Fired up Splunk to do a quick search over the past 7 days:

index=myblogindex | dedup useragent | fields useragent | sort useragent | format

The resulting string can be easily copied and massaged further in a text editor (replacing the "in between" strings like " ) OR ( useragent=" with \n)

I'm pretty interested still (as always) to see how easy it is to profile/"follow" an individual user due to uniqueness of each OS-browser's useragent (UA) strings, but that's another story for another exercise, another day...

Here're some of the more interesting UA strings and analyses. And these were harvested only over a span of 7 days!

BlackBerry9530/5.0.0.732 Profile/MIDP-2.1 Configuration/CLDC-1.1 VendorID/105

SonyEricssonC905/R1FA Browser/NetFront/3.4 Profile/MIDP-2.1 Configuration/CLDC-1.1 JavaPlatform/JP-8.4.3

T-Mobile Dash Mozilla/4.0 (compatible; MSIE 4.01; Windows CE; Smartphone; 320x240;) MSNBOT-MOBILE/1.1 (+http://search.msn.com/msnbot.htm)

Love it when I see mobile browsers' UA strings, wonder how much further could I dig into them in the future...

Flight Deck Bot 1.3 beta (http://www.flightdeckreports.com/bot)

Flight Deck's a game that I recently restarted my tactics experiments with, wonder how exactly did they hit my site? No referrers sent with the requests, but I suspect they came via Twitter.  Or was it even the same Flight Deck site?  Too lazy to dig further for now

Mozilla/4.0 (PSP (PlayStation Portable); 2.00)

PSP...?

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; sbcydsl 3.12; YComp 5.0.0.0; YPC 3.2.0; FunWebProducts; .NET CLR 1.1.4322; ZangoToolbar 4.8.2; yplus 5.1.04b)

Interesting to see how many people have installed adware/spyware like FunWebProducts. There're other examples in my logs too of such malware that modify the UA string, which makes it possible to do detection and statistics in perimeter devices like IDSes...

Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_1_2 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Mobile/7D11

Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_1_3 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Mobile/7E18

Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0_1 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Mobile/8A306

Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0_1 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A306 Safari/6531.22.7

Mozilla/5.0 (iPod; U; CPU iPhone OS 3_1_3 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7E18 Safari/528.16

Mozilla/5.0 (iPod; U; CPU iPhone OS 3_1_3 like Mac OS X; nl-nl) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7E18 Safari/528.16

iPhones/iPods/iWhatNot. OS AND browser versions all revealed! Now, how about some "automatic" "jailbreaking"? Heh heh heh...not!

SAMSUNG-SGH-E250/1.0 Profile/MIDP-2.0 Configuration/CLDC-1.1 UP.Browser/6.2.3.3.c.1.101 (GUI) MMP/2.0 (compatible; Googlebot-Mobile/2.1; +http://www.google.com/bot.html)

Googlebot using SAMSUNG phones?! Either Google has some wicked architecture to incorporate mobile phones as crawlers, or that this is a very confused bot

Wget/1.12 (linux-gnu)

Wget/1.9+cvs-stable (Red Hat modified)

curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3

curl/7.19.6 (i386-pc-win32) libcurl/7.19.6 OpenSSL/0.9.8k zlib/1.2.3

When you see your site being accessed by programs like wget and curl, and it's not Amazon's AWS (use Splunk's lookup dnslookup clientip to find out the clienthost name), it's a very safe bet that they're zombies/compromised user computers as part of a botnet. The clienthost names and many different IP addresses would confirm that they're zombies.

Well, that's all for today folks! Feel free to comment/discuss below

For now, I have a new SMS ringtone...

Here's the link to the file: original_wilhelm_scream_raw

Today's feature: the list of user IDs that has been used to attempt brute forcing on ssh till date! *drum roll*

From the looks of this list, some of these people/botnet operators think I'm German/Spanish/Japanese.  Really weird, or these botnets are just whacking away without using the correct wordlist.

00089 0123456789 a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa Aadolf Aaliyah Aamu Aapeli aaron Aaron aarti abby abcs abel admin administrator adolfo agata alberto alexandre alexis alias amministratore ana andrew angel anthony anti art arthur backuppc bang bb benjie bind bob bond brian caja cameron candie candy carey cargan carina carissa carl carla carlo carrie cgarcia cgi-bin cis42 cisco clement conter coo cristi cristian cristina cristinel cs cvsroot da damian dasusr1 dati dave db2fenc1 db2inst1 desiree director djeli dk dke dl dle dm dmaac dme dmitra documenti domin Doo doris dragon droguri ebony ecampaig echo ed enzo fax fedora felipe fido finance foc francois ftp ftpuser gary ghost goncalo grant gt05 guest haiduc haitac hammer happiness hugo iasiasur ibiza information informix ionita ipbx jay jd jean joan johan joomla joseluis julius julius123 jun jurca kato kidskhan li71-183 li71-183.members.linode library lord ls lschmidt lscsymbiosis lsnoxell lucas lucia m magnos marian mark marketing marta mathis medina mercedes miguel mike miranda mireya mlmb monica montrelle myky mythtv nagios nana natalia natasha nathan nelson nicoara nlopez no nrg nu office offsite operatore oracle owen pamela pgsl plcmspip PlcmSpIp porno pos post postgres power powered prchal prueba pubblico public q1 r00t raimundo ram reboot recepcion recruit rene ricardo roby rocio Root root123 roto ruut sales samba sami scan se sebastian services sims sims2 sistema skbae skin skipe skype skywalker slayer spam sshadmin sshdu sss staff stan std015 stephanie stone stud student student1 sue swadok sybille teamspeak TeamSpeak teapa tech ted telegest temp test test1 theo thomas thx1138 tom tomcat tony trash ts tss upload user user1 utente ven vh vic vicky victor violet vn volume vova webadmin wen william WinD3str0y work xwang xwp yamazaki yes zoro

For your info the Konami code works in Google Reader and Facebook too!