If you are going to fake a user agent, do it right 🙂 Seeing some web scanners faking all possible browsers out there in one single request:
- Firefox/3.6
- Chrome/9
- Firefox/3.0
- Opera/9.99?
- Safari
- and more..
This is the actual log (searching for vulnerable oscommerce files):
66.147.240.166 – – [24/May/2012:13:50:50 +0000] “GET /admin/file_manager.php/login.php HTTP/1.1” 404 9152 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\”,\”Mozilla/5.0 (Windows; U; Windows NT 5.1; pl-PL; rv:1.8.1.24pre) Gecko/20100228 K-Meleon/1.5.4\”,\”Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/540.0 (KHTML,like Gecko) Chrome/9.1.0.0 Safari/540.0\”,\”Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Comodo_Dragon/4.1.1.11 Chrome/4.1.249.1042 Safari/532.5\”,\”Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.0.16) Gecko/2009122206 Firefox/3.0.16 Flock/2.5.6\”,\”Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/533.1 (KHTML, like Gecko) Maxthon/3.0.8.2 Safari/533.1\”,\”Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.8pre) Gecko/20070928 Firefox/2.0.0.7 Navigator/9.0RC1\”,\”Opera/9.99 (Windows NT 5.1; U; pl) Presto/9.9.9\”,\”Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-HK) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5\”,\”Seamonkey-1.1.13-1(X11; U; GNU Fedora fc 10) Gecko/20081112\”,\”Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 2.0.50727; SLCC2; .NET CLR
I wonder if it is a bug in their scanners or they did on purpose to bypass user agent restrictions.