[Dshield] Single IP address hitting weblog as multiple browser types -- Anyone know why?

jmac jmac at securityninjamonkeys.com
Mon Oct 25 18:49:15 GMT 2004


Hey all,

Wondering if anyone has seen anything like this in their web log (redacted):

"Mozilla/4.0 (compatible; MSIE 5.0; Windows XP) Opera 6.01 [de]" "-" "-" "-"
"Mozilla/5.0 (Windows XP; U) Opera 6.01 [en]"" "-" "-" "-"
"Mozilla/5.0 (Windows XP; U) Opera 6.01 [en]"" "-" "-" "-"
"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.4.1 [Block] ) Gecko/20020508 Netscape6/6.2.3" "-" "-" "-"
"Mozilla/4.0 (compatible; MSIE 5.0; Windows XP) Opera 6.01 [de]" "-" "-" "-"
"Mozilla/4.76 [en] (WinNT; U)" "-" "-" "-"
"Mozilla/4.0 (compatible; MSIE 5.0; Windows XP) Opera 6.01 [de]" "-" "-" "-"
"Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.0) Gecko/20020530" "-" "-" "-"
"Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.0) Gecko/20020530" "-" "-" "-"
"Mozilla/4.0 (Windows NT 4.0)" "-" "-" "-"
"Opera/6.01 (Windows XP; U) [en]" "-" "-" "-"
"Mozilla/4.76 [en] (WinNT; U)" "-" "-" "-"
"Mozilla/4.0 (SunOS 5.8)" "-" "-" "-"
"Opera/6.01 (Windows XP; U) [en]" "-" "-" "-"
"Mozilla/4.76 [en] (WinNT; U)" "-" "-" "-"
"Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.0) Gecko/20020530" "-" "-" "-"
"Mozilla/5.0 (OS/2; U; Warp 4.5; en-US; rv:0.9.8) Gecko/20020204" "-" "-" "-"

Each of these entries were sourced from the same IP address hitting the 
webroot.  The time frame between these hits indicated it to be a fairly 
rapid bot/script.  My question is, does anyone know what tool does this, 
and does anyone know WHY someone would do this?

Jmac
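
Added example, not part of the original post: a log check for the pattern described above, flagging any source IP that presents several distinct User-Agent strings within a short window. It assumes Apache "combined" format rather than the poster's redacted format; the sample lines, documentation-range IPs, function names and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed layout (Apache "combined"): ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def parse(line):
    """Return (ip, timestamp, user_agent), or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ua"]

def rotating_agents(lines, window=timedelta(seconds=60), min_agents=4):
    """Map each flagged IP to the most distinct User-Agents it used inside any one window."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            hits[rec[0]].append(rec[1:])
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        best = start = 0
        for end in range(len(events)):
            # Slide the window start forward until it is within `window` of the current hit.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({ua for _, ua in events[start:end + 1]}))
        if best >= min_agents:
            flagged[ip] = best
    return flagged

# Constructed sample data; the User-Agent strings are taken from the log excerpt above.
UAS = ["Mozilla/4.76 [en] (WinNT; U)", "Opera/6.01 (Windows XP; U) [en]",
       "Mozilla/4.0 (SunOS 5.8)", "Mozilla/4.0 (Windows NT 4.0)",
       "Mozilla/4.0 (compatible; MSIE 5.0; Windows XP) Opera 6.01 [de]"]

def _line(ip, hms, ua):
    return f'{ip} - - [25/Oct/2004:{hms} +0000] "GET / HTTP/1.0" 200 512 "-" "{ua}"'

SAMPLE = ([_line("192.0.2.10", f"18:49:0{i}", ua) for i, ua in enumerate(UAS)]      # rapid rotation
          + [_line("198.51.100.7", f"18:49:1{i}", UAS[0]) for i in range(3)]        # one browser
          + [_line("203.0.113.5", f"{10 + i}:00:00", ua) for i, ua in enumerate(UAS)])  # shared proxy, hours apart

if __name__ == "__main__":
    print(rotating_agents(SAMPLE))
```

The time window is what separates a rotating script from a proxy or NAT address shared by several real browsers, which shows many agents but spread over hours.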
