I may be wrong, but it looks similar to the recent openssl worm. The following is from the Symantec web site.
When performing the scanning, the worm first connects to port 80 of a target machine, to determine if it can communicate to that port. It then sends the following request: GET / HTTP/1.1\r\n\r\n Since this is an invalid HTTP 1.1 request, it is missing the "Host:" parameter, a typical Apache server will respond with something similar to the following: HTTP/1.1 400 Bad Request Date: Fri, 13 Sep 2002 10:24:13 GMT Server: Apache/1.3.22 (Unix) (Red-Hat/Linux) Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=iso-8859-1 Regards, � Wil McGilvery Manager, Digital Media � Lynch Technologies Inc. 416-744-7191 1-888-622-3729 416-744-0406� FAX www.lynchdigital.com -----Original Message----- From: Kevin O'Gorman [mailto:[EMAIL PROTECTED]] Sent: Thursday, October 03, 2002 1:27 PM To: Linux Users list Subject: Re: apache access log entry I'm not a real expert, but nobody else has answered in a few hours, so here's my take on it. It seems somebody tried for your site's main page ("GET /") and was refused access (400 - bad request). I do not know what to make of the "-" "-". ++ kevin On Thu, 3 Oct 2002, Ken Moffat wrote: > Anyone know what this line might mean in apache access.log? > > xxx.xxx.xxx.xx - - [02/Oct/2002:22:25:04 -0700] "GET / HTTP/1.1" 400 385 > "-" "-" > > (Sorry about the wrap. The x's were an ip address) > _______________________________________________ Linux-users mailing list [EMAIL PROTECTED] Unsubscribe/Suspend/Etc -> http://www.linux-sxs.org/mailman/listinfo/linux-users _______________________________________________ Linux-users mailing list [EMAIL PROTECTED] Unsubscribe/Suspend/Etc -> http://www.linux-sxs.org/mailman/listinfo/linux-users
