1

Has anyone noticed Internet Explorer useragents changing in their access logs?

- - 12.345.6.789 - - [24/Feb/2012:15:59:59 -0800] "GET HTTP/1.1" 200 4759 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; InfoPath.2; AskTbMP3R7/5.14.1.20007)"

- - 12.345.6.789 - - [24/Feb/2012:16:00:01 -0800] "GET HTTP/1.1" 200 4040 "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"

Obviously I stripped down the log to just show the useragents. Just noticed this happening on our sites. Same user, same sessions, etc... Any thoughts?

Edit: We are using Amazon EC2. This has been found across three of our production servers that are behind a load balancer using a simple round robin - we have sticky sessions enabled. I should have left the pages being requested. The initial request is for the index page, the subsequent requests are for the assets. All other subsequent requests remain ( in this case ) IE 9.

I tried to replicate this with ie and compatibility mode, but my user agent stays on the version of ie I select from the developer tool.

Any chance this could be caused by the configuration? I've only found this with IE user agents but it could be others?

kmfk
  • 161
  • 1
  • 6

1 Answers1

0

My knee-jerk reaction to that is "bot!"; requests from two different browsers two seconds apart usually shows either very strange user behavior ("I'm gonna load up the site on two different computers with different IE versions, then load both at the same time!"), or an automated request of some kind.

It's pretty common for bots to spoof user-agents of real browsers - do you have any indication that this is an actual human making these requests? It's highly unlikely for a real user's browser to change agents between requests, but keep in mind that there's potentially a number of nodes behind that address due to NAT; if it's a human, then perhaps it's two different users at the same company hitting the site 2 seconds apart?

Shane Madden
  • 114,520
  • 13
  • 181
  • 251
  • Shane - yeah, that was an initial thought. This is somewhat common however. We looked through the IPs and they seem very organic, nothing out of the ordinary. Going to up the question with more info. – kmfk Feb 25 '12 at 18:44