Splunking User Agent strings

Just thought I’d do a quick survey of the kinds of users trying to hit my site, just for the fun of it, heh.

Fired up Splunk to do a quick search over the past 7 days:

index=myblogindex | dedup useragent | fields useragent | sort useragent | format

The resulting string can be easily copied and massaged further in a text editor (replacing the “in between” separators like ” ) OR ( useragent=” with a newline, \n)

I’m pretty interested still (as always) to see how easy it is to profile/”follow” an individual user due to uniqueness of each OS-browser’s useragent (UA) strings, but that’s another story for another exercise, another day…

Here’re some of the more interesting UA strings and analyses. And these were harvested only over a span of 7 days!

BlackBerry9530/5.0.0.732 Profile/MIDP-2.1 Configuration/CLDC-1.1 VendorID/105

SonyEricssonC905/R1FA Browser/NetFront/3.4 Profile/MIDP-2.1 Configuration/CLDC-1.1 JavaPlatform/JP-8.4.3

T-Mobile Dash Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; Smartphone; 320×240;) MSNBOT-MOBILE/1.1 (+http://search.msn.com/msnbot.htm)

Love it when I see mobile browsers’ UA strings, wonder how much further could I dig into them in the future…

Flight Deck Bot 1.3 beta (http://www.flightdeckreports.com/bot)

Flight Deck’s a game that I recently restarted my tactics experiments with, wonder how exactly did they hit my site? No referrers sent with the requests, but I suspect they came via Twitter.  Or was it even the same Flight Deck site?  Too lazy to dig further for now 😛

Mozilla/4.0 (PSP (PlayStation Portable); 2.00)

PSP…?

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; sbcydsl 3.12; YComp 5.0.0.0; YPC 3.2.0; FunWebProducts; .NET CLR 1.1.4322; ZangoToolbar 4.8.2; yplus 5.1.04b)

Interesting to see how many people have installed adware/spyware like FunWebProducts. There’re other examples in my logs too of such malware that modify the UA string, which makes it possible to do detection and statistics in perimeter devices like IDSes…

Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_1_2 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Mobile/7D11

Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_1_3 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Mobile/7E18

Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0_1 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Mobile/8A306

Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0_1 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A306 Safari/6531.22.7

Mozilla/5.0 (iPod; U; CPU iPhone OS 3_1_3 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7E18 Safari/528.16

Mozilla/5.0 (iPod; U; CPU iPhone OS 3_1_3 like Mac OS X; nl-nl) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7E18 Safari/528.16

iPhones/iPods/iWhatNot. OS AND browser versions all revealed! Now, how about some “automatic” “jailbreaking”? Heh heh heh…not!

SAMSUNG-SGH-E250/1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0 (compatible; Googlebot-Mobile/2.1; +http://www.google.com/bot.html)

Googlebot using SAMSUNG phones?! Either Google has some wicked architecture to incorporate mobile phones as crawlers, or that this is a very confused bot 😉

Wget/1.12 (linux-gnu)

Wget/1.9+cvs-stable (Red Hat modified)

curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3

curl/7.19.6 (i386-pc-win32) libcurl/7.19.6 OpenSSL/0.9.8k zlib/1.2.3

When you see your site being accessed by programs like wget and curl, and it’s not Amazon’s AWS (use Splunk’s lookup dnslookup clientip to find out the clienthost name), it’s a very safe bet that they’re zombies/compromised user computers as part of a botnet. The clienthost names and many different IP addresses would confirm that they’re zombies.
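To turn the deduped UA list into counts, here is an added Python example (not from the post or Splunk) that tags each unique UA the way this post reads them: adware markers, scripted clients, crawlers and mobile devices. The rule order and regexes are my own assumptions; the sample strings are constructed from the ones listed above, and the iOS version/build extractor is likewise a hypothetical helper.

```python
import re
from collections import Counter

# Constructed sample of UA strings, taken from the ones listed above (not a real log).
SAMPLE_UAS = [
    "BlackBerry9530/5.0.0.732 Profile/MIDP-2.1 Configuration/CLDC-1.1 VendorID/105",
    "Mozilla/4.0 (PSP (PlayStation Portable); 2.00)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; ZangoToolbar 4.8.2; yplus 5.1.04b)",
    "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0_1 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Mobile/8A306",
    "SAMSUNG-SGH-E250/1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0 (compatible; Googlebot-Mobile/2.1; +http://www.google.com/bot.html)",
    "Wget/1.12 (linux-gnu)",
    "curl/7.19.6 (i386-pc-win32) libcurl/7.19.6 OpenSSL/0.9.8k zlib/1.2.3",
    "Wget/1.12 (linux-gnu)",  # duplicate, to show the dedup step
]

# Ordered tagging rules (assumed, hypothetical): the first matching rule wins,
# so a Googlebot-Mobile UA on a Samsung phone is tagged as a crawler, not a mobile.
RULES = [
    ("adware",   re.compile(r"FunWebProducts|ZangoToolbar", re.I)),
    ("scripted", re.compile(r"^(Wget|curl)/", re.I)),
    ("crawler",  re.compile(r"bot|\+http://", re.I)),
    ("mobile",   re.compile(r"iPhone|iPod|MIDP|Windows CE|PSP|BlackBerry", re.I)),
]

def tag_ua(ua):
    """Return the first rule name whose pattern matches the UA, else 'other'."""
    for name, pattern in RULES:
        if pattern.search(ua):
            return name
    return "other"

def survey(uas):
    """Dedup like the Splunk search above, then count unique UAs per tag."""
    unique = sorted(set(uas))
    return Counter(tag_ua(ua) for ua in unique), unique

# Apple mobile UAs reveal the OS version and the build id; pull both out.
IOS_RE = re.compile(r"CPU (?:iPhone )?OS (\d+(?:_\d+)*) like Mac OS X.*?Mobile/(\w+)")

def ios_build(ua):
    """Return (OS version, build) from an iPhone/iPod UA, or None if not Apple mobile."""
    m = IOS_RE.search(ua)
    return (m.group(1).replace("_", "."), m.group(2)) if m else None

if __name__ == "__main__":
    counts, unique = survey(SAMPLE_UAS)
    print(len(unique), "unique UAs:", dict(counts))
```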

Well, that’s all for today folks! Feel free to comment/discuss below 🙂
