The Community Forums

Interact with an entire community of cPanel & WHM users!

strange browser string (Mozilla/4.0 ... compatible)

Discussion in 'Security' started by sehh, Mar 26, 2014.

  1. sehh

    sehh Well-Known Member

    I've noticed in my logs some strange behaviour from a few rare clients.

    Things appear normal at first, I see a Chrome browser sending requests like:

    Code:
    "GET /favicon.ico HTTP/1.1" 200 1406 "mydomain.com" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36"
    
    Then all of a sudden, I see a flurry of requests (about 50+ requests) all within a second or two, like:

    Code:
    "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/4.0 (compatible;)"
    
    You see a 404 here because my modsec2 rules block these kinds of fake browser strings. But it is strange, what kind of client generates 50+ requests like that after what appears to be a normal user session/browsing?

    Is it some kind of trojan/virus/rootkit that sends additional requests behind the user's back? Or is it some proxy/accelerator trying to play it clever and download stuff ahead of time?

    Any help would be appreciated.

    Thank you.
     
  2. rhenderson

    rhenderson Well-Known Member

    You're probably getting a 404 because the favicon.ico doesn't exist for that domain.
     
  3. sehh

    sehh Well-Known Member

    That is irrelevant to my question and as I already mentioned above, the 404 comes from my custom modsec2 rules that block fake browser strings.

    My question is, what kind of software (legitimate or otherwise) produces such silly browser strings and if anyone has seen it before.
     
  4. rhenderson

    rhenderson Well-Known Member

    Wow, ok, good luck.
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Seen it before? Yes sure. Google it, "Mozilla/4.0 (compatible;)" and see 81 million more.

    What kind of software produces this? A malware-compromised computer with an edited User Agent string might do this. Proxy applications that prefetch your nonexistent favicon might do this, for example.

    This isn't a cPanel issue though, do some homework on the topic.
     
    rhenderson likes this.
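
Added example, not posted by anyone in this thread: one way to pull the pattern described above out of an access log, flagging clients that send a burst of `Mozilla/4.0 (compatible;)` requests and recording which browser strings the same client used beforehand. It assumes Apache combined log format in chronological order (the excerpts in the thread omit the client IP and timestamp); the sample lines, IPs and timestamps are constructed, and the 50-hit / 2-second thresholds come from the first post's description.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

STUB_UA = "Mozilla/4.0 (compatible;)"  # the User-Agent string discussed in the thread
# Apache combined log format (assumed; the thread shows only the tail of each line)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse(line):
    """Return (ip, timestamp, user_agent), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["ua"]

def find_stub_bursts(lines, min_hits=50, window=timedelta(seconds=2)):
    """Map each client IP that sent >= min_hits stub-UA requests inside one
    sliding window to its peak hit count and the other UAs it sent before."""
    recent = defaultdict(deque)   # ip -> stub-UA timestamps still inside the window
    other_uas = defaultdict(set)  # ip -> non-stub User-Agents seen so far
    bursts = {}
    for ip, ts, ua in filter(None, map(parse, lines)):
        if ua != STUB_UA:
            other_uas[ip].add(ua)
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= min_hits:
            b = bursts.setdefault(
                ip, {"hits": 0, "first": q[0], "prior_uas": set(other_uas[ip])})
            b["hits"] = max(b["hits"], len(q))
    return bursts

def sample_log():
    """Constructed lines: a Chrome session, then a 55-request stub-UA burst."""
    chrome = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
              "Chrome/33.0.1750.154 Safari/537.36")
    fmt = ('{ip} - - [26/Mar/2014:10:00:{s:02d} +0000] '
           '"GET /favicon.ico HTTP/1.1" {st} {sz} "{ref}" "{ua}"')
    lines = [fmt.format(ip="192.0.2.10", s=1, st=200, sz=1406, ref="mydomain.com", ua=chrome)]
    lines += [fmt.format(ip="192.0.2.10", s=5 + i // 30, st=404, sz="-", ref="-", ua=STUB_UA)
              for i in range(55)]
    lines += [fmt.format(ip="198.51.100.7", s=20, st=404, sz="-", ref="-", ua=STUB_UA)] * 3
    return lines
```

A non-empty `prior_uas` for a flagged client means the same address was seen with a full browser string before the burst, which is the situation the first post describes.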