Anyone know of a virus that does this?

torpid

Sep 14, 2003
Not sure if this should go in software or tech support or what. So it's going here where all the other geeks congregate.

Over the past few days, in our web error log, we've seen about 350 errors. They are all from the same user, same IP address, visiting the same page on our site. The URL is correct, but the query string is missing a few parameters, which is causing the error to occur. The user is also generating unique sessions for each error, sometimes 2-3 per second.

On digging further, there are two different browser identification strings being sent. The mass errors are coming from "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)", but the seemingly legitimate requests (the user clicking the log off button, and at seemingly normal usage patterns) are coming from "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; FunWebProducts)".

So it seems to me that she likely has a virus. Kind of scary considering that this is a secured site so it must have recorded her username and password in order to do this.

Anyone seen this? Any virus info? I did a bit of searching but can't seem to find any info. We are advising the user's tech staff to check for viruses, but somehow I suspect that they have up-to-date virus signatures and auto protect on (most of our users do - this is a somewhat controlled user base).

If this is a DoS attack, it's pretty weak. It's not hitting the site anywhere near enough to cause noticeable slowdown, and we have 3 servers in our cluster.

Edit: We did talk to the user who said she is getting no errors and things are occasionally slow but not much beyond that (slowness is normal and expected due to high database load during peak hours, though).
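
One way to pull the pattern described in the post out of a request log, as an added example that is not part of the original post: it counts, per IP address, the requests missing a required query parameter, checks whether each one carried a new session, measures the peak per-second rate, and lists the browser strings seen. The log format, the page path, the parameter names, the IP addresses and the thresholds are all assumptions constructed for the example; only the two browser strings come from the post.

```python
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

REQUIRED = {"id", "view", "acct"}  # hypothetical; the post does not name the parameters
UA_ERR = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
UA_USER = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; FunWebProducts)"

# Constructed sample log, one request per line: time|ip|session|url|user-agent
SAMPLE_LOG = [
    f"10:00:00|203.0.113.7|s1|/app/page.asp?id=5|{UA_ERR}",
    f"10:00:00|203.0.113.7|s2|/app/page.asp?id=5|{UA_ERR}",
    f"10:00:01|203.0.113.7|s3|/app/page.asp?id=5|{UA_ERR}",
    f"10:00:01|203.0.113.7|s4|/app/page.asp?id=5|{UA_ERR}",
    f"10:00:01|203.0.113.7|s5|/app/page.asp?id=5|{UA_ERR}",
    f"10:05:00|203.0.113.7|u1|/app/page.asp?id=5&view=a&acct=9|{UA_USER}",
    f"10:07:00|198.51.100.4|v1|/app/page.asp?id=2&view=a|{UA_USER}",
]

def summarize(lines, required=REQUIRED):
    """Per-IP counts of requests that lack a required query parameter."""
    stats = defaultdict(lambda: {"bad": 0, "sessions": set(),
                                 "per_sec": Counter(), "agents": set()})
    for line in lines:
        ts, ip, session, url, agent = line.split("|", 4)
        params = parse_qs(urlsplit(url).query, keep_blank_values=True)
        entry = stats[ip]
        entry["agents"].add(agent)
        if required - set(params):          # at least one parameter missing
            entry["bad"] += 1
            entry["sessions"].add(session)
            entry["per_sec"][ts] += 1
    return stats

def suspicious(stats, min_bad=3, min_rate=2):
    """IPs whose bad requests are bursty and each carry a fresh session."""
    flagged = {}
    for ip, entry in stats.items():
        peak = max(entry["per_sec"].values(), default=0)
        fresh = len(entry["sessions"]) == entry["bad"]
        if entry["bad"] >= min_bad and peak >= min_rate and fresh:
            flagged[ip] = {"bad": entry["bad"], "peak_per_sec": peak,
                           "agents": sorted(entry["agents"])}
    return flagged

if __name__ == "__main__":
    for ip, info in suspicious(summarize(SAMPLE_LOG)).items():
        print(ip, info)
```

More than one browser string in the `agents` list for a flagged address points to two different clients behind the same IP, which is worth separating from a single misbehaving browser before drawing conclusions.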