Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Register

Quick Links


Categories

In this Discussion

Have you seen this user-agent string?
New on LowEndTalk? Please Register and read our Community Rules.

Have you seen this user-agent string?

howardsl2howardsl2 Member
edited February 2014 in General

In my web server logs, there appear to be a particular user-agent coming from hundreds of different IPs, with requests always being ("GET / HTTP/1.1"), and referrers being empty. A quick search for some of the IPs on google turns out that they are on various spam blocklists. I am thinking that maybe this is a botnet visiting people's websites? I wonder if anyone else noticed this.

Here's the "exact" user-agent string I'm referring to:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)

Comments

  • NeoonNeoon Member, Community Contributor

    Maybe HTTPTrack where you can download websites?

  • SilvengaSilvenga Member

    Looks just like the standard Internet Explorer 9 (Trident/5.0) running on Windows 7 (NT 6.1) running in compatibility mode (MSIE 7.0). This could be from any IE based browser (or .net application - sends the same user agent).

    Is the IP within an ISP subnet?

  • howardsl2howardsl2 Member
    edited February 2014

    @Silvenga said:
    Is the IP within an ISP subnet?

    No, they are from all over the world. Here's an exerpt of the log from last few days, with only the user-agent in question:

    112.36.166.X - - [19/Feb/2014:21:19:53 -0600] "GET / HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "-"
218.29.216.X - - [19/Feb/2014:21:22:10 -0600] "GET / HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "-"
123.205.17.X - - [19/Feb/2014:21:22:52 -0600] "GET / HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "-"
61.159.57.X - - [19/Feb/2014:21:28:16 -0600] "GET / HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "-"
111.16.105.X - - [19/Feb/2014:21:30:58 -0600] "GET / HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "-"
103.31.144.X - - [20/Feb/2014:00:06:43 -0600] "GET / HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "-"
27.43.101.X - - [20/Feb/2014:03:17:14 -0600] "GET / HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "-"
124.135.231.X - - [20/Feb/2014:03:19:19 -0600] "GET / HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "-"
78.189.108.X - - [20/Feb/2014:07:08:58 -0600] "GET / HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "-"
222.247.38.X - - [20/Feb/2014:07:09:09 -0600] "GET / HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "-"
49.122.70.X - - [20/Feb/2014:07:21:27 -0600] "GET / HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "-"
27.186.119.X - - [21/Feb/2014:08:55:11 -0600] "GET / HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "-"
122.121.20.X - - [21/Feb/2014:08:58:39 -0600] "GET / HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "-"
122.165.226.X - - [21/Feb/2014:09:03:29 -0600] "GET / HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "-"
117.164.183.X - - [21/Feb/2014:09:08:26 -0600] "GET / HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "-"
92.85.92.X - - [21/Feb/2014:09:17:55 -0600] "GET / HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "-"
222.189.57.X - - [22/Feb/2014:11:51:57 -0600] "GET / HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "-"
60.10.57.X - - [22/Feb/2014:11:52:22 -0600] "GET / HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "-"
27.46.77.X - - [22/Feb/2014:11:54:03 -0600] "GET / HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "-"
112.247.82.X - - [22/Feb/2014:12:02:27 -0600] "GET / HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "-"
101.16.78.X - - [23/Feb/2014:04:01:30 -0600] "GET / HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "-"
110.174.143.X - - [23/Feb/2014:04:06:15 -0600] "GET / HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "-"
183.218.34.X - - [23/Feb/2014:04:06:19 -0600] "GET / HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "-"
122.159.36.X - - [23/Feb/2014:04:08:54 -0600] "GET / HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "-"
58.100.108.X - - [23/Feb/2014:04:10:26 -0600] "GET / HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "-"
111.251.166.X - - [23/Feb/2014:04:11:23 -0600] "GET / HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "-"
124.132.161.X - - [23/Feb/2014:04:16:33 -0600] "GET / HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "-"
61.172.115.X - - [23/Feb/2014:19:36:37 -0600] "GET / HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "-"
123.171.52.X - - [23/Feb/2014:20:00:49 -0600] "GET / HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "-"
111.248.183.X - - [23/Feb/2014:22:06:05 -0600] "GET / HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "-"
60.223.234.X - - [24/Feb/2014:08:35:05 -0600] "GET / HTTP/1.1" 200 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)" "-"
  • MagiobiwanMagiobiwan Member

    Probably a Windows based botnet. The fact it's using IE9 indicates that updates likely haven't been installed in a while.

    Thanked by 2howardsl2 Gunter
Sign In or Register to comment.