Hi Guys I keep getting these entries in my log files.
69.28.58.13 - - [22/Jan/2012:07:18:41 +0800] "GET /+args%5bi+1%5d+ HTTP/1.0" 302 555 "http://www.mysite.com/+args%5bi+1%5d+" "HuaweiSymantecSpider/1.0+DSE-support@huaweisymantec.com+(compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR ; http://www.huaweisymantec.com/en/IRL/spider)"
69.28.58.13 - - [22/Jan/2012:07:19:12 +0800] "GET /Includes/+args%5bi+1%5d+ HTTP/1.0" 302 555 "http://www.mysite.com/Includes/+args%5bi+1%5d+" "HuaweiSymantecSpider/1.0+DSE-support@huaweisymantec.com+(compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR ; http://www.huaweisymantec.com/en/IRL/spider)"
69.28.58.14 - - [24/Jan/2012:12:11:17 +0800] "GET /+args%5bi+1%5d+ HTTP/1.0" 302 555 "http://www.mysite.com+args%5bi+1%5d+" "HuaweiSymantecSpider/1.0+DSE-support@huaweisymantec.com+(compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR ; http://www.huaweisymantec.com/en/IRL/spider)"
/home/mysite/public_html/+args[i+1]+,
I have done numerous searches on google but cannot find what they are trying to do. Does anyone know what they are trying to do or what the purpose of
GET /+args%5bi+1%5d+
or
/home/mysite/public_html/+args[i+1]+,
is.
Thanks Allan
I don't think that doesn't do anything just by itself (maybe just test whether a certain file exist on your server). Maybe it was part of a bigger script that did not work. But of course I am not a security expert.
Howdy,
I'm not familiar with what specifically that bot is looking for, but it does appear to be testing for a specific exploit, by passing in parameters to a few different locations.
If you don't want someone (or something) snooping around, you can always run this:
route add -host 69.28.58.13 reject