Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: User Agent String "$ua.tools.random()" ? :-) ! SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
User Agent String "$ua.tools.random()" ? :-) !

For many years I've observed requests for page license.php on my webservers, from various IPs and with various User Agent Strings:

-
"Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; MRA 4.4 (build 01334))"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
"Mozilla/4.0 (compatible; Synapse)"
Mozilla/5.0
"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0"
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36
Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.345.930 Safari/535.1
"Mozilla/5.0 (Windows NT 6.0; rv:16.0) Firefox/13.0"
"Mozilla/5.0 (Windows NT 6.0; rv:16.0) Gecko/20130722 Firefox/16.0"
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.99 Safari/537.36"
"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"
"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0"
"Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"
"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6 (.NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
"Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.35 Safari/537.36"
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36."
Opera/9.15

 

A couple of days ago (September 12th), I got 3 requests with User Agent String "$ua.tools.random()" (IP 178.137.93.108).

This must be a configuration error: it looks like an expression to select a random User Agent String.

Please post a comment is you recognize this type of expression ($ua.tools.random()), and know which tool or programming language this is.

 

Didier Stevens

Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

 DidierStevens

460 Posts
ISC Handler
Sep 15th 2018
Subscribe Sep 15th 2018
1 year ago
This IP looks like it's a habitual WordPress vulnerability scanner....
https://www.abuseipdb.com/check/178.137.93.108

Can't find the specific library being used, but looks pretty custom - no library would used the method name .tools.random to return a User Agent. 'tools' is way too generic a term for something that specific.....

LL&P
Dom McIntyre De Vitto
 DomMcIntyreDeVitto

41 Posts
Quote Sep 16th 2018
1 year ago
Doing a search for $ua.tools.random gives me the following link: https://www.webhostingtalk.nl/beveiliging/186059-brute-force-login-attacks-user-agent-tools-ua-random.html

It's not exactly the same, but everything I read suggests there is some tool doing all kinds of Wordpress scan stuff that is being used here.

Jan Hugo
 Anonymous
Quote Sep 17th 2018
1 year ago
Thanks for that link Jan Hugo.
 DidierStevens

460 Posts
ISC Handler
Quote Sep 20th 2018
1 year ago

Sign Up for Free or Log In to start participating in the conversation!