In log files

AllanIT · January 26, 2012, 7:25am

Hi Guys
I keep getting these entries in my log files.

69.28.58.13 - - [22/Jan/2012:07:18:41 +0800] “GET /+args%5bi+1%5d+ HTTP/1.0” 302 555 “http://www.mysite.com/+args[i+1]+” “HuaweiSymantecSpider/1.0+DSE-support@huaweisymantec.com+(compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR ; http://www.huaweisymantec.com/en/IRL/spider)”

69.28.58.13 - - [22/Jan/2012:07:19:12 +0800] “GET /Includes/+args%5bi+1%5d+ HTTP/1.0” 302 555 “http://www.mysite.com/Includes/+args[i+1]+” “HuaweiSymantecSpider/1.0+DSE-support@huaweisymantec.com+(compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR ; http://www.huaweisymantec.com/en/IRL/spider)”

69.28.58.14 - - [24/Jan/2012:12:11:17 +0800] “GET /+args%5bi+1%5d+ HTTP/1.0” 302 555 “http://www.mysite.com+args%5bi+1%5d+” “HuaweiSymantecSpider/1.0+DSE-support@huaweisymantec.com+(compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR ; http://www.huaweisymantec.com/en/IRL/spider)”

/home/mysite/public_html/+args[i+1]+,

I have done numerous searches on google but cannot find what they are trying to do. Does anyone know what they are trying to do or what the purpose of

GET /+args%5bi+1%5d+

or

/home/mysite/public_html/+args[i+1]+,

is.

Thanks
Allan

helpmin · January 26, 2012, 11:46am

I don’t think that doesn’t do anything just by itself (maybe just test whether a certain file exist on your server). Maybe it was part of a bigger script that did not work. But of course I am not a security expert.

Eric · January 26, 2012, 2:58pm

Howdy,

I’m not familiar with what specifically that bot is looking for, but it does appear to be testing for a specific exploit, by passing in parameters to a few different locations.

If you don’t want someone (or something) snooping around, you can always run this:

route add -host 69.28.58.13 reject