strange browser string (Mozilla/4.0 ... compatible)
I've noticed in my logs some strange behaviour from a few rare clients.
Things appear normal at first; I see a Chrome browser sending requests like:
"GET /favicon.ico HTTP/1.1" 200 1406 "mydomain.com" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36"
Then all of a sudden, I see a flurry of requests (about 50+ requests) all within a second or two, like:
"GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible;)"
You see a 404 here because my modsec2 rules block these kinds of fake browser strings. But it is strange: what kind of client generates 50+ requests like that after what appears to be a normal user session/browsing? Is it some kind of trojan/virus/rootkit that sends additional requests behind the user's back? Or is it some proxy/accelerator trying to play it clever and download stuff ahead of time? Any help would be appreciated. Thank you.
You're probably getting a 404 because the favicon.ico doesn't exist for that domain.
That is irrelevant to my question and as I already mentioned above, the 404 comes from my custom modsec2 rules that block fake browser strings. My question is, what kind of software (legitimate or otherwise) produces such silly browser strings and if anyone has seen it before.
[quote="sehh, post: 1606022"]That is irrelevant to my question and as I already mentioned above, the 404 comes from my custom modsec2 rules that block fake browser strings. My question is, what kind of software (legitimate or otherwise) produces such silly browser strings and if anyone has seen it before.[/quote]
Wow, ok, good luck.
[quote="sehh, post: 1606022"]... My question is, what kind of software (legitimate or otherwise) produces such silly browser strings and if anyone has seen it before.[/quote]
Seen it before? Yes, sure. Google it, "Mozilla/4.0 (compatible;)", and see 81 million more. What kind of software produces this? A malware-compromised computer with an edited User Agent string might do this. Proxy applications that prefetch your nonexistent favicon might do this, for example. This isn't a cPanel issue though; do some homework on the topic.
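To see which clients show the pattern described in this thread (a normal browser session followed by 50+ `Mozilla/4.0 (compatible;)` requests within a second or two), the access log can be scanned per client IP. This is an added example, not code from the thread; it assumes Apache combined log format, and the sample lines, IP addresses and timestamps are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format (assumed); the thread's excerpts show only its tail.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
STUB_UA = "Mozilla/4.0 (compatible;)"   # the string quoted in the thread

def find_stub_bursts(lines, window_s=2, min_hits=50):
    """Map ip -> (largest stub-UA burst within window_s seconds, browser UA seen earlier?)."""
    stub_times = defaultdict(list)
    first_full = {}          # ip -> time of first request with a non-stub UA
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue         # skip malformed lines rather than guessing
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["ua"] == STUB_UA:
            stub_times[m["ip"]].append(ts)
        else:
            first_full.setdefault(m["ip"], ts)
    findings = {}
    for ip, times in stub_times.items():
        times.sort()
        best, lo = 0, 0
        for hi, t in enumerate(times):      # sliding window over sorted times
            while t - times[lo] > timedelta(seconds=window_s):
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_hits:
            prior = ip in first_full and first_full[ip] < times[0]
            findings[ip] = (best, prior)
    return findings

def sample_log():
    """Constructed sample lines (documentation IPs, made-up timestamps)."""
    chrome = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
              "Chrome/33.0.1750.154 Safari/537.36")
    fmt = '{ip} - - [{ts} +0000] "GET /favicon.ico HTTP/1.1" {st} {sz} "{ref}" "{ua}"'
    out = [fmt.format(ip="203.0.113.7", ts="01/Apr/2014:10:00:00", st=200, sz=1406,
                      ref="mydomain.com", ua=chrome)]
    out += [fmt.format(ip="203.0.113.7", ts=f"01/Apr/2014:10:00:{5 + i // 30:02d}",
                       st=404, sz="-", ref="-", ua=STUB_UA) for i in range(55)]
    out.append(fmt.format(ip="198.51.100.9", ts="01/Apr/2014:10:01:00", st=404,
                          sz="-", ref="-", ua=STUB_UA))   # lone stub hit, not a burst
    return out
```

A shared IP (NAT or an upstream proxy) can make two different machines look like one client, so the "browser UA seen earlier" flag is a lead for further checking rather than proof that the same host sent both kinds of request.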