Security Incidents mailing list archives

is this a recon, or just some browser weirdness?


From: Kirby Angell <kangell () alertra com>
Date: Wed, 17 Nov 2004 20:30:30 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

My web logfile has these strange entries coming from the same IP
address, all relatively close together, but not so close that it looks
automated:

GET /spotcheckframe.php?device_id=557202&cnt=8
HEAD /spotcheck.php
GET /spotcheck.php_files/header_top.jpeg
GET /
POST /login.php
GET /index.html
GET /reportspec.php
GET /reportspec.php_files/header_top.jpeg
GET /viewdevices.php
GET /viewdevices.php_files/header_top.jpeg

This is the browser ID:

"Mozilla/5.0 (Windows; U; Windows NT 5.1; ru-RU; rv:1.7) Gecko/20040803
Firefox/0.9.3"

Things I don't get:

1) Why the "HEAD" request for the page you just got the full version of
(a page that they requested several times before)?
2) Why request "/" and then "/index.html"?  They would have had to
manually type "/index.html", there isn't a link to it on our site I
don't think.
3) What is with the mangled file names right after the correct name is
requested (e.g. "reportspec.php" followed by
"reportspec.php_files/header_top.jpeg")?
4) Where did "header_top.jpeg" come from anyway, the file on our server
is ".jpg", not ".jpeg"?
5) What is the "ru-RU" add-in for Firefox?

If anyone can shed some light on this I would appreciate it.

- --
Thank you,

Kirby Angell
Get notified anytime your website goes down!
http://www.alertra.com
key: 9004F4C0
fingerprint: DD7E E88D 7F50 2A1E 229D  836A DB5B A751 9004 F4C0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBnAlG21unUZAE9MARAtEuAJ9YbtjrZzBshKUPHm7MUKoDn5a50ACfV2A3
Lpuvd/tC+EGgyRDclJ6OIus=
=f/tA
-----END PGP SIGNATURE-----
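
The oddities listed in the message above, written as checks over one client's request sequence. This is an added example, not part of the original post; the finding codes and the served_assets and index_docs parameters are assumptions, based only on the poster's statements that the server's file is ".jpg" and that nothing links to "/index.html".

```python
import re
from posixpath import splitext
from urllib.parse import urlsplit

# Request lines copied from the post, in log order, for the single client IP.
REQUESTS = [
    "GET /spotcheckframe.php?device_id=557202&cnt=8",
    "HEAD /spotcheck.php",
    "GET /spotcheck.php_files/header_top.jpeg",
    "GET /",
    "POST /login.php",
    "GET /index.html",
    "GET /reportspec.php",
    "GET /reportspec.php_files/header_top.jpeg",
    "GET /viewdevices.php",
    "GET /viewdevices.php_files/header_top.jpeg",
]

# "<page>_files/<asset>": the "mangled" path shape described in the post.
FILES_DIR = re.compile(r"^(?P<page>/.+)_files/(?P<asset>[^/]+)$")


def triage(requests, served_assets=("header_top.jpg",), index_docs=("/index.html",)):
    """Return (line_no, code) pairs, one per oddity, for one client's requests."""
    served_stems = {splitext(name)[0] for name in served_assets}
    seen, findings = set(), []
    for n, line in enumerate(requests, start=1):
        method, _, target = line.partition(" ")
        path = urlsplit(target).path  # drop the query string before comparing
        if method == "HEAD":
            findings.append((n, "head-request"))
        if path in index_docs and "/" in seen:
            findings.append((n, "index-after-root"))
        m = FILES_DIR.match(path)
        if m and m["page"] in seen:
            findings.append((n, "files-dir-after-page"))
            stem, _ext = splitext(m["asset"])
            # Same base name as a real file, but an extension the server never uses.
            if m["asset"] not in served_assets and stem in served_stems:
                findings.append((n, "asset-extension-mismatch"))
        seen.add(path)
    return findings


if __name__ == "__main__":
    for n, code in triage(REQUESTS):
        print(f"{n:2d}  {code:26s} {REQUESTS[n - 1]}")
```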

