 2014 (gmt 0)

I get this UA from iPhone multiple times each day, and from different IPs.

"Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53"

All they grab is the main page, and the requests are hardly enough in quantity to be determined crucial and/or pesty.
Thus I just let them pass.

tangor

1:53 am on Oct 19, 2014 (gmt 0)

I believe the phone makers (and their OS of choice) are checking everything and caching, just in case the user MIGHT want to go there. Have no proof of that, just LOOKS that way. As the hits are relatively low in number at the moment, I'm not taking any action.

not2easy

3:12 am on Oct 19, 2014 (gmt 0)

Another possibility is that your mobile visitors have 'pinned' your site as if it were an app. They can add your site to their homescreen whether you are mobile friendly or mobile antagonistic. I see a lot of these too that don't look like visitors because they fetch a few images or only html. I haven't investigated in depth, but it could be that they fetch depending on your cache settings (?). You can read about it at Google Developers: [developers.google.com...]

keyplyr

8:35 am on Oct 19, 2014 (gmt 0)

@ wilderness, tangor & not2easy

I have seen these very same IPs come back after a month or two as part of a botnet. IMO they are not caching, pinned links or not pesty enough. In the last 6 months I have successfully blocked 3 botnet attempts 95% because I had the individual IPs in my block list; IPs that had only previously hit one page or one file, one time.

But that's just me, YMMV.

wilderness

12:49 pm on Oct 19, 2014 (gmt 0)

The google mobile bot pretty much uses the same UA:

"Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

keyplyr

1:09 pm on Oct 19, 2014 (gmt 0)

Well, as you know, UAs hardly mean anything nowadays since almost every web client can easily spoof them. Intruders just cut and paste popular, legit UAs into their hacking tools. I can even run a bit of code that changes my UA with every server request. It's one of the security checks I do each week.

Several years ago I had 200 lines of regex filtering UAs. Now almost all my filters are IP based, and only a couple dozen lines deal with UAs, those with more complex conditions.
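The two posts above make the practical point together: the Googlebot mobile UA quoted earlier is public text, and anything can send it. The check that does not depend on the UA is the one Google documents for its crawler: reverse-resolve the IP, require the name to end in googlebot.com or google.com, then forward-resolve that name and require it to come back to the same IP. The following is an added example, not code from the thread or from Google. It takes the DNS lookups as parameters so the run below uses constructed fixtures on RFC 5737 addresses and never touches the network; passing no lookups makes it use the system resolver.

```python
import socket

# Names Google documents for its crawler's reverse DNS. The leading dot is
# deliberate: "evilgooglebot.com" must not satisfy the suffix test.
GOOGLE_CRAWLER_SUFFIXES = (".googlebot.com", ".google.com")


def verify_googlebot(ip, reverse_lookup=None, forward_lookup=None):
    """True only if PTR(ip) is under a Google crawler domain AND the forward
    lookup of that name contains ip. Either half alone is forgeable."""
    reverse_lookup = reverse_lookup or (lambda addr: socket.gethostbyaddr(addr)[0])
    forward_lookup = forward_lookup or (lambda name: socket.gethostbyname_ex(name)[2])
    try:
        host = reverse_lookup(ip).rstrip(".").lower()
        if not host.endswith(GOOGLE_CRAWLER_SUFFIXES):
            return False
        return ip in forward_lookup(host)
    except (OSError, KeyError):  # socket.herror/gaierror are OSError subclasses
        return False


def classify(ip, ua, reverse_lookup=None, forward_lookup=None):
    """Sort a request into: not claiming to be Googlebot, verified Googlebot,
    or claiming Googlebot without DNS backing it up."""
    if "Googlebot" not in ua:
        return "not-googlebot"
    if verify_googlebot(ip, reverse_lookup, forward_lookup):
        return "googlebot"
    return "spoofed-googlebot"


# Constructed DNS fixtures (assumption: not real Google records) so the example
# runs offline. 192.0.2.10 is the only address whose PTR and A record agree.
FAKE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",
    "192.0.2.11": "crawl-192-0-2-10.googlebot.com",   # forged PTR; forward lookup disagrees
    "192.0.2.12": "googlebot.com.attacker.example",   # would fool a naive substring check
}
FAKE_A = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    "googlebot.com.attacker.example": ["192.0.2.12"],
}


def fake_reverse(addr):
    return FAKE_PTR[addr]  # KeyError stands in for "no PTR record"


def fake_forward(name):
    return FAKE_A[name]


# The mobile Googlebot UA quoted in the thread, as the string an impostor would paste.
GOOGLEBOT_MOBILE_UA = (
    "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 "
    "(KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25 "
    "(compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
)

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"):
        print(ip, classify(ip, GOOGLEBOT_MOBILE_UA, fake_reverse, fake_forward))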

aristotle

1:19 pm on Oct 19, 2014 (gmt 0)

If you're dealing with a botnet, you should try to determine:

1. Is it a new botnet that is still growing by the active infection of new machines, or is an old botnet that is slowly decaying away?

2. Out of all the millions of sites on the web, why is the botnet probing your site? Or is it trying to probe all of them?

3. Is there a way to block the botnet other than by trying to block individual IPs? (Hint: in some cases, the answer is yes.)

4. Is the operator of the botnet planning to eventually unleash the trojans in all of the infected machines simultaneously in an all-out DDoS attack against your site?

dstiles

6:26 pm on Oct 19, 2014 (gmt 0)

Generally, varying lists of IPs are rented out by the botnet "owner" to some malefactor. They may be large lists, possibly thousands, or small ones, sometimes only a few dozen, depending on what the "client" wants. Some will be used for spamming, some for hacking or scraping, some for intrusion or attack. Any given IP may be used over a few days or weeks for any or all of those purposes or maybe for something I haven't mentioned.

Some botnet IPs will be attached to servers and others (most) to broadband (home/office) computers. For a variety of reasons these will often be country-specific: some populations are ill-educated in regard to the internet; some can/will not use official OSs (e.g. an old, bootlegged XP in a "poor" country). They may be driven by criminals or by governments (pretty much the same thing in some cases!). But note that it is the computer, not the IP, which is actually part of a botnet.

A number of broadband users will switch from IP to IP over the course of hours, days or weeks, thus negating any particular botnet IP connection, which would then be picked up by the botnet owner elsewhere on the computer's next connection to the internet. Some computers are taken off the network when the owner isn't there to play with them, making this a low-reliability node. Others will realise there is something wrong and clean up their machines, completely negating any botnet connection. Other computers' owners will click on something stupid and become a new node on the master botnet for a few hours, days, weeks, years...

In short, a group of botnet IPs used for any given purpose will vary even during a specific "campaign".

I would hope that all here know enough not to become part of a botnet. My personal advice would be to run linux as a desktop machine, updated immediately any "fix" is issued, and to run a very well-maintained linux web server, not (I wish!) a windows server. And to not use android - that is a very exploitable device and CAN be used within a botnet.

aristotle

7:13 pm on Oct 19, 2014 (gmt 0)

dstiles --
Thanks for that post -- it's very informative. Your point about how the IP of an infected device can change is especially illuminating. I hadn't thought about that.

aristotle

7:44 pm on Oct 19, 2014 (gmt 0)

I would hope that all here know enough not to become part of a botnet

I think it happened to me once. It was about 2008, on a Windows XP desktop. I knew something was wrong because browsing would become extremely slow, like taking 10 seconds to download a page that would normally take 2 seconds. This would continue for 15 or 20 minutes, then things would go back to normal for a while, then it would happen again. I thought it must be a trojan taking over the computer during those periods.

I tried several virus and malware programs but none of them could find anything wrong. But I finally got rid of it by restoring the system to an earlier point in time, before the problem appeared.