User-agent: Mozlila (sic)

Typo or attempt to look legit?

         

Martin Potter

5:59 pm on Sep 12, 2022 (gmt 0)




My site has been hit lately, multiple times, using multiple IP addresses, probing for files and directories that do not exist on my site, by a prober with user-agent:
Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36

Yes, "Mozlila". And "Bulid" and "Moblie" Safari, too.

All hits claimed to be from referer www.google.com.

Am I just waking up to this clever typo, or has he been around for a while?

not2easy

6:08 pm on Sep 12, 2022 (gmt 0)




A few years at least, sorry to say. :( See (2020) [webmasterworld.com...]

I added it to my UA blocks.

Martin Potter

7:45 pm on Sep 12, 2022 (gmt 0)




Thanks, not2easy. Think I am awake now! I must have missed that thread in my quick search. (Note to self about quick searches ... )
I will block Mozlila now. Thanks again!

lucy24

7:59 pm on Sep 12, 2022 (gmt 0)




Heh. I took a quick look at raw logs to see if they're still active, because once blocked, things tend to be out of sight out of mind. Yup, still at it.

Interestingly, a significant majority of them--over 80%--give "www.google.com" [sic] as referer. Maybe they all bought the same ineptly coded script.

tangor

11:29 pm on Sep 12, 2022 (gmt 0)




Oddly enough, I have "google.com" (solo, nothing else) in my referer DENY for the same reason. I'll have to take another look to see if "www.google.com" deserves to be added.
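
Added example, not part of the thread or any poster's code: a log check for the two signals discussed above, the misspelled user-agent tokens and the scheme-less "www.google.com" / "google.com" referer. It assumes Apache/nginx combined log format; the sample lines, IP addresses and paths are constructed.

```python
import re
from collections import Counter

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Misspelled tokens quoted in the thread, matched case-sensitively as whole words.
TYPO_RE = re.compile(r'\b(Mozlila|Bulid|Moblie)\b')
# A real browser sends a full URL as referer; these bare hostnames are the thread's values.
BARE_REFERERS = {"www.google.com", "google.com"}

def classify(line):
    """Return (ip, reasons) for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    reasons = []
    typos = sorted(set(TYPO_RE.findall(m["ua"])))
    if typos:
        reasons.append("ua-typo:" + ",".join(typos))
    if m["referer"] in BARE_REFERERS:
        reasons.append("bare-referer:" + m["referer"])
    return m["ip"], reasons

def summarize(lines):
    """Flagged hits per IP, plus the share of typo-UA hits that also send a bare referer."""
    per_ip, typo_hits, typo_with_bare = Counter(), 0, 0
    for line in lines:
        result = classify(line)
        if not result or not result[1]:
            continue
        ip, reasons = result
        per_ip[ip] += 1
        if any(r.startswith("ua-typo") for r in reasons):
            typo_hits += 1
            typo_with_bare += any(r.startswith("bare-referer") for r in reasons)
    return per_ip, (typo_with_bare / typo_hits if typo_hits else 0.0)

# Constructed sample input: documentation IP ranges, made-up paths, UA string from the thread.
TYPO_UA = "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36"
SAMPLE = [
    f'203.0.113.10 - - [12/Sep/2022:17:00:01 +0000] "GET /no-such-dir/ HTTP/1.1" 404 196 "www.google.com" "{TYPO_UA}"',
    f'198.51.100.7 - - [12/Sep/2022:17:00:05 +0000] "GET /no-such-file.php HTTP/1.1" 404 196 "-" "{TYPO_UA}"',
    '192.0.2.44 - - [12/Sep/2022:17:01:00 +0000] "GET / HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0 (X11; Linux x86_64)"',
    f'203.0.113.10 - - [12/Sep/2022:17:02:09 +0000] "GET /no-such-dir/x HTTP/1.1" 404 196 "www.google.com" "{TYPO_UA}"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Running it against logs from before a block was put in place shows how many distinct IPs share the signature; keeping the two signals separate lets each be tuned independently.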