$ua

     
11:13 pm on Jun 25, 2016 (gmt 0)

keyplyr (Moderator This Forum, WebmasterWorld Administrator, from US)


UA: $UA
Protocol: HTTP/1.1
Robots.txt: No
Host: simpli.fi
169.54.19.96 - 169.54.19.127
169.54.19.96/27
Parent: softlayer.com
169.54.0.0 - 169.55.255.255
169.54.0.0/15
also...
Host: Private Customer (name exemplified for anonymity)
158.85.198.128 - 158.85.198.159
158.85.198.128/27
Parent: softlayer.com
158.85.0.0 - 158.85.255.255
158.85.0.0/16
also...
Host: theplanet.com (softlayer.com)
184.172.0.0 - 184.173.255.255
84.172.0.0/15

Ad marketing.

Been seeing this UA for a few weeks. When a RegEx attribute is used to start a UA string, IMO they are attempting to sneak past htaccess defenses, so I have alternate blocking methods in place; ironic since I usually allow marketing companies.

1:38 am on June 26, 2016 (gmt 0)
lucy24 (Senior Member, from US)


When a RegEx attribute is used to start a UA string

I don't see why. All you have to say in return is
^\W
or, if that's too all-encompassing,
^\$

:: detour to refresh memory ::

Yup. Even on my new, shorter bad_agent list, I still have ^\W along with ^-?$ just to cover all bases.

:: wandering off to TextWrangler to check how often they even occur (other than absent UA string, which comes through in logs as - hyphen) ::

The most common is
\"Mozilla
[sic, with matching \" at the far end] which I have to say bespeaks stupidity on the part of the bot-runner. It's the robotic equivalent of "I comma insert your name here comma" et cetera.

Also the occasional opening () which walks off with a handy 418 so I don't even need to think about it. (I don't save error logs, so I don't know if () by itself was the mod_security pattern.)

1:45 am on June 26, 2016 (gmt 0)
keyplyr (Moderator This Forum, from US)


Well I did say "attempting..." but now that you've spilled the beans they will probably change their UA accordingly.


(joking)

1:57 am on June 26, 2016 (gmt 0)
keyplyr (Moderator This Forum, from US)


AFAIK \"Mozilla is a bookmark link validator and not a bot. I see it seldom but have always allowed it without issue.

6:18 am on June 26, 2016 (gmt 0)
lucy24 (Senior Member, from US)


I don't think this is a bookmark link validator.
195.211.155.ddd - - [13/Feb/2015:23:37:02 -0800] "GET /xmlrpc.php HTTP/1.1" 403 3301 "http://example.com/xmlrpc.php" "\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0\""

or this
93.115.84.ddd - - [20/Feb/2015:21:39:17 -0800] "GET /customer/account/login HTTP/1.1" 403 3357 "http://example.com/customer/account/login" "\"Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0\""

or this
5.63.146.ddd - - [24/Jan/2015:17:46:56 -0800] "GET /admin/ HTTP/1.1" 403 3357 "http://example.com/admin/" "\"Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0\""

(Hm. I think autoreferer must be part of the bot script.) There were lots more; I just grabbed the first three.

I think I've been told at least twice what xmlrpc.php is, but it won't stick :(
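As an added illustration (not code from the thread or from any poster), here is the bad_agent logic lucy24 describes (^\W, the narrower ^\$, and ^-?$ for an absent UA) applied to Apache combined-format log lines like the ones quoted above; the sample log and the 192.0.2.x addresses are constructed for the example, and the rule names are my own.

```python
import re
# Patterns from the thread: a UA beginning with a non-word character
# ("$UA", "\"Mozilla...", "()"), the narrower leading-"$" variant, and an
# empty UA or the "-" Apache logs when the User-Agent header is absent.
# In .htaccess the same test is e.g. RewriteCond %{HTTP_USER_AGENT} ^\W
RULES = [
    ("empty-or-hyphen", re.compile(r"^-?$")),
    ("leading-dollar", re.compile(r"^\$")),
    ("leading-nonword", re.compile(r"^\W")),
]

# Apache combined log format; the UA is the last quoted field and may hold
# \" escapes, so it is matched greedily up to the final quote.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>.*)"$'
)

def parse_line(line):
    # Return the log fields as a dict, or None if the line does not parse.
    m = LOG_RE.match(line)
    if not m:
        return None
    row = m.groupdict()
    row["ua"] = row["ua"].replace('\\"', '"')  # undo Apache's quote escaping
    return row

def classify_ua(ua):
    # First rule the UA trips (ordered most to least specific), else None.
    for name, rx in RULES:
        if rx.match(ua):
            return name
    return None

def scan(lines):
    # Parsed rows whose UA trips a rule, with the rule name attached.
    hits = []
    for row in filter(None, map(parse_line, lines)):
        reason = classify_ua(row["ua"])
        if reason:
            hits.append(dict(row, reason=reason))
    return hits

# Constructed sample log modelled on the thread's quoted lines (RFC 5737 addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [25/Jun/2016:23:10:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "$UA"
192.0.2.11 - - [13/Feb/2015:23:37:02 -0800] "GET /xmlrpc.php HTTP/1.1" 403 3301 "http://example.com/xmlrpc.php" "\\"Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0\\""
192.0.2.13 - - [26/Jun/2016:01:00:00 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "-"
192.0.2.14 - - [26/Jun/2016:01:00:05 +0000] "GET /index.html HTTP/1.1" 200 4096 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/47.0"
"""
```

Running scan(SAMPLE_LOG.splitlines()) flags the $UA, the \"Mozilla and the "-" lines and leaves the ordinary Firefox line alone.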

6:29 am on June 26, 2016 (gmt 0)
keyplyr (Moderator This Forum, from US)


Well that's a different UA. I just meant the "\"Mozilla part.

Pretty sure I ID'd that one last year about the same time as the xmlrpc.php exploit.

Here's the exploit report:
[webmasterworld.com...]

Still think the first part of the UA is a bookmark updater, so possibly it is being included as part of a UA spoof in this bot of yours, but who knows?

IMO once these exploit scripts prove to be successful, they get repackaged, sold and resold. Parts of one become parts of another.

4:35 pm on June 26, 2016 (gmt 0)
lucy24 (Senior Member, from US)


Ah, that's what it was. So basically it's another way of saying "Psst, hey you, website, got any WordPress files I can attack?" One of those times when returning a manual 404 may be the most effective response, if you can bring yourself to do it.

11:26 am on June 27, 2016 (gmt 0)
andy_langton (Senior Member, from GB)


$UA


Perhaps they've intended to set a UA with the variable $UA, and just failed to code correctly and passed it as a string? I see a few user-agents where this happens.

12:56 pm on June 27, 2016 (gmt 0)
keyplyr (Moderator This Forum, from US)


Hadn't thought of that, thanks.