strange browser string (Mozilla/4.0 ... compatible)

sehh

Well-Known Member
Feb 11, 2006
579
5
168
Europe
I've noticed in my logs some strange behaviour from a few rare clients.

Things appear normal at first, I see a Chrome browser sending requests like:

Code:
"GET /favicon.ico HTTP/1.1" 200 1406 "mydomain.com" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36"
Then all of a sudden, I see a flurry of requests (about 50+ requests) all within a second or two, like:

Code:
"GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible;)"
You see a 404 here because my modsec2 rules block these kind of fake browser strings. But it is strange, what kind of client generates 50+ requests like that after what appears to be a normal user session/browsing?

Is it some kind of trojan/virus/rootkit that sends additional requests behind the users back? Or is it some proxy/accelerator trying to play it clever and download stuff ahead of time?

Any help would be appreciated.

Thank you.
 

sehh

Well-Known Member
Feb 11, 2006
579
5
168
Europe
That is irrelevant to my question and as I already mentioned above, the 404 comes from my custom modsec2 rules that block fake browser strings.

My question is, what kind of software (legitimate or otherwise) produces such silly browser strings and if anyone has seen it before.
 

rhenderson

Well-Known Member
Apr 21, 2005
785
2
168
Oklahoma
cPanel Access Level
Root Administrator
That is irrelevant to my question and as I already mentioned above, the 404 comes from my custom modsec2 rules that block fake browser strings.

My question is, what kind of software (legitimate or otherwise) produces such silly browser strings and if anyone has seen it before.
Wow, ok, good luck.
 

Infopro

Well-Known Member
May 20, 2003
17,113
507
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter
...

My question is, what kind of software (legitimate or otherwise) produces such silly browser strings and if anyone has seen it before.
Seen it before? Yes sure. Google it, "Mozilla/4.0 (compatible;)" and see 81 million more.

What kind of software produces this? A malware compromised computer with an edited User Agent string might do this. Proxy applications that prefetch your nonexistent favicon might do this, for example.

This isn't a cPanel issue though, do some homework on the topic.
 
  • Like
Reactions: rhenderson