A Korean office suite from haansoft.com similar to MS Office. This can also be used to download all the files on a web page and keep going site-wide. Ask me how I know :)
incrediBILL
8:34 am on Jun 10, 2015 (gmt 0)
If that's the whole UA it wouldn't get page 1, ask me how I know :)
keyplyr
9:29 am on Jun 10, 2015 (gmt 0)
ah... because you require "Mozilla"
lucy24
4:06 pm on Jun 10, 2015 (gmt 0)
User-Agent ^\S+$
?
keyplyr
9:59 pm on Jun 10, 2015 (gmt 0)
On my site it failed to get past my header filter, but across my client's sites it got it all. Came in a regular browser seemingly, visiting a couple pages, then ran head checks of entire file hierarchy, then scraped all files attached to these pages. Reminded me of the old httrack.
So since the software looks legit, it is either set up to do this user-side, or the user tweaked it to do their own bidding.
keyplyr
1:23 am on Jun 13, 2015 (gmt 0)
Just saw variation on UA: Haansoft;
Seems odd to use semicolon without anything following.
lucy24
3:24 am on Jun 13, 2015 (gmt 0)
Seems odd to use semicolon without anything following.
I remember one time wilderness or someone like him started a thread trying to solidify a rule to cover various punctuation oddities that always mean the visitor is up to no good. It was more than a little infuriating because you can look at it with your human eyeballs and instantly say "That punctuation is hinky" but it's inordinately difficult to hammer out a simple RegEx to cover all possibilities. You have to list them all separately.
For example you'd think
[^\w)]$
would be safe* but even constraining raw-logs search to 200s I still find:
-- facebook app ends in ]
-- law-abiding Qwant robot ends in /* (really)
-- probably others; I didn't look too closely
* If you're searching logs you also have to exclude - because that's how Apache handles absent loggable items. But nobody ever puts - at the end of a UA string.
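Added example, not code from any poster in this thread: a log scan that applies the two patterns quoted above (`^\S+$` and `[^\w)]$`) to 200 responses only, skips Apache's `-` placeholder, and carries an allowlist for the two legitimate agents mentioned. The log lines, the allowlist patterns and the function names are constructed for illustration.

```python
import re

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "UA"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) \S+ '
                    r'"[^"]*" "(?P<ua>[^"]*)"$')
NO_SPACE = re.compile(r'^\S+$')               # whole UA is a single token
ODD_TAIL = re.compile(r'[^\w)]$', re.ASCII)   # last char is neither a word char nor ")"
# Assumed allowlist for the legitimate agents named in the thread (patterns are constructed).
TAIL_OK = (re.compile(r'\[FB[^\]]*\]$'), re.compile(r'Qwant'))

def classify(ua):
    """Return the reasons a UA string looks odd (empty list = not flagged)."""
    if ua in ('', '-'):   # "-" is how Apache logs an absent header; both regexes would match it
        return []
    reasons = []
    if NO_SPACE.search(ua):
        reasons.append('no-whitespace')
    if ODD_TAIL.search(ua) and not any(p.search(ua) for p in TAIL_OK):
        reasons.append('odd-trailing-char')
    return reasons

def scan(lines, status='200'):
    """Map each flagged UA to its reasons, looking only at responses with `status`."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m['status'] == status:
            reasons = classify(m['ua'])
            if reasons:
                hits[m['ua']] = reasons
    return hits

# Constructed sample log lines (documentation IP range, invented requests and UA details).
SAMPLE = [
    '192.0.2.10 - - [13/Jun/2015:01:23:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Haansoft;"',
    '192.0.2.10 - - [13/Jun/2015:01:23:05 +0000] "HEAD /a.pdf HTTP/1.1" 200 - "-" "Haansoft"',
    '192.0.2.20 - - [13/Jun/2015:01:24:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"',
    '192.0.2.30 - - [13/Jun/2015:01:25:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) [FBAN/FBIOS;FBAV/1.0]"',
    '192.0.2.40 - - [13/Jun/2015:01:26:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Qwantify/1.0; +https://www.qwant.com/)/*"',
    '192.0.2.50 - - [13/Jun/2015:01:27:00 +0000] "GET / HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.60 - - [13/Jun/2015:01:28:00 +0000] "GET /x HTTP/1.1" 404 210 "-" "grabber,"',
]

if __name__ == '__main__':
    for ua, why in scan(SAMPLE).items():
        print(f'{ua!r}: {", ".join(why)}')
```

The allowlist grows by hand as new legitimate oddities turn up in the logs, which is the "list them all separately" cost described in the post above.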
keyplyr
7:19 am on Jun 13, 2015 (gmt 0)
...wilderness or someone like him...
LOL
keyplyr
9:18 am on Jun 13, 2015 (gmt 0)
Regarding rules for unique UA attributes... I pretty much let go of all that. At one time I had a big fat htaccess full of conditions & rules that every visitor had to pass. I was a rule writing fool back in the days of Jim Morgan. Most every conversation we had resulted in a new condition/rule. I was dizzy.
Then one day I discovered that most all these strange UAs went away after a short life of crime (or never returned at all) and I was left with this bloated, archaic code. Yes, a true life changing epiphany.
Now, while still a big fat htaccess file, I just have about 12 rewrite lines, and the rest IP blocks and/or filters that, if triggered, evoke one of several stand alone server-side scripts that deal only with that bad actor and not the rest of my traffic.
Today life is good.
wilderness
10:01 am on Jun 13, 2015 (gmt 0)
wilderness or someone like him
There's not another on the planet that even comes close ;)
FWIW, lucy may be referring to the multiple times I've displayed lines of semicolon and leading and trailing spaces (discussed most recently in the Apache forum and in a thread dealing with quotes and the use of 'exactly as'.) EX:
SetEnvIf User-Agent " ; " keep_out