strange browser string (Mozilla/4.0 ... compatible)

Discussion in 'Security' started by sehh, Mar 26, 2014.

  1. sehh

    I've noticed in my logs some strange behaviour from a few rare clients.

    Things appear normal at first, I see a Chrome browser sending requests like:

    Code:
    "GET /favicon.ico HTTP/1.1" 200 1406 "mydomain.com" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36"
    
    Then all of a sudden, I see a flurry of requests (about 50+ requests) all within a second or two, like:

    Code:
    "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible;)"
    
    You see a 404 here because my modsec2 rules block these kinds of fake browser strings. But it is strange, what kind of client generates 50+ requests like that after what appears to be a normal user session/browsing?

    Is it some kind of trojan/virus/rootkit that sends additional requests behind the user's back? Or is it some proxy/accelerator trying to play it clever and download stuff ahead of time?

    Any help would be appreciated.

    Thank you.
     
  2. rhenderson

    You're probably getting a 404 because the favicon.ico doesn't exist for that domain.
     
  3. sehh

    That is irrelevant to my question and as I already mentioned above, the 404 comes from my custom modsec2 rules that block fake browser strings.

    My question is, what kind of software (legitimate or otherwise) produces such silly browser strings and if anyone has seen it before.
     
  4. rhenderson

    Wow, ok, good luck.
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Seen it before? Yes sure. Google it, "Mozilla/4.0 (compatible;)" and see 81 million more.

    What kind of software produces this? A malware-compromised computer with an edited User Agent string might do this. Proxy applications that prefetch your nonexistent favicon might do this, for example.

    This isn't a cPanel issue though, do some homework on the topic.
     
    rhenderson likes this.
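
The pattern described in the first post (a normal browser session, then 50+ requests within a second or two carrying "Mozilla/4.0 (compatible;)") can be flagged straight from the access log. This is an added example, not code from any poster or from cPanel; it assumes Apache combined log format, and the function names, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" layout (assumed; the thread's excerpts omit IP and timestamp).
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" '
                     r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
STUB_UA = "Mozilla/4.0 (compatible;)"  # the string quoted in the thread

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip lines that are not in the assumed format
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["ua"]

def find_stub_bursts(lines, min_hits=50, window=timedelta(seconds=2)):
    """Map each client IP that sent >= min_hits stub-UA requests inside one
    sliding window to its peak count and the last full UA it used before."""
    stub, normal = defaultdict(list), defaultdict(list)
    for ip, ts, ua in filter(None, map(parse, lines)):
        (stub if ua == STUB_UA else normal)[ip].append((ts, ua))
    findings = {}
    for ip, hits in stub.items():
        times = sorted(ts for ts, _ in hits)
        peak = lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:  # shrink the window from the left
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= min_hits:
            prior = [ua for ts, ua in sorted(normal[ip]) if ts <= times[0]]
            findings[ip] = {"peak": peak, "prior_ua": prior[-1] if prior else None}
    return findings

def constructed_sample():
    """Constructed log lines (documentation IPs), modelled on the thread."""
    chrome = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
              "Chrome/33.0.1750.154 Safari/537.36")
    fmt = '{} - - [26/Mar/2014:10:00:{:02d} +0000] "GET /favicon.ico HTTP/1.1" {} "{}" "{}"'
    lines = [fmt.format("192.0.2.10", 0, "200 1406", "mydomain.com", chrome)]
    lines += [fmt.format("192.0.2.10", 5 + i % 2, "404 -", "-", STUB_UA) for i in range(55)]
    lines += [fmt.format("198.51.100.7", 9, "404 -", "-", STUB_UA) for _ in range(3)]
    return lines

if __name__ == "__main__":
    for ip, info in find_stub_bursts(constructed_sample()).items():
        print(ip, info)
```

A non-empty `prior_ua` means the same address was browsing with a full browser string just before the burst, which is the case the first post asks about; it does not by itself distinguish a prefetching proxy from malware on the client.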