For many years I've observed requests for page license.php on my webservers, from various IPs and with various User Agent Strings:

"Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; MRA 4.4 (build 01334))"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
"Mozilla/4.0 (compatible; Synapse)"
Mozilla/5.0
"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0"
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36
Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.345.930 Safari/535.1
"Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
"Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.99 Safari/537.36"
"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0"
"Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"
"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 (.NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
"Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.35 Safari/537.36"
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36."
Opera/9.15

A couple of days ago (September 12th), I got 3 requests with User Agent String "$ua.tools.random()" (IP 178.137.93.108). This must be a configuration error: it looks like an expression to select a random User Agent String. Please post a comment if you recognize this type of expression ($ua.tools.random()), and know which tool or programming language this is.
Didier Stevens Senior handler |
DidierStevens 533 Posts ISC Handler Sep 15th 2018 |
Sep 15th 2018 2 years ago |
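A log check for the situation the diary describes, a User Agent field that contains an unrendered expression instead of a browser string. This is an added example, not code from the diary or from any tool discussed in the thread. It assumes the Apache/nginx "combined" log format; only the $ua.tools.random() form comes from the diary, the other placeholder styles are assumed generic template syntaxes, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log line; the User-Agent is the last quoted field.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>.*)"$')

# A User-Agent that consists entirely of a template expression was never rendered.
# Only the first form appears in the diary; the others are assumed, generic styles.
PLACEHOLDERS = {
    "dollar-expr": re.compile(r'\$[A-Za-z_][\w.]*(?:\([^)]*\))?'),  # $ua.tools.random()
    "dollar-brace": re.compile(r'\$\{[^}]+\}'),                      # ${user_agent}
    "mustache": re.compile(r'\{\{[^}]+\}\}'),                        # {{ user_agent }}
    "percent": re.compile(r'%[A-Za-z_]\w*%'),                        # %USER_AGENT%
}

def classify_ua(ua):
    """Return the placeholder style the whole UA matches, or None."""
    ua = ua.strip()
    for kind, rx in PLACEHOLDERS.items():
        if rx.fullmatch(ua):
            return kind
    return None

def find_placeholder_uas(lines):
    """Map client IP -> [(path, ua, kind)] for requests with an unrendered UA."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not combined format; skip rather than guess
        kind = classify_ua(m.group("ua"))
        if kind:
            parts = m.group("request").split()
            path = parts[1] if len(parts) > 1 else m.group("request")
            hits[m.group("ip")].append((path, m.group("ua"), kind))
    return dict(hits)

# Constructed sample log lines (documentation IP ranges, not taken from the diary).
SAMPLE = [
    '203.0.113.7 - - [12/Sep/2018:04:11:02 +0000] "GET /license.php HTTP/1.1" 404 209 "-" "$ua.tools.random()"',
    '203.0.113.7 - - [12/Sep/2018:04:11:09 +0000] "GET /license.php HTTP/1.1" 404 209 "-" "$ua.tools.random()"',
    '198.51.100.20 - - [12/Sep/2018:05:00:00 +0000] "GET /license.php HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"',
    '192.0.2.44 - - [12/Sep/2018:06:30:10 +0000] "GET / HTTP/1.1" 200 512 "-" "{{ user_agent }}"',
    'truncated line without the expected fields',
]

print(find_placeholder_uas(SAMPLE))
```

Matching the whole field rather than a substring keeps ordinary browser strings from being flagged; the bare "Mozilla/5.0" and "Opera/9.15" values listed in the diary are not placeholders and pass through unflagged.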
This IP looks like it's a habitual WordPress vulnerability scanner....
https://www.abuseipdb.com/check/178.137.93.108
Can't find the specific library being used, but looks pretty custom - no library would use the method name .tools.random to return a User Agent. 'tools' is way too generic a term for something that specific.....
LL&P Dom McIntyre De Vitto
DomMcIntyreDeVitto 45 Posts |
Sep 16th 2018 2 years ago |
Doing a search for $ua.tools.random gives me the following link: https://www.webhostingtalk.nl/beveiliging/186059-brute-force-login-attacks-user-agent-tools-ua-random.html
It's not exactly the same, but everything I read suggests there is some tool doing all kinds of WordPress scan stuff that is being used here.
Jan Hugo
Anonymous |
Sep 17th 2018 2 years ago |
Thanks for that link Jan Hugo.
DidierStevens 533 Posts ISC Handler |
Sep 20th 2018 2 years ago |