strange browser string (Mozilla/4.0 ... compatible)

sehh

sehh

Well-Known Member
Feb 11, 2006
579
6
168
Europe
I've noticed in my logs some strange behaviour from a few rare clients.

Things appear normal at first, I see a Chrome browser sending requests like:

Code: 
"GET /favicon.ico HTTP/1.1" 200 1406 "mydomain.com" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36"
Then all of a sudden, I see a flurry of requests (about 50+ requests) all within a second or two, like:

Code: 
"GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible;)"
You see a 404 here because my modsec2 rules block these kind of fake browser strings. But it is strange, what kind of client generates 50+ requests like that after what appears to be a normal user session/browsing?

Is it some kind of trojan/virus/rootkit that sends additional requests behind the users back? Or is it some proxy/accelerator trying to play it clever and download stuff ahead of time?

Any help would be appreciated.

Thank you.
 
sehh

sehh

Well-Known Member
Feb 11, 2006
579
6
168
Europe
That is irrelevant to my question and as I already mentioned above, the 404 comes from my custom modsec2 rules that block fake browser strings.

My question is, what kind of software (legitimate or otherwise) produces such silly browser strings and if anyone has seen it before.
 
rhenderson

rhenderson

Well-Known Member
Apr 21, 2005
784
2
168
Oklahoma
cPanel Access Level
Root Administrator
sehh said:
That is irrelevant to my question and as I already mentioned above, the 404 comes from my custom modsec2 rules that block fake browser strings.

My question is, what kind of software (legitimate or otherwise) produces such silly browser strings and if anyone has seen it before.
Click to expand...
Wow, ok, good luck.
 
I

Infopro

Well-Known Member
May 20, 2003
17,075
524
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter
sehh said:
...

My question is, what kind of software (legitimate or otherwise) produces such silly browser strings and if anyone has seen it before.
Click to expand...
Seen it before? Yes sure. Google it, "Mozilla/4.0 (compatible;)" and see 81 million more.

What kind of software produces this? A malware compromised computer with an edited User Agent string might do this. Proxy applications that prefetch your nonexistent favicon might do this, for example.

This isn't a cPanel issue though, do some homework on the topic.
 
  • Like
Reactions: rhenderson
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
J Strange programs running server Security 2
R Security advisor strange results Security 20
R Strange Virus in Cpanel Security 6
B Strange status in Apache status Security 5
R strange requests Security 3
Similar threads
Strange programs running server
Security advisor strange results
Strange Virus in Cpanel
Strange status in Apache status
strange requests
Top Bottom