Well, that depends. Some of the IP's from the logs are webservers, some are not. or have been :)) NT boxes that died
So, it's probably a code red infected machine, trying to reach others to infect. I tried telnetting to port 80 to see some activity. With some I've got no respons, which can mean box died, or webserver is on another port. grt Wouter [On 02 Aug, 2001, Dennis Stampfer wrote in " Re: apache log entry "] > Hi, > > This mail won't help you. Its a question from me: > > I read that 'Code Red' can infect only Windows ISS Server. Is this in > your log file a attack from another ISS Server which is thinking yours > is another ISS Server and trys to infect you? > > thanks, > Dennis > > > On Thu, Aug 02, 2001 at 08:27:13AM +0200, Wouter van Gils wrote: > > Hi, today I came say a lot of these: > > > > tnt-7-28.easynet.co.uk - - [01/Aug/2001:21:59:02 +0200] "GET > > /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN > > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN > > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u780 > > 1%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u00 > > 00%u00=a HTTP/1.0" 404 205 > > > > > > is my apache logs from several ip's. Anyone have an idea of what they are. > > I've got about > > 20 of them. Is this 'Code Red' stuff ? > > -- > [EMAIL PROTECTED] > http://www.dstampfer.de -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Wouter van Gils -=- [EMAIL PROTECTED] http://the-construct.cx/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
