
I found the following interesting traffic in my Apache log:

213.159.213.236 - - [16/Dec/2019:03:02:03 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.7.01001)"
213.159.213.236 - - [16/Dec/2019:03:02:19 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.7.01001)"
213.159.213.236 - - [16/Dec/2019:03:02:25 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36"
213.159.213.236 - - [16/Dec/2019:03:02:40 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
213.159.213.236 - - [16/Dec/2019:03:02:48 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]"
213.159.213.236 - - [16/Dec/2019:03:03:06 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8"
213.159.213.236 - - [16/Dec/2019:03:04:22 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.7.01001)"
213.159.213.236 - - [16/Dec/2019:03:04:36 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
213.159.213.236 - - [16/Dec/2019:03:04:51 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9"
213.159.213.236 - - [16/Dec/2019:03:05:06 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0"
213.159.213.236 - - [16/Dec/2019:03:05:26 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246"
213.159.213.236 - - [16/Dec/2019:03:05:37 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36"
213.159.213.236 - - [16/Dec/2019:03:07:23 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]"
213.159.213.236 - - [16/Dec/2019:03:07:37 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]"
213.159.213.236 - - [16/Dec/2019:03:07:57 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36"
213.159.213.236 - - [16/Dec/2019:03:08:07 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
213.159.213.236 - - [16/Dec/2019:03:08:22 -0500] "GET / HTTP/1.1" 200 3797 "-" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.289 Version/12.01"
213.159.213.236 - - [16/Dec/2019:03:08:26 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
213.159.213.236 - - [16/Dec/2019:03:09:13 -0500] "GET / HTTP/1.1" 200 3797 "-" "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.289 Version/12.01"
213.159.213.236 - - [16/Dec/2019:03:09:24 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
213.159.213.236 - - [16/Dec/2019:03:09:35 -0500] "GET / HTTP/1.1" 200 3797 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.7.01001)"

What is the point of this? What is this attacker trying to accomplish by pretending to run the Bork edition of Opera from 2003, or still using Firefox 3.6 on Ubuntu 10.04? Is it simply to poison any site statistics I might have on my visitors? If so, wouldn't it make sense to spoof a more likely user agent, like IE 8.0...?

I'm hoping for any insights you might have.

Logg
  • This might be more appropriate for security.stackexchange.com instead. You might get an off-topic here. Also, it's probably a good idea to scrub the IP addresses (replacing the last octet with .x.x should be good enough). – djsumdog Dec 16 '19 at 18:44
  • Yea, I thought about scrubbing the IP, but it's been reported like 100 times in the IP abuse database, so it's not actually an IP I need to protect. Thanks for the security.stackexchange.com URL, didn't know that existed. – Logg Dec 17 '19 at 06:25

2 Answers

When dealing with sources of malicious traffic, systems administrators can go by two readily available metrics in order to ban someone:

  • IP address
  • User-agent string

Normally, the rule would be "if $IP = x.x.x.x AND $USER_AGENT = yyy then return 403 and exit". Therefore, malicious scanners try to make sure that both their IP and their user-agent are different between requests:

  • they use a distributed network of zombie devices to proxy their traffic through thousands of different IPs
  • they rotate user-agent strings to make sure they are never the same (but still reasonably believable)
mricon

We cannot possibly explain the motives of some almost anonymous user agent on the Internet.

Could be a malicious actor amusing themselves with a user agent generator. Could be a somewhat benign survey of server behavior with different user agents. Could be a NAT behind which is the most bizarre selection of old browsers.

Block the IP or throw out the user agent outliers, if you care. It is noise. Trying to see signal in it may not be very productive.

John Mahowald