[Emerging-Sigs] An interesting user agent
Matt Jonkman
jonkman at jonkmans.com
Wed Apr 16 16:46:21 EDT 2008
Sure that's a legit yahoo client? The CRAWDADDY as referrer is
definitely non-standard. :)
Jack Pepper wrote:
> the machine is XP. It looks like yahoo massager is using a "win95"
> user agent?
>
> WTF?
>
> 10:49:53.131379 IP 10.2.2.65.1300 > 216.155.194.210.80: .
> 4126901949:4126903209(1260) ack 2502841366 win 64512
> 0x0000 4500 0514 0a1b 4000 8006 4418 0a02 0241 E.....@...D....A
> 0x0010 d89b c2d2 0514 0050 f5fb 86bd 952e 5416 .......P......T.
> 0x0020 5010 fc00 8110 0000 504f 5354 202f 6e6f P.......POST./no
> 0x0030 7469 6679 6674 2048 5454 502f 312e 310d tifyft.HTTP/1.1.
> 0x0040 0a52 6566 6572 6572 3a20 4352 4157 4441 .Referer:.CRAWDA
> 0x0050 4444 590d 0a55 7365 722d 4167 656e 743a DDY..User-Agent:
> 0x0060 204d 6f7a 696c 6c61 2f34 2e30 3120 5b65 .Mozilla/4.01.[e
> 0x0070 6e5d 2028 5769 6e39 353b 2049 290d 0a48 n].(Win95;.I)..H
> 0x0080 6f73 743a 2066 696c 6574 7261 6e73 6665 ost:.filetransfe
> 0x0090 722e 6d73 672e 7961 686f 6f2e 636f 6d0d r.msg.yahoo.com.
> 0x00a0 0a43 6f6e 7465 6e74 2d4c 656e 6774 683a .Content-Length:
> 0x00b0 2031 3735 3738 0d0a 4361 6368 652d 436f .17578..Cache-Co
> 0x00c0 6e74 726f 6c3a 206e 6f2d 6361 6368 650d ntrol:.no-cache.
> 0x00d0 0a43 6f6f 6b69 653a 2042 3d62 7276 6f71 .Cookie:.B=brvoq
>
>
> jp
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
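
Added example, not part of the original thread and not an Emerging Threats rule: Python that rebuilds the packet from the first 128 bytes of the tcpdump hex output quoted above, skips the IPv4 and TCP headers, and checks the HTTP headers for the two oddities the thread points out. The function names and the two heuristics (a Referer that is not an http(s) URL, a User-Agent claiming Win95) are assumptions made for illustration.

```python
import re

# First 128 bytes of the tcpdump -X output quoted in the message above.
DUMP = """\
0x0000 4500 0514 0a1b 4000 8006 4418 0a02 0241 E.....@...D....A
0x0010 d89b c2d2 0514 0050 f5fb 86bd 952e 5416 .......P......T.
0x0020 5010 fc00 8110 0000 504f 5354 202f 6e6f P.......POST./no
0x0030 7469 6679 6674 2048 5454 502f 312e 310d tifyft.HTTP/1.1.
0x0040 0a52 6566 6572 6572 3a20 4352 4157 4441 .Referer:.CRAWDA
0x0050 4444 590d 0a55 7365 722d 4167 656e 743a DDY..User-Agent:
0x0060 204d 6f7a 696c 6c61 2f34 2e30 3120 5b65 .Mozilla/4.01.[e
0x0070 6e5d 2028 5769 6e39 353b 2049 290d 0a48 n].(Win95;.I)..H
"""

def dump_to_bytes(dump):
    """Rebuild packet bytes from tcpdump -X lines, ignoring the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("0x"):
            continue
        for tok in tokens[1:9]:  # at most 8 hex groups per line
            if not re.fullmatch(r"[0-9a-fA-F]{2}|[0-9a-fA-F]{4}", tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)

def http_headers(packet):
    """Skip the IPv4 and TCP headers, return (request_line, {header: value})."""
    ihl = (packet[0] & 0x0F) * 4            # IPv4 header length in bytes
    data_off = (packet[ihl + 12] >> 4) * 4  # TCP header length in bytes
    lines = packet[ihl + data_off:].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # a truncated trailing line has no colon and is dropped
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def anomalies(headers):
    """Flag the two oddities raised in this thread (assumed heuristics)."""
    found = []
    ref = headers.get("referer")
    if ref is not None and not re.match(r"https?://", ref, re.I):
        found.append("referer is not a URL: " + ref)
    ua = headers.get("user-agent", "")
    if re.search(r"\bWin95\b", ua):
        found.append("user-agent claims Win95: " + ua)
    return found
```
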