mitchellkrogza / nginx-ultimate-bad-bot-blocker

Nginx Block Bad Bots, Spam Referrer Blocker, Vulnerability Scanners, User-Agents, Malware, Adware, Ransomware, Malicious Sites, with anti-DDOS, Wordpress Theme Detector Blocking and Fail2Ban Jail for Repeat Offenders

[User-Agent] Mb2345Browser #364

Closed duzun closed 4 years ago

duzun commented 4 years ago

Paste the full User-Agent String here

Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/42.0.2311.138 Mobile Safari/537.36 Mb2345Browser/9.0

Is this for Addition / Removal?

Did the User-Agent request robots.txt first?

Post Log Excerpt to show User-Agent behavior (10-20 lines is enough)

121.57.167.239 - - [12/Mar/2020:03:56:47 +0300] "GET /3ddesign/WebPlayer.html?cID=10412 HTTP/1.1" 200 2678 "-" "Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/42.0.2311.138 Mobile Safari/537.36 Mb2345Browser/9.0" "-" 0.032
117.87.135.106 - - [12/Mar/2020:03:56:58 +0300] "GET /santekhnika/bide/bide_napolnye/bide_napolnoe_jacob_delafon_nouvelle_vague_ebd0002_00.html HTTP/1.1" 301 155 "-" "Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/42.0.2311.138 Mobile Safari/537.36 Mb2345Browser/9.0" "-" 0.156
117.87.135.106 - - [12/Mar/2020:03:57:02 +0300] "GET /santekhnika/bide/bide-napolnye/bide-napolnoe-jacob-delafon-nouvelle-vague-ebd0002-00 HTTP/1.1" 200 11650 "-" "Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/42.0.2311.138 Mobile Safari/537.36 Mb2345Browser/9.0" "-" 1.812
27.221.134.87 - - [12/Mar/2020:03:58:07 +0300] "GET /oboi/vinil/the-cottage/cbb2261 HTTP/1.1" 200 11068 "-" "Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/42.0.2311.138 Mobile Safari/537.36 Mb2345Browser/9.0" "-" 0.956
121.230.226.61 - - [12/Mar/2020:03:58:09 +0300] "GET /ispanskaya_plitka/pamesa/cromat/anglia/blanco_mat_120x120.html HTTP/1.1" 301 128 "-" "Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/42.0.2311.138 Mobile Safari/537.36 Mb2345Browser/9.0" "-" 0.180
121.230.226.61 - - [12/Mar/2020:03:58:12 +0300] "GET /ispanskaya-plitka/pamesa/cromat/anglia/blanco-mat-120x120 HTTP/1.1" 200 12132 "-" "Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/42.0.2311.138 Mobile Safari/537.36 Mb2345Browser/9.0" "-" 1.292
112.113.153.122 - - [12/Mar/2020:03:58:14 +0300] "GET /rossiyskaya-plitka/vitra/marmori/klassicheskiy-teplyy HTTP/1.1" 200 12253 "-" "Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/42.0.2311.138 Mobile Safari/537.36 Mb2345Browser/9.0" "-" 1.652
116.55.140.128 - - [12/Mar/2020:03:58:55 +0300] "GET /rossiyskaya-plitka/italon/x2/everstone/desert-bor-grip HTTP/1.1" 200 12048 "-" "Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/42.0.2311.138 Mobile Safari/537.36 Mb2345Browser/9.0" "-" 1.812
171.10.152.136 - - [12/Mar/2020:04:00:40 +0300] "GET /santekhnika/unitazy/unitazy-napolnye HTTP/1.1" 200 33480 "-" "Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/42.0.2311.138 Mobile Safari/537.36 Mb2345Browser/9.0" "-" 0.504
175.147.116.200 - - [12/Mar/2020:04:00:51 +0300] "GET /3ddesign/WebPlayer.html?cID=23607 HTTP/1.1" 302 101 "-" "Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/42.0.2311.138 Mobile Safari/537.36 Mb2345Browser/9.0" "-" 0.036

Additional information

We have been experiencing some attack/intense crawling of our sites in Russia since 12 February. I implemented this nginx bad-bot-blocker configuration two days ago and, paired with fail2ban, it helped to reduce the attack by a lot!

Yesterday they changed the behaviour. I see ~1800 IP addresses with this UA in two days of logs, almost all of them make 1-2 requests only, and all the verified IPs are from China!

I'm sure this traffic is not coming from legitimate users!
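As an added illustration (not code from the issue or from the blocker project): a small Python pass over nginx access-log lines of the shape quoted above that groups hits by User-Agent, flags the pattern described here (many source addresses, each making only one or two requests) and records whether the UA ever fetched robots.txt, which is the template's question. The two trailing log fields are assumed to be $http_x_forwarded_for and $request_time; the sample lines are constructed, using TEST-NET addresses.

```python
import re
from collections import defaultdict
# Log line shape from the issue: nginx combined format plus two trailing fields,
# assumed to be $http_x_forwarded_for and $request_time (both ignored here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None  # None for lines that do not parse

def profile_user_agents(lines):
    """Per User-Agent: hit count per source IP and whether robots.txt was ever fetched."""
    per_ua = defaultdict(lambda: {"ips": defaultdict(int), "robots": False, "requests": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than abort the whole run
        entry = per_ua[rec["ua"]]
        entry["requests"] += 1
        entry["ips"][rec["ip"]] += 1
        if rec["path"].split("?", 1)[0] == "/robots.txt":
            entry["robots"] = True
    return per_ua

def distributed_crawlers(per_ua, min_ips=5, max_reqs_per_ip=2):
    """Flag UAs seen from >= min_ips addresses with no address making more than
    max_reqs_per_ip requests: the 'many IPs, 1-2 hits each' pattern from the issue."""
    flagged = {}
    for ua, entry in per_ua.items():
        ips = entry["ips"]
        if len(ips) >= min_ips and max(ips.values()) <= max_reqs_per_ip:
            flagged[ua] = {"distinct_ips": len(ips), "requests": entry["requests"],
                           "requested_robots_txt": entry["robots"]}
    return flagged

# Constructed sample log: the Mb2345Browser UA from the issue spread over eight TEST-NET
# addresses, beside an ordinary single-client browser and a crawler that read robots.txt.
UA_MB = ("Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) "
         "Version/4.0 Chrome/42.0.2311.138 Mobile Safari/537.36 Mb2345Browser/9.0")
UA_BROWSER = "Mozilla/5.0 (X11; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0"
UA_POLITE = "ExampleBot/1.0 (+https://example.invalid/bot)"
def _line(ip, path, ua):
    return f'{ip} - - [12/Mar/2020:03:58:07 +0300] "GET {path} HTTP/1.1" 200 1024 "-" "{ua}" "-" 0.100'
SAMPLE_LOG = ([_line(f"192.0.2.{i}", f"/catalog/item-{i}", UA_MB) for i in range(1, 9)]
              + [_line("192.0.2.1", "/catalog/item-99", UA_MB)]  # one address comes back once
              + [_line("198.51.100.7", f"/page-{i}", UA_BROWSER) for i in range(6)]  # one client, many hits
              + [_line("203.0.113.5", p, UA_POLITE) for p in ("/robots.txt", "/sitemap.xml")])
```

Run against a real access log, the flagged dictionary gives the distinct-IP count and robots.txt behaviour per UA, which is the evidence the issue template asks for before a UA is added to the blocker.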

duzun commented 4 years ago

I guess it is worth noting this article: Blocking aggressive Chinese crawlers/scrapers/bots.

After reading the article, I've discovered a few more aggressive User-Agents:

Mozilla/5.0 (Linux; Android 7.0; FRD-AL00 Build/HUAWEIFRD-AL00; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/53.0.2785.49 Mobile MQQBrowser/6.2 TBS/043602 Safari/537.36 MicroMessenger/6.5.16.1120 NetType/WIFI Language/zh_CN

Mozilla/5.0(Linux;Android 5.1.1;OPPO A33 Build/LMY47V;wv) AppleWebKit/537.36(KHTML,link Gecko) Version/4.0 Chrome/43.0.2357.121 Mobile Safari/537.36 LieBaoFast/4.51.3

Same behaviour.

mitchellkrogza commented 4 years ago

Thanks @duzun, a quick search shows this is linked with Baidu (2345.com); will check on the others.

duzun commented 4 years ago

Thanks @mitchellkrogza for the quick reaction and for this repo, it's great!

mitchellkrogza commented 4 years ago

Absolute pleasure, thanks for the contribution. I also found thousands of entries in my own logs, which made it a quick decision.