Bombarded with hundreds of probably automated page refreshes every few hours


It seems like some Internet Explorer users are sending my web server hundreds of requests per minute (for a few minutes) to refresh the page with a user-agent like this:

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)

This is happening every few hours with a different user and IP. I noticed that all users that send this kind of request have Media Center PC MSIE in their user agent. It is definitely not an attack because different signed-in users from different places are doing this. And it is not a public web-app. I have rate-limited per IP and it is not causing a problem at the moment, but I would like to prevent this from happening because it could cause problems if many users do this concurrently.

UPDATE

Every time the requests come from one valid IP of a user. I know who the user is each time. About 5-10 requests per second. For a few minutes. All requests are GET, the same URL is repeatedly fetched.

Here is my log of it happening for 2 minutes by one of the users after applying per-IP rate-limit:

xxx.xxx.21.130 - - [06/Jun/2015:13:35:31] "GET /login              HTTP/1.1" 200 5966  "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:36:37] "POST /login             HTTP/1.1" 302 109   "http://the.server.ip.address/login" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:36:37] "GET /                   HTTP/1.1" 200 10594 "http://the.server.ip.address/login" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:36:39] "GET /url0/info.json     HTTP/1.1" 200 7366  "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:36:39] "GET /url1/info.json     HTTP/1.1" 200 54    "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:36:40] "GET /homepage.json      HTTP/1.1" 200 26819 "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:36:41] "GET /homepage.json      HTTP/1.1" 200 26819 "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:36:41] "GET /url0.json          HTTP/1.1" 200 91    "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:36:53] "GET /url3.json          HTTP/1.1" 200 10254 "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:36:53] "GET /url4.json          HTTP/1.1" 200 41    "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:36:53] "GET /url1.json          HTTP/1.1" 200 1025  "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:36:53] "GET /                   HTTP/1.1" 304 0     "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:36:54] "GET /url2.json          HTTP/1.1" 200 66    "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:36:54] "GET /url1.json          HTTP/1.1" 200 1025  "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:36:54] "GET /url4.json          HTTP/1.1" 200 41    "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:36:54] "GET /url3.json          HTTP/1.1" 200 10254 "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:36:55] "GET /url2.json          HTTP/1.1" 200 66    "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:36:55] "GET /url1.json          HTTP/1.1" 200 1025  "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:36:59] "GET /url4.json          HTTP/1.1" 200 41    "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:36:59] "GET /url2.json          HTTP/1.1" 200 66    "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:36:59] "GET /url3.json          HTTP/1.1" 200 10254 "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:36:59] "GET /url1.json          HTTP/1.1" 200 1025  "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:00] "GET /url4.json          HTTP/1.1" 200 41    "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:07] "GET /url3.json          HTTP/1.1" 200 10254 "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:07] "GET /url2.json          HTTP/1.1" 200 66    "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:08] "GET /url1.json          HTTP/1.1" 200 1025  "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:08] "GET /url4.json          HTTP/1.1" 200 41    "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:08] "GET /url3.json          HTTP/1.1" 200 10254 "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:16] "GET /url2.json          HTTP/1.1" 200 66    "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:16] "GET /url4.json          HTTP/1.1" 200 41    "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:17] "GET /url1.json          HTTP/1.1" 200 1025  "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:17] "GET /url3.json          HTTP/1.1" 200 10255 "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:24] "GET /url2.json          HTTP/1.1" 200 66    "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:24] "GET /url1.json          HTTP/1.1" 200 1025  "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:24] "GET /url4.json          HTTP/1.1" 200 41    "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:25] "GET /url3.json          HTTP/1.1" 200 10255 "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:25] "GET /url2.json          HTTP/1.1" 200 66    "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:33] "GET /url1.json          HTTP/1.1" 200 1025  "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:33] "GET /url4.json          HTTP/1.1" 200 41    "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:34] "GET /url3.json          HTTP/1.1" 200 10254 "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:34] "GET /url2.json          HTTP/1.1" 200 66    "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:34] "GET /url1.json          HTTP/1.1" 200 1025  "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:44] "GET /url4.json          HTTP/1.1" 200 41    "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:45] "GET /url3.json          HTTP/1.1" 200 10254 "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:45] "GET /url2.json          HTTP/1.1" 200 66    "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:45] "GET /url1.json          HTTP/1.1" 200 1025  "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:45] "GET /url4.json          HTTP/1.1" 200 41    "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:55] "GET /url1.json          HTTP/1.1" 304 0     "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:55] "GET /url4.json          HTTP/1.1" 304 0     "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:55] "GET /url3.json          HTTP/1.1" 200 10255 "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:56] "GET /url1.json          HTTP/1.1" 304 0     "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:56] "GET /url2.json          HTTP/1.1" 200 66    "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:56] "GET /url3.json          HTTP/1.1" 200 10254 "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:56] "GET /url2.json          HTTP/1.1" 200 66    "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:57] "GET /url1.json          HTTP/1.1" 304 0     "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:57] "GET /url4.json          HTTP/1.1" 304 0     "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:37:57] "GET /url3.json          HTTP/1.1" 200 10255 "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:38:06] "GET /url2.json          HTTP/1.1" 200 66    "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:38:06] "GET /url1.json          HTTP/1.1" 304 0     "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:38:06] "GET /url4.json          HTTP/1.1" 304 0     "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:38:06] "GET /url3.json          HTTP/1.1" 200 10255 "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:38:06] "GET /url2.json          HTTP/1.1" 200 66    "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:38:16] "GET /url1.json          HTTP/1.1" 304 0     "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:38:16] "GET /url4.json          HTTP/1.1" 304 0     "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:38:16] "GET /url3.json          HTTP/1.1" 200 10254 "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:38:17] "GET /url2.json          HTTP/1.1" 200 66    "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:38:17] "GET /url1.json          HTTP/1.1" 304 0     "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:38:17] "GET /url1.json          HTTP/1.1" 304 0     "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:38:17] "GET /url4.json          HTTP/1.1" 304 0     "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:38:18] "GET /url3.json          HTTP/1.1" 200 10255 "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:38:18] "GET /url2.json          HTTP/1.1" 200 66    "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:38:18] "GET /url1.json          HTTP/1.1" 304 0     "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:38:18] "GET /url4.json          HTTP/1.1" 304 0     "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:38:19] "GET /url3.json          HTTP/1.1" 200 10255 "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:38:25] "GET /url2.json          HTTP/1.1" 200 66    "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:38:25] "GET /url1.json          HTTP/1.1" 304 0     "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:38:26] "GET /url4.json          HTTP/1.1" 304 0     "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:38:26] "GET /url3.json          HTTP/1.1" 200 10255 "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:38:26] "GET /url2.json          HTTP/1.1" 200 66    "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:38:41] "GET /url1.json          HTTP/1.1" 304 0     "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:38:41] "GET /url4.json          HTTP/1.1" 304 0     "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:38:41] "GET /url3.json          HTTP/1.1" 200 10254 "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:38:42] "GET /url2.json          HTTP/1.1" 200 66    "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"
xxx.xxx.21.130 - - [06/Jun/2015:13:38:42] "GET /url1.json          HTTP/1.1" 304 0     "http://the.server.ip.address/#/homepage" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)" "-"

What is causing this?

UPDATE

Why is this getting downvotes?

Solution :

Windows 7 Media Center (Media Center 6 User Agent String) has a remote code execution vulnerability patched August 2014. The fact your site is being subjected to contiguous/semi contiguous visits by the same type of PC implies BotNETs trolling the web with a fairly narrow criteria including just inventorying particular Web server headers along with attempting to GET particular files (frequently *.php) associated with a vulnerability.

You're not alone in your observations; another web site operator posted a similar observation in Feb 2015 and chunked a portion of his logs to the posting. It could be worth comparing his excerpt to yours.
lowendtalk.com/discussion/22374/have-you-seen-this-user-agent-string

Media Center, in response to your observation of being oblivious to it, is a failed stand-alone / quasi server intended to embed Windows into the home as a jukebox. It went through iterations as “Windows Home Server”, nothing more than a veiled Microsoft IIS component that owners described as turtle slow compared to the customary instant feedback of TV/stereo controls, along with providing a superb gateway of IIS server vulns into the home networks of semi-affluent early adopters unaware they purchased a corporate version of Microsoft Server w/o the customary IT patch management.

Media Center and its offspring are currently shelved by Microsoft.

I know your request is Windows specific, but this isn’t something unique to Windows. I’ve worked Linux web server administration for nearly a decade now. ‘Odd user agents’ are really common.

Example situation that’s happened: Why does my customer’s website for selling potted plants in rural Indiana suddenly have a huge influx of connections from 30 overseas countries and they are all using a ‘Bing bot’ agent.

A user agent can be spoofed. From a command line, you can literally type in anything you want as your user agent. Example code:

wget -U "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)" http://domain.com/wp-admin/

Suddenly I’m now the official Bing Bot hitting that site’s WordPress admin page, which is something no legitimate search engine should be accessing.

You’ll have to look in the logs for the greater picture as to ‘why’ these agents are hitting your server. You’ll have some strange situations like that pop up. What matters is all the other information. Like @AD7six said, what kind of requests were they? What pages were they accessing? How quickly? From what IP block? From what region of the world? Is this expected (did the website owner just get listed on slashdot or something)?

In my example, Bing Bot should certainly not be hitting the WordPress admin area, and certainly not 30 times per hour. Also, the IP keeps routing to various countries, so it’s probably an attack.

Other times, it might not be as obvious. In your case, without more information, it’s hard to say. “Media Center PC” is a legitimate user agent, but you sound suspicious of the connections. You further state:

It is definitely not an attack because different users are doing this

How do you know those are legitimate users as opposed to bots? If you are completely sure these are legitimate users, then you can forget the whole issue and maybe spend a few minutes researching what devices/software employ that user agent.

However, I’d recommend digging through the logs and writing some parsing scripts. See if you can identify trends in these connections such as:

  1. How often they are connecting (example: connections per minute)
  2. What countries they connect from
  3. What is the type of request (GET, POST, etc…)
  4. What pages they are accessing. (Are they hitting a single page, or crawling the whole site like a legitimate user might do?)

I hope this information helps and you can use some of it for your investigation.

Edit: I see you updated your question while I typed up this answer. Ok, non-public pages with signed-in users. It could be a vulnerability in your application letting them in or compromised user credentials. If you are seeing more than 1 different user, then the latter is unlikely.

Still, digging through the logs to get the bigger picture will help determine if it’s a vulnerability on your end. I also see user292744’s answer about a known vulnerability. That one sounds like it’s worth investigating.
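The log-parsing approach recommended in the answer above, as an added example (not part of the original question or answers): it parses lines in the layout of the question's log excerpt and reports, per client IP, request volume, peak rate, methods, status codes and path repetition. The sample lines, IP addresses, shortened user agents and the `flag_bursts` threshold are constructed for illustration; the country lookup is left out because it needs an external GeoIP database.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Layout taken from the log excerpt in the question: timestamp without a
# timezone, request line padded with spaces, extra quoted field at the end.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+[^"]*"\s+'
    r'(?P<status>\d{3})\s+(?P<size>\d+|-)\s+'
    r'"(?P<referer>[^"]*)"\s+"(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Drop a trailing timezone offset if the server happens to log one.
    rec["time"] = datetime.strptime(rec["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
    rec["status"] = int(rec["status"])
    return rec


def summarize(lines, ua_substring=None):
    """Aggregate per client IP; optionally keep only matching user agents."""
    per_ip = defaultdict(lambda: {
        "requests": 0, "methods": Counter(), "paths": Counter(),
        "statuses": Counter(), "per_minute": Counter(), "per_second": Counter(),
    })
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # malformed lines are counted, not silently dropped
            continue
        if ua_substring and ua_substring not in rec["ua"]:
            continue
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        s["methods"][rec["method"]] += 1
        s["paths"][rec["path"]] += 1
        s["statuses"][rec["status"]] += 1
        s["per_minute"][rec["time"].replace(second=0)] += 1
        s["per_second"][rec["time"]] += 1
    report = {}
    for ip, s in per_ip.items():
        report[ip] = {
            "requests": s["requests"],
            "peak_per_minute": max(s["per_minute"].values()),
            "peak_per_second": max(s["per_second"].values()),
            "methods": dict(s["methods"]),
            "statuses": dict(s["statuses"]),
            "distinct_paths": len(s["paths"]),
            "top_paths": s["paths"].most_common(3),
        }
    return report, skipped


def flag_bursts(report, per_minute_threshold=5):
    """IPs whose busiest minute reaches the (assumed) threshold."""
    return sorted(ip for ip, r in report.items()
                  if r["peak_per_minute"] >= per_minute_threshold)


# --- Constructed sample input (documentation IP ranges, shortened UAs) ---
MCE_UA = ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; "
          "Trident/4.0; Media Center PC 6.0)")
OTHER_UA = "Mozilla/5.0 (constructed other browser)"


def _line(ip, hms, method, path, status, size, ua):
    return (f'{ip} - - [06/Jun/2015:{hms}] "{method} {path:<19} HTTP/1.1" '
            f'{status} {size} "-" "{ua}" "-"')


SAMPLE_LOG = [
    _line("198.51.100.20", "13:35:31", "GET", "/login", 200, 5966, OTHER_UA),
    _line("198.51.100.20", "13:36:37", "POST", "/login", 302, 109, OTHER_UA),
    _line("198.51.100.20", "13:36:37", "GET", "/", 200, 10594, OTHER_UA),
    _line("203.0.113.7", "13:36:53", "GET", "/url1.json", 200, 1025, MCE_UA),
    _line("203.0.113.7", "13:36:53", "GET", "/url3.json", 200, 10254, MCE_UA),
    _line("203.0.113.7", "13:36:53", "GET", "/url4.json", 200, 41, MCE_UA),
    _line("203.0.113.7", "13:36:54", "GET", "/url1.json", 304, 0, MCE_UA),
    _line("203.0.113.7", "13:36:54", "GET", "/url2.json", 200, 66, MCE_UA),
    _line("203.0.113.7", "13:36:54", "GET", "/url3.json", 200, 10254, MCE_UA),
    _line("203.0.113.7", "13:37:08", "GET", "/url1.json", 304, 0, MCE_UA),
    _line("203.0.113.7", "13:37:08", "GET", "/url4.json", 304, 0, MCE_UA),
    "not an access log line",
]

if __name__ == "__main__":
    report, skipped = summarize(SAMPLE_LOG)
    for ip, stats in sorted(report.items()):
        print(ip, stats)
    print("skipped:", skipped, "bursting:", flag_bursts(report))
```

A small set of distinct paths fetched over and over with no navigation between them points at a polling loop in the page's own script rather than a crawl, which is worth ruling out before treating the traffic as hostile.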
