Firefox on Mac User-agent -> version number is 4-digit hex value

Seeing coordinated bot activity

12:49 pm on Aug 14, 2019 (gmt 0)

Junior Member


joined:Sept 8, 2016
posts:95
votes: 0


Don't know if what I'm seeing is new or known or useful. Yesterday I searched my web logs for this string:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:6

This is Firefox browser running on a Mac. I was looking for examples similar to this:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:62.0) Gecko/20100101 Firefox/62.0

What I found was this:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:63.0) Gecko/20100101 Firefox/63.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:62.0) Gecko/20100101 Firefox/62.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:65.0) Gecko/20100101 Firefox/65.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:67.0) Gecko/20100101 Firefox/67.0

Hits where FF version is 63 are only seen in Dec 2018. Maybe 3 hits. Hits where FF version is 65 are only seen April / May this year. Only 2 hits. Hits where FF version is 67 happened only once - in July. This was the only hit to my website (landing page). All other hits were direct to pdf files on my site. I presume that Gecko/20100101 is correct / legit.

In brief:

I see very very few hits from Firefox 6x running on a Mac. For what I know are legit hits, I'm only seeing FF version 63, 65 and 67. Why no other versions of FF, I don't know.

The hits from FF 62 are different. First time I see it (March 14 from 23.233.136.60) the UA is this:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:62.0) Gecko/20100101 Firefox/62.0

It requests robots.txt and my landing file (default.html). No referrer. Anything that requests just my landing file is suspicious. A normal hit should request 28 additional .gif files.

But get this: 6 days later, at exactly the same second, two different IP's (66.91.4.47 and 35.3.1.43) request the same pdf file from my site. The UA's are:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:62.0) Gecko/20100101 Firefox/1C76
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:62.0) Gecko/20100101 Firefox/5DD5

Note how the version has changed on the end of the UA to a 4-character hex value.

Once more in June, and then 10 times this month so far, I'm seeing direct hits to PDF's on my site, where the UA is similar (i.e. with a 4-digit hex value). Of these 10, only 1 example of a hit from 2 different IP's to the same PDF (this time 13 minutes apart) - from 146.198.209.66 and 221.165.27.22. Why two hits? Because I gave the first hit a 403 (denied). It was part of a CIDR I was blocking for some reason.

So I'm obviously observing coordinated bot activity here. All these dozen or so IP's are from residential ISP's scattered around the globe. Why they're interested in my PDF files, I don't know.

My last question - is FF on MAC user-agent proper or legit when it ends with a 4-digit hex value? If yes - what is the intended function of that? If no, why would a bot generate such a UA?
4:44 pm on Aug 14, 2019 (gmt 0)

Senior Member from US (lucy24)

joined:Apr 9, 2011
posts:15756
votes: 828


Nope, FF for Mac uses ordinary sequential numbers just like everyone else. Mine's currently 68.blahblah; so far FF (unlike Chrome) hasn't tried to claim that my OS is too old to support the latest version.

Can't remember what triggered it in the first place, but I've got a longstanding block on
Firefox/\D
(non-digit version number, alongside all versions through 35)
which could easily be expanded to
Firefox/\d\D

:: quick detour to logs ::

Whoops! I forgot that . is also a non-digit, leading to thousands of putative FF/5 for all the good it does them. I do find a few of the kind you describe, though mine all claim to be Linux like
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/4E2F
all from the early months of this year, all blocked.

why would a bot generate such a UA?
Typo in the script, probably.

Edit: Looking for Firefox/\D I find a scattering of
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:x.x.x) Gecko/20041107 Firefox/x.x
which simply cries out Inept Botrunner ;)
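The regex question in the post above (why Firefox/\D misses the hex tails, and why Firefox/\d\D catches real FF 5.0 because "." is a non-digit) is easy to check mechanically. The following is an added example, not code from the thread or from any WebmasterWorld member: it classifies the Firefox/<tail> token of a UA string and reports which of the two quoted patterns fire. The sample UA strings are constructed from the ones quoted in the thread plus a real Firefox 5.0 UA and an all-letter hex tail; the category names and the anchored "dotted numeric version" rule are my own assumptions.

```python
import re

# Real Firefox tails are dotted numbers: Firefox/62.0, Firefox/68.0.2, Firefox/3.6.13.
# Requiring at least one dot keeps a four-digit decimal tail such as "Firefox/5555" out.
REAL_VERSION = re.compile(r"Firefox/\d+(?:\.\d+)+$")
# The bot tails seen in the thread: exactly four hex characters, e.g. Firefox/1C76.
HEX_TAIL = re.compile(r"Firefox/[0-9A-Fa-f]{4}$")
# The two block patterns quoted in the post above, exactly as written there (unanchored).
BLOCK_NONDIGIT = re.compile(r"Firefox/\D")
BLOCK_DIGIT_NONDIGIT = re.compile(r"Firefox/\d\D")


def classify_firefox_tail(ua):
    """Label the Firefox/<tail> token at the end of a user-agent string.

    Returns "not-firefox", "legit", "hex", "placeholder" (x.x style) or "odd".
    Order matters: the dotted-numeric test runs first so "Firefox/62.0" is never
    mistaken for a hex tail, then the hex test, then the "x.x" placeholder test.
    """
    m = re.search(r"Firefox/(\S+)$", ua)
    if not m:
        return "not-firefox"
    tail = m.group(1)
    if REAL_VERSION.search(ua):
        return "legit"
    if HEX_TAIL.search(ua):
        return "hex"
    if re.fullmatch(r"[xX](\.[xX])+", tail):
        return "placeholder"
    return "odd"  # anything else (e.g. "4.0b9"): worth a manual look


def should_block(ua):
    """Block policy (assumed): any Firefox tail that is not a dotted numeric version."""
    return classify_firefox_tail(ua) in ("hex", "placeholder", "odd")


def block_rule_matches(ua):
    """Show which of the quoted block patterns fire, next to the anchored policy."""
    return {
        r"Firefox/\D": bool(BLOCK_NONDIGIT.search(ua)),
        r"Firefox/\d\D": bool(BLOCK_DIGIT_NONDIGIT.search(ua)),
        "anchored": should_block(ua),
    }


# Constructed sample UAs: the kinds quoted in the thread, a real FF 5.0 UA, and an
# all-letter hex tail (not from the thread) that Firefox/\d\D cannot catch.
SAMPLE_UAS = [
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:62.0) Gecko/20100101 Firefox/62.0",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:62.0) Gecko/20100101 Firefox/1C76",
    "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/4E2F",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:x.x.x) Gecko/20041107 Firefox/x.x",
    "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/ABCD",
]


def tally(uas=SAMPLE_UAS):
    """Count UA strings per category, the way one would summarise a log extract."""
    counts = {}
    for ua in uas:
        label = classify_firefox_tail(ua)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for ua in SAMPLE_UAS:
        print(classify_firefox_tail(ua).ljust(12), block_rule_matches(ua), ua[-14:])
    print(tally())
```

Running it shows the two failure modes in one table: Firefox/\d\D is true for the real "Firefox/5.0" UA (the thousands of putative FF/5 mentioned above) and false for "Firefox/ABCD", while Firefox/\D is false for every hex tail that begins with a digit. An anchored "must be a dotted numeric version" rule has neither problem.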
5:08 pm on Aug 14, 2019 (gmt 0)

Senior Member


joined:Aug 30, 2002
posts: 2661
votes: 103


Looks like a botnet. I've seen it as well and it was attempting to download hundreds of thousands of pages a day. It was coming mainly from ISPs where PCs seem to have open proxies. The hexadecimal value seemed to be part of some kind of coordination as to different bots having lists of files to download. During the worst of the activity, I had to block entire countries by IP address.

Regards...jmcc
1:38 am on Aug 16, 2019 (gmt 0)

Junior Member


joined:Sept 8, 2016
posts:95
votes: 0


Since 2015 I have 116 examples of user-agents that end with:

Gecko/20100101 Firefox/hhhh

where hhhh is a 4-character hex number. 99 of those 116 are:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv: nn)

Where nn is either 51.0, 55.0 or 62.0. These 99 Mac examples start March 28 / 2017 and seem evenly spaced right up to a day or two ago. The remaining 18 examples start with one of these:

Mozilla/5.0 (Windows NT 5.1; rv:30)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40)
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56)

Those were logged in 2015, 2017 and 2018. So none this year. Those 18 are also different in that they only request my landing file (default.html) or wp-login.php or /wp-admin/ (which I don't have).

The 99 Mac hits have a pattern to them. They only request PDF files. I will see 2 or 3 requests for the same PDF file on the same day, each request from a different IP. Doing a reverse lookup on them - they all seem to be consumer ISP's distributed across the globe. Various telecom and cable companies. I see one instance of an institutional IP (wireless.umich.net) and one instance of a hoster (OVH).

Half of the Mac hits did not have a referrer. They started to include a referrer in Nov 2017 but then dropped it at the end of 2018. The referrer being used was //scholar.google.ca - which would be legit because the PDF's in question were scientific research papers. Normally when a PDF is requested so is favicon.ico but none of these bot hits are doing that.
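The pattern described in the first post and in the post above (the same PDF fetched by two or more different IPs within a short window, a four-hex-character Firefox tail, and no accompanying favicon.ico request) can be pulled out of an access log automatically. The following is an added example, not code from the thread or from any WebmasterWorld member: a single pass over Apache combined-format log lines that reports those clusters. The log lines are constructed (RFC 5737 documentation addresses, invented paths and sizes) to mirror the behaviour the thread describes; the 15-minute window, the field names and the "no favicon" heuristic are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format; the named groups are the only fields used below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Bot tail as seen in the thread: Firefox/1C76, Firefox/5DD5, Firefox/4E2F.
HEX_FIREFOX = re.compile(r"Firefox/[0-9A-Fa-f]{4}$")

# Constructed sample log (RFC 5737 addresses, invented paths); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Mar/2019:10:15:03 +0000] "GET /papers/alpha.pdf HTTP/1.1" 200 512000 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:62.0) Gecko/20100101 Firefox/1C76"
198.51.100.7 - - [20/Mar/2019:10:15:03 +0000] "GET /papers/alpha.pdf HTTP/1.1" 200 512000 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:62.0) Gecko/20100101 Firefox/5DD5"
203.0.113.5 - - [20/Mar/2019:11:02:10 +0000] "GET /papers/alpha.pdf HTTP/1.1" 200 512000 "https://scholar.google.ca/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:67.0) Gecko/20100101 Firefox/67.0"
203.0.113.5 - - [20/Mar/2019:11:02:11 +0000] "GET /favicon.ico HTTP/1.1" 200 1150 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:67.0) Gecko/20100101 Firefox/67.0"
198.51.100.9 - - [20/Mar/2019:12:00:00 +0000] "GET /papers/beta.pdf HTTP/1.1" 403 199 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/4E2F"
203.0.113.77 - - [20/Mar/2019:12:13:00 +0000] "GET /papers/beta.pdf HTTP/1.1" 200 301000 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/9A0B"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["hex_ua"] = bool(HEX_FIREFOX.search(rec["ua"]))
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def _emit(clusters, path, run):
    """Record a run of requests for `path` if it came from 2+ distinct IPs."""
    ips = sorted({r["ip"] for r in run})
    if len(ips) >= 2:
        clusters.append({
            "path": path,
            "ips": ips,
            "span_s": int((run[-1]["ts"] - run[0]["ts"]).total_seconds()),
            "hex_only": all(r["hex_ua"] for r in run),  # every hit used a hex tail
        })


def pdf_clusters(records, window=timedelta(minutes=15)):
    """Same PDF, several IPs: split each path's requests into runs where each
    request is within `window` of the previous one, then keep multi-IP runs."""
    by_path = defaultdict(list)
    for r in records:
        if r["path"].lower().endswith(".pdf"):
            by_path[r["path"]].append(r)
    clusters = []
    for path, recs in sorted(by_path.items()):
        recs.sort(key=lambda r: r["ts"])
        run = [recs[0]]
        for r in recs[1:]:
            if r["ts"] - run[-1]["ts"] <= window:
                run.append(r)
            else:
                _emit(clusters, path, run)
                run = [r]
        _emit(clusters, path, run)
    return clusters


def ips_without_favicon(records):
    """IPs that fetched a PDF but never /favicon.ico (a browser normally fetches both)."""
    pdf_ips = {r["ip"] for r in records if r["path"].lower().endswith(".pdf")}
    fav_ips = {r["ip"] for r in records if r["path"] == "/favicon.ico"}
    return sorted(pdf_ips - fav_ips)


def report(text, window=timedelta(minutes=15)):
    recs = parse_log(text)
    return {
        "clusters": pdf_clusters(recs, window),
        "hex_ips": sorted({r["ip"] for r in recs if r["hex_ua"]}),
        "no_favicon": ips_without_favicon(recs),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(report(SAMPLE_LOG), indent=2))
```

On the sample, alpha.pdf yields one cluster (two IPs in the same second, both hex tails; the real browser 47 minutes later falls outside the window) and beta.pdf yields the 403-then-retry case from the thread (two IPs 13 minutes apart). The favicon check separates the same IPs from the one genuine visitor. Run it over a real log with `report(open("access.log").read())`; the window and the favicon heuristic are tuning knobs, not hard rules, since some legitimate PDF viewers also skip the favicon.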