Old Android 2.2 Froyo UA Checking for Security Loopholes

TorontoBoy

12:59 pm on Mar 13, 2017 (gmt 0)

Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1

GSearched it but did not come up with a perfect match. Android 2.2 is Froyo, 2010, service is discontinued by Google, though I still have an old Froyo phone, it does show its vintage. Multi IP addresses, rinse and repeat of:
GET /wp-login.php HTTP/1.1
GET /administrator/index.php HTTP/1.1
GET /admin.php HTTP/1.1
GET /bitrix/admin/index.php?lang=en HTTP/1.1
GET /admin/login.php HTTP/1.1
GET /admin/ HTTP/1.1
GET /user/ HTTP/1.1

I had previously banned: Bilisim Teknolojileri Netinternet Tr 95.173.160.0 - 95.173.191.255, IP 95.173.160.12 for the same behaviour. This has been revisiting me for a long time, so may be old.

My response: SetEnvIf User-Agent "Mozilla\/5\.0 \(Linux; U; Android 2\.2\) AppleWebKit\/533\.1 \(KHTML, like Gecko\) Version\/4\.0 Mobile Safari\/533\.1" keep_out

lucy24

8:13 pm on Mar 13, 2017 (gmt 0)

I'm pretty sure all you'd need is
"Android 2\.2\)"
with close-parenthesis to eliminate humans with Android 2.2.some-third-number. I searched raw logs and, yup, looks like they're all reading off the same script: I find the same set of seven requests in the same order. Most of them get a 403. Spot-checking reveals that they're sending one or more headers that trigger the bot_header environmental variable. Most robots are missing headers; this one's sending too many. The rest get a 404-- not because those WP files don't exist, although they don't, but because I return a manual 404 to almost all .php requests. (It's the same amount of work for the server as a 403, and conveys no information--or, better yet, conveys false information--to the visitor.)

fwiw, many of them come in with an enormously long cookie including the element “wordpress_test_cookie”. I do not know if this is due to malice or stupidity.

Edit: One unrelated robot uses the "Android 2.2)" element. But it's an image-search utility that I've never authorized ("robots.txt? Wha dat?"), so all they see anyway is the NO HOTLINKS image.
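As an added illustration (not code from either poster), the following Python script runs lucy24's narrower "Android 2\.2\)" pattern and TorontoBoy's seven-request sequence over a few constructed Apache combined-format log lines. The sample addresses are RFC 5737 documentation ranges and the log lines, the "human" Android 2.2.1 user-agent and the helper names are all made up for the example; the point is to show that the escaped closing parenthesis matches only the bare "Android 2.2)" string, and that the in-order probe sequence can be flagged independently of the user-agent.

```python
import re
from collections import defaultdict

# Narrow pattern from lucy24's reply: the escaped ")" right after "2.2" keeps
# "Android 2.2.1)" and other third-number variants (real handsets) out of the match.
FROYO_BOT_RE = re.compile(r"Android 2\.2\)")

# The seven admin probes from TorontoBoy's post, in the order they arrive.
PROBE_SEQUENCE = (
    "/wp-login.php",
    "/administrator/index.php",
    "/admin.php",
    "/bitrix/admin/index.php?lang=en",
    "/admin/login.php",
    "/admin/",
    "/user/",
)

# Apache "combined" log line: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The UA string from the thread, and a constructed "real handset" UA with a third version number.
FROYO_UA = ("Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 "
            "(KHTML, like Gecko) Version/4.0 Mobile Safari/533.1")
HUMAN_UA = ("Mozilla/5.0 (Linux; U; Android 2.2.1; en-us; Nexus One Build/FRG83) "
            "AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1")


def _log(ip, path, status, ua):
    # Builds one constructed sample line; this is not real traffic.
    return (f'{ip} - - [13/Mar/2017:12:59:00 +0000] "GET {path} HTTP/1.1" '
            f'{status} 123 "-" "{ua}"')


# Constructed sample log using RFC 5737 documentation addresses.
SAMPLE_LOG = (
    [_log("192.0.2.10", p, 403, FROYO_UA) for p in PROBE_SEQUENCE]
    + [_log("198.51.100.7", "/", 200, HUMAN_UA),
       _log("198.51.100.7", "/about.html", 200, HUMAN_UA),
       _log("203.0.113.5", "/wp-login.php", 404, FROYO_UA)]
)


def parse_line(line):
    """Return the named fields of a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def ua_is_froyo_bot(ua):
    """True for the bare 'Android 2.2)' string, False for 'Android 2.2.x' handsets."""
    return FROYO_BOT_RE.search(ua) is not None


def probe_sequence_ips(lines):
    """IPs whose requests contain the seven probes as an in-order subsequence
    (unrelated requests may be interleaved between them)."""
    paths_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            paths_by_ip[rec["ip"]].append(rec["path"])
    hits = []
    for ip, paths in paths_by_ip.items():
        it = iter(paths)  # "want in it" consumes the iterator, so order is enforced
        if all(want in it for want in PROBE_SEQUENCE):
            hits.append(ip)
    return sorted(hits)


def suspicious_ips(lines):
    """Map each flagged IP to a sorted list of reasons: 'froyo-ua', 'probe-sequence'."""
    reasons = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and ua_is_froyo_bot(rec["ua"]):
            reasons[rec["ip"]].add("froyo-ua")
    for ip in probe_sequence_ips(lines):
        reasons[ip].add("probe-sequence")
    return {ip: sorted(r) for ip, r in reasons.items()}


if __name__ == "__main__":
    for ip, why in suspicious_ips(SAMPLE_LOG).items():
        print(ip, ", ".join(why))
```

On the sample, 192.0.2.10 is flagged for both the user-agent and the full probe sequence, 203.0.113.5 only for the user-agent, and the Android 2.2.1 visitor is not flagged at all. The same narrow pattern is what the Apache line would carry if the full UA string in the earlier reply were shortened, i.e. `SetEnvIf User-Agent "Android 2\.2\)" keep_out`.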

keyplyr

12:01 am on Mar 14, 2017 (gmt 0)

@lucy24 - just a heads-up

If you serve a "NO HOTLINKS image" to unwanted image directories, you may be shooting yourself in the proverbial foot if you care much about getting traffic from images.

The "good" image directory (if there is such a thing) bots also crawl those "bad" image directories and will pick up those images and may attribute them to your site.


@TorontoBoy

This is most likely a bot using a fake UA. The requests are typical.

TorontoBoy

12:24 am on Mar 14, 2017 (gmt 0)

This is most likely a bot using a fake UA.

I'm a bit slow on the uptake. This UA has been bothering me for a number of years. I was banning it through IP, which takes more energy than banning by UA. I always feel somewhat cheated when I find out that I could have banned the whole shebang with the UA and not use IPs. There have been a couple of these "discoveries" since I joined WBW. Oh well, live and learn, better to learn today than not at all!

keyplyr

12:41 am on Mar 14, 2017 (gmt 0)

It's always an individual choice how you configure your site defenses. If you think you'll never get any legit traffic with that UA, then it may be the way to go.

BTW - if your site is HTTPS, valid Android 2.2 should not be making requests to your server since it's not supported. That may confirm the hits are from faked UAs.