Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: User Agent String "$ua.tools.random()" ? :-) ! - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
User Agent String "$ua.tools.random()" ? :-) !

For many years I've observed requests for page license.php on my webservers, from various IPs and with various User Agent Strings:

-
"Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; MRA 4.4 (build 01334))"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
"Mozilla/4.0 (compatible; Synapse)"
Mozilla/5.0
"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0"
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36
Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.345.930 Safari/535.1
"Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
"Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.99 Safari/537.36"
"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0"
"Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"
"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 (.NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
"Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.35 Safari/537.36"
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36."
Opera/9.15

 

A couple of days ago (September 12th), I got 3 requests with User Agent String "$ua.tools.random()" (IP 178.137.93.108).

This must be a configuration error: it looks like an expression to select a random User Agent String.

Please post a comment is you recognize this type of expression ($ua.tools.random()), and know which tool or programming language this is.

 

Didier Stevens

Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

 DidierStevens

383 Posts
ISC Handler
Subscribe Sep 15th 2018
11 months ago
This IP looks like it's a habitual WordPress vulnerability scanner....
https://www.abuseipdb.com/check/178.137.93.108

Can't find the specific library being used, but looks pretty custom - no library would used the method name .tools.random to return a User Agent. 'tools' is way too generic a term for something that specific.....

LL&P
Dom McIntyre De Vitto
 DomMcIntyreDeVitto

41 Posts
Quote Sep 16th 2018
11 months ago
Doing a search for $ua.tools.random gives me the following link: https://www.webhostingtalk.nl/beveiliging/186059-brute-force-login-attacks-user-agent-tools-ua-random.html

It's not exactly the same, but everything I read suggests there is some tool doing all kinds of Wordpress scan stuff that is being used here.

Jan Hugo
 Anonymous
Quote Sep 17th 2018
11 months ago
Thanks for that link Jan Hugo.
 DidierStevens

383 Posts
ISC Handler
Quote Sep 20th 2018
10 months ago

Sign Up for Free or Log In to start participating in the conversation!