On Thu, Oct 15, 2015 at 8:12 AM, Richard Hipp <[email protected]> wrote:

> The website logs are showing a large number of accesses to
>
>    https://www.fossil-scm.org/skin2/raw/
>
> with the curious property that the Referer: is set to
> "http://0jejhcec65c24dslii.com";.  The accesses are coming from many
> different IP addresses, including several IPv6 addresses.  All of them
> list their User-Agent as being "Mozilla/4.0 (compatible; MSIE 6.0;
> Windows NT 5.1; SV1)".
>
> Yes, you read that correctly - IE6 on WindowsXP.
>
> Is this anything to be concerned about?  Should I block this anomalous
> traffic, or should I just leave them alone?
>

Personally I'd block it if I could, but I doubt it's really IE6 on WinXP.
Sounds like a botnet that is involved in a DDOS and that is just how the
malware identifies itself. It might be older software that was written at a
time when that was the most common UA string so they used it to give and
air of legitimacy to their traffic. Better for their needs than a UA string
of "EvilMalWare(TM)".



>
> --
> D. Richard Hipp
> [email protected]
> _______________________________________________
> fossil-users mailing list
> [email protected]
> http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
>



-- 
Scott Robison
_______________________________________________
fossil-users mailing list
[email protected]
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users

Reply via email to