On Thu, Oct 15, 2015 at 8:12 AM, Richard Hipp <[email protected]> wrote:
> The website logs are showing a large number of accesses to > > https://www.fossil-scm.org/skin2/raw/ > > with the curious property that the Referer: is set to > "http://0jejhcec65c24dslii.com". The accesses are coming from many > different IP addresses, including several IPv6 addresses. All of them > list their User-Agent as being "Mozilla/4.0 (compatible; MSIE 6.0; > Windows NT 5.1; SV1)". > > Yes, you read that correctly - IE6 on WindowsXP. > > Is this anything to be concerned about? Should I block this anomalous > traffic, or should I just leave them alone? > Personally I'd block it if I could, but I doubt it's really IE6 on WinXP. Sounds like a botnet that is involved in a DDOS and that is just how the malware identifies itself. It might be older software that was written at a time when that was the most common UA string so they used it to give and air of legitimacy to their traffic. Better for their needs than a UA string of "EvilMalWare(TM)". > > -- > D. Richard Hipp > [email protected] > _______________________________________________ > fossil-users mailing list > [email protected] > http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users > -- Scott Robison
_______________________________________________ fossil-users mailing list [email protected] http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users

