Security Incidents mailing list archives

Strange web vulnerability scanner


From: Joao Gouveia <jgouveia () accao net>
Date: 20 Jun 2002 05:27:28 +0100

Hello list,


Today I got a series of alerts logged on my IDS regarding multiple
known web server/application vulnerabilities.
In a normal situation, I would find that "normal", since it happens on a
regular basis.
The strange thing about this scan, with a fixed source I.P., was that, by
analyzing the packet payload, I noticed that the User-Agent host header
contained different (very different) values for each request. And I do
mean a different user-agent for each one.
The first thing that came to mind was that it might just be a gateway or
some kind of proxy forwarding the requests. But I would find that rather
difficult, mainly because of two facts:
A - Source port always increments by one.
B - All requests (96) were made in an interval window of 7 seconds.

My question is simple and related only to curiosity. Does anyone here
know of a tool that acts like this?

For the curious, the user-agents sent were all variations of:
Mozilla/3.01
Mozilla/4.0
Mozilla/4.6
Mozilla/4.7
Mozilla/4.72
Mozilla/4.73


Thanks in advance,

Joao Gouveia


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
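
The pattern described in the message above (one source IP, a different User-Agent on nearly every request, source ports incrementing by one, 96 requests within 7 seconds) can be checked for in request logs. The following is an added detection example, not part of the original post; the event tuple format, the thresholds, the addresses and the "variant" suffixes on the User-Agent strings are assumptions constructed for illustration.

```python
from collections import defaultdict

# Base strings are the ones listed in the post; everything else is constructed.
UAS = ["Mozilla/3.01", "Mozilla/4.0", "Mozilla/4.6",
       "Mozilla/4.7", "Mozilla/4.72", "Mozilla/4.73"]

def build_sample():
    """Constructed events: (epoch_seconds, src_ip, src_port, user_agent)."""
    events = []
    # Scanner-like source: 96 requests in 7 s, port +1 each time, UA varied.
    for i in range(96):
        ua = f"{UAS[i % len(UAS)]} (variant {i})"
        events.append((1000.0 + i * 7 / 96, "192.0.2.10", 40000 + i, ua))
    # Proxy-like source: several User-Agents, but slow and with scattered ports.
    for i in range(30):
        events.append((1000.0 + i * 20, "198.51.100.5",
                       1024 + (i * 7919) % 50000, UAS[i % len(UAS)]))
    return events

def flag_sources(events, window=10.0, min_requests=20,
                 min_ua_ratio=0.9, min_seq_ratio=0.9):
    """Return sources that rotate User-Agents within one fast burst.

    Thresholds are illustrative assumptions, not values from the post.
    """
    by_src = defaultdict(list)
    for ts, ip, port, ua in events:
        by_src[ip].append((ts, port, ua))
    flagged = {}
    for ip, reqs in by_src.items():
        reqs.sort()
        for start in range(len(reqs)):
            # Requests falling inside `window` seconds of this one.
            burst = [r for r in reqs[start:] if r[0] - reqs[start][0] <= window]
            if len(burst) < min_requests:
                continue
            distinct = len({r[2] for r in burst})
            ports = [r[1] for r in burst]
            # Share of consecutive requests whose source port grew by exactly 1.
            seq = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
            seq_ratio = seq / (len(ports) - 1)
            if distinct / len(burst) >= min_ua_ratio and seq_ratio >= min_seq_ratio:
                flagged[ip] = {"requests": len(burst),
                               "distinct_user_agents": distinct,
                               "sequential_port_ratio": round(seq_ratio, 2)}
                break
    return flagged
```

Combining the User-Agent ratio with the port sequence and the burst rate keeps an ordinary shared proxy, which also presents many User-Agents from one address, from being flagged.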

