RE: [PHP] new one is it ??
$headers); if($logt == "file") { fputs($fp,"$host " . date(r) . " - Email sent to $var\n"); } elseif($logt == "syslog") { syslog(LOG_WARNING,"Code red from $host email sent to $var"); } } } elseif(!empty($notabuse)) { while(list($key,$var) = each($notabuse)) { mail($var, $subject, $message, $headers); if($logt == "file") { fputs($fp, "$host " . date(r) . " - Email sent to $var\n"); } elseif($logt == "syslog") { syslog(LOG_WARNING,"Code red from $host email sent to $var"); } } } else { fputs($fp, "$host " . date(r) . " - Email not sent!\n"); } if($logt == "file") { fclose($fp); } elseif($logt == "syslog") { closelog(); } ?> -8<-8<-8<-8<-8<-8< -Original Message- From: David Robley [mailto:[EMAIL PROTECTED]] Sent: Monday, August 20, 2001 9:00 PM To: Bill Farrell Subject: Re: [PHP] new one is it ?? On Mon, 20 Aug 2001 23:44, [EMAIL PROTECTED] wrote: > Hiya again, Erik: > > Here's the barely-tested but apparently functional Code Red detector. > I added some variables at the top for configuring email destinations. > The important change is that it will query ARIN, RIPE, and APNIC until > it finds a reasonable answer. In the case of ARIN, it's necessary to > query twice to get the email address you REALLY want, due to the number > of Tier II providers in the States. Those don't always show up in the > WHOIS. That caused me to do a bit more looping and fiddling until the > answers came out the way I would expect if I were looking by eye. > > It may be a bit late for Code Red, but the part of the routine that > does the authority-queries is re-usable all over the place. The code > ain't pretty (I'm no PHP maven YET :-) but it appears to do the job. > > Enjoy! > Bill > Bill The mailing list strips attachments - if you include it in a message, point us to it or email it separately to us... Or I could stick it somewhere here where people can get at it. -- David Robley Techno-JoaT, Web Maintainer, Mail List Admin, etc CENTRE FOR INJURY STUDIES Flinders University, SOUTH AUSTRALIA Those who can't write, write help files.
RE: [PHP] new one is it ??
Title: RE: [PHP] new one is it ?? Hiya again, Erik: Here's the barely-tested but apparently functional Code Red detector. I added some variables at the top for configuring email destinations. The important change is that it will query ARIN, RIPE, and APNIC until it finds a reasonable answer. In the case of ARIN, it's necessary to query twice to get the email address you REALLY want, due to the number of Tier II providers in the States. Those don't always show up in the WHOIS. That caused me to do a bit more looping and fiddling until the answers came out the way I would expect if I were looking by eye. It may be a bit late for Code Red, but the part of the routine that does the authority-queries is re-usable all over the place. The code ain't pretty (I'm no PHP maven YET :-) but it appears to do the job. Enjoy! Bill -Original Message- From: Erik H. Mathy [mailto:[EMAIL PROTECTED]] Sent: Tuesday, August 14, 2001 3:43 PM To: Bill Farrell Subject: RE: [PHP] new one is it ?? No worries. I'm not going to get all worked up when something that's free takes a bit longer than expected! :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, August 14, 2001 2:45 PM To: [EMAIL PROTECTED] Subject: RE: [PHP] new one is it ?? Hey! Just wanted to let ya know that I didn't get time to work on it last night, but have been playing with it through the day. I should finish the thing tonight and test it. I hadn't forgot ya! Regards, B -Original Message- From: Erik H. Mathy [mailto:[EMAIL PROTECTED]] Sent: Monday, August 13, 2001 1:44 PM To: Bill Farrell Subject: RE: [PHP] new one is it ?? You da man! You da man! Or, in other words, that's awesome and, um, I'll take a copy when you're done. ;) - Erik > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] > Sent: Monday, August 13, 2001 12:44 PM > To: [EMAIL PROTECTED] > Subject: RE: [PHP] new one is it ?? > > > Way cool... with a bit of work, one could query ARIN, RIPE, and APNIC > until > an answer was received (that's what I'm modifying it to do) else die. > With > the timeout set to "forever", what would we care if it takes a few extra > seconds to go spy-out a potential > (would-be-if-we-were-running-IIS)intruder. > > The author made a really nifty framework and left it pretty easy to > modify. > I already swiped a copy (thanks, Mark!!) and am having a ball adding my > own > "bends" to it. > > Tim, the part that does the WHOIS query is only querying RIPE. I'm > modifying mine to loop through a known set of authorities (right now, > the > three I mentioned above) and to set a flag ($IGotIt or something I can > test > afterward with "if ( $IGotIt ) { yaddayadda }"), and to quit looking > when it > gets a reasonable answer. > > If I get it working before anyone else (doubtful, I'm still a bit slow > with > PHP and I'm also at work), I'd be more than happy to share. > > CY'all, > Bill > > -Original Message- > From: Tim [mailto:[EMAIL PROTECTED]] > Sent: Monday, August 13, 2001 1:16 PM > To: Mark Roedel > Cc: Mark Lo; php general > Subject: RE: [PHP] new one is it ?? > > > That's pretty cool. Alas, the 'whois' part of the code doesn't work > properly (at least on my system). > > - Tim > > On 13 Aug 2001 10:21:45 -0500, Mark Roedel wrote: > > I rather liked this approach that I saw posted in another list: > > > > http://www.klippan.seths.se/default.phps > > > > (Does some hostname/whois lookups on the infected server and attempts > to > > email some people who might be able to do something about it.) > > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > To contact the list administrators, e-mail: [EMAIL PROTECTED] > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP] new one is it ??
Well, you could send the junk data to micro$oft instead. -Original Message- From: Scott Brown [mailto:[EMAIL PROTECTED]] Sent: Monday, August 13, 2001 7:52 AM To: 'scott [gts]'; [EMAIL PROTECTED] Subject: RE: [PHP] new one is it ?? Unfortunately, you're punishing the infected person, rather than the instigator of the worm. I've read of people developing perl scriptlets that basically hold the connection open as long as possible by fooling the other side into thinking that it's got a host it's infecting... thereby slowing down the propagation of the worm. The numbers I saw indicated that with version 1 of the worm, and it's 100 threads, holding a connection as long as possible before timing out (which is what, 5 minutes?) slows the propagation of the worm 265,000% But (personally) I dont think it's appropriate to lash back against an infected machine (though a quick "why dont you patch your @#(*)( machines" to the network owner has been known to occur on occasion when I get hit by many many servers within a given netblock). > -Original Message- > From: scott [gts] [mailto:[EMAIL PROTECTED]] > Sent: Monday, August 13, 2001 10:38 AM > To: php > Subject: RE: [PHP] new one is it ?? > > > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > what about something like this ? > (just configure apache to have PHP handle *.ida files) > > // this is so our script won't time out > set_time_limit(0); > > // how many bytes of junk to generate > $jsize = 1024 * 10; > // how many times to print $junk > $jout = 1; > > // generate some random junk > $n = 0; > while ($n++ < $jsize) { > $junk .= chr( rand(1,200) ); > } > > $i = 0; > while ( $i++ < $jout ) { > print $junk; > } > > ?> > > > -Original Message- > > From: Tim [mailto:[EMAIL PROTECTED]] > > Subject: Re: [PHP] new one is it ?? > > > > > > Boy that looks familiar...my (apache) logs are full of 'em. > > > > I wonder if we can make a PHP script called default.ida > that sends back > > a big chunk of data and causes the worm to get a buffer > overflow? :) :) > > > > - Tim (glad I don't run IIS :) > > > > On 13 Aug 2001 22:27:06 +0800, Mark Lo wrote: > > > 208.251.146.123 - - [13/Aug/2001:22:24:27 +0800] "GET > > > > /default.ida?N > NN > > > > NN > NN > > > > NN > NN > > > > N%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u909 > 0%u6858%ucbd3% > > > > u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0 > 000%u00=a > > > HTTP/1.0" 400 333 - "-" "-" > > -BEGIN PGP SIGNATURE- > Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com> > > iQA/AwUBO3fmM8aXTGgZdrSUEQKRAgCgrGf+r6Fma17L39tEVp8lwanC+FwAoJlz > l7k1s47s8EdDHnM+jLZzDuL2 > =z2GG > -END PGP SIGNATURE- > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > To contact the list administrators, e-mail: > [EMAIL PROTECTED] > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP] new one is it ??
Way cool... with a bit of work, one could query ARIN, RIPE, and APNIC until an answer was received (that's what I'm modifying it to do) else die. With the timeout set to "forever", what would we care if it takes a few extra seconds to go spy-out a potential (would-be-if-we-were-running-IIS)intruder. The author made a really nifty framework and left it pretty easy to modify. I already swiped a copy (thanks, Mark!!) and am having a ball adding my own "bends" to it. Tim, the part that does the WHOIS query is only querying RIPE. I'm modifying mine to loop through a known set of authorities (right now, the three I mentioned above) and to set a flag ($IGotIt or something I can test afterward with "if ( $IGotIt ) { yaddayadda }"), and to quit looking when it gets a reasonable answer. If I get it working before anyone else (doubtful, I'm still a bit slow with PHP and I'm also at work), I'd be more than happy to share. CY'all, Bill -Original Message- From: Tim [mailto:[EMAIL PROTECTED]] Sent: Monday, August 13, 2001 1:16 PM To: Mark Roedel Cc: Mark Lo; php general Subject: RE: [PHP] new one is it ?? That's pretty cool. Alas, the 'whois' part of the code doesn't work properly (at least on my system). - Tim On 13 Aug 2001 10:21:45 -0500, Mark Roedel wrote: > I rather liked this approach that I saw posted in another list: > > http://www.klippan.seths.se/default.phps > > (Does some hostname/whois lookups on the infected server and attempts to > email some people who might be able to do something about it.) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP] new one is it ??
That's pretty cool. Alas, the 'whois' part of the code doesn't work properly (at least on my system). - Tim On 13 Aug 2001 10:21:45 -0500, Mark Roedel wrote: > I rather liked this approach that I saw posted in another list: > > http://www.klippan.seths.se/default.phps > > (Does some hostname/whois lookups on the infected server and attempts to > email some people who might be able to do something about it.) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP] new one is it ??
> -Original Message- > From: Tim [mailto:[EMAIL PROTECTED]] > Sent: Monday, August 13, 2001 9:38 AM > To: Mark Lo > Cc: php general > Subject: Re: [PHP] new one is it ?? > > > Boy that looks familiar...my (apache) logs are full of 'em. > > I wonder if we can make a PHP script called default.ida that > sends back a big chunk of data and causes the worm to get a > buffer overflow? :) :) I rather liked this approach that I saw posted in another list: http://www.klippan.seths.se/default.phps (Does some hostname/whois lookups on the infected server and attempts to email some people who might be able to do something about it.) --- Mark Roedel | "Blessed is he who has learned to laugh Systems Programmer| at himself, for he shall never cease LeTourneau University | to be entertained." Longview, Texas, USA | -- John Powell -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP] new one is it ??
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 you could, of course, throw a few sleep() stmnts in there to get the script to output a few bytes every few seconds and keep the connection active... :-) > -Original Message- > From: Scott Brown [mailto:[EMAIL PROTECTED]] > Subject: RE: [PHP] new one is it ?? > > > Unfortunately, you're punishing the infected person, rather than the > instigator of the worm. > > I've read of people developing perl scriptlets that basically hold the > connection open as long as possible by fooling the other side into thinking > that it's got a host it's infecting... thereby slowing down the propagation > of the worm. The numbers I saw indicated that with version 1 of the worm, > and it's 100 threads, holding a connection as long as possible before timing > out (which is what, 5 minutes?) slows the propagation of the worm 265,000% > > But (personally) I dont think it's appropriate to lash back against an > infected machine (though a quick "why dont you patch your @#(*)( machines" > to the network owner has been known to occur on occasion when I get hit by > many many servers within a given netblock). > > > -Original Message- > > From: scott [gts] [mailto:[EMAIL PROTECTED]] > > Sent: Monday, August 13, 2001 10:38 AM > > To: php > > Subject: RE: [PHP] new one is it ?? > > > > > > > > -BEGIN PGP SIGNED MESSAGE- > > Hash: SHA1 > > > > what about something like this ? > > (just configure apache to have PHP handle *.ida files) > > > > > // this is so our script won't time out > > set_time_limit(0); > > > > // how many bytes of junk to generate > > $jsize = 1024 * 10; > > // how many times to print $junk > > $jout = 1; > > > > // generate some random junk > > $n = 0; > > while ($n++ < $jsize) { > > $junk .= chr( rand(1,200) ); > > } > > > > $i = 0; > > while ( $i++ < $jout ) { > > print $junk; > > } > > > > ?> > > > > > -Original Message- > > > From: Tim [mailto:[EMAIL PROTECTED]] > > > Subject: Re: [PHP] new one is it ?? > > > > > > > > > Boy that looks familiar...my (apache) logs are full of 'em. > > > > > > I wonder if we can make a PHP script called default.ida > > that sends back > > > a big chunk of data and causes the worm to get a buffer > > overflow? :) :) > > > > > > - Tim (glad I don't run IIS :) > > > > > > On 13 Aug 2001 22:27:06 +0800, Mark Lo wrote: > > > > 208.251.146.123 - - [13/Aug/2001:22:24:27 +0800] "GET > > > > > > /default.ida?N > > NN > > > > > > NN > > NN > > > > > > NN > > NN > > > > > > N%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u909 > > 0%u6858%ucbd3% > > > > > > u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0 > > 000%u00=a > > > > HTTP/1.0" 400 333 - "-" "-" > > > > -BEGIN PGP SIGNATURE- > > Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com> > > > > iQA/AwUBO3fmM8aXTGgZdrSUEQKRAgCgrGf+r6Fma17L39tEVp8lwanC+FwAoJlz > > l7k1s47s8EdDHnM+jLZzDuL2 > > =z2GG > > -END PGP SIGNATURE- > > > > > > -- > > PHP General Mailing List (http://www.php.net/) > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] > > To contact the list administrators, e-mail: > > [EMAIL PROTECTED] > > > > > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > To contact the list administrators, e-mail: [EMAIL PROTECTED] -BEGIN PGP SIGNATURE- Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com> iQA/AwUBO3foz8aXTGgZdrSUEQITGQCgwxmL0KexmBSj+FBC4uyv6XXhr30AoJie j67nEMhjOm2Jh8w4tLaofCSq =CpO9 -END PGP SIGNATURE- -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP] new one is it ??
Unfortunately, you're punishing the infected person, rather than the instigator of the worm. I've read of people developing perl scriptlets that basically hold the connection open as long as possible by fooling the other side into thinking that it's got a host it's infecting... thereby slowing down the propagation of the worm. The numbers I saw indicated that with version 1 of the worm, and it's 100 threads, holding a connection as long as possible before timing out (which is what, 5 minutes?) slows the propagation of the worm 265,000% But (personally) I dont think it's appropriate to lash back against an infected machine (though a quick "why dont you patch your @#(*)( machines" to the network owner has been known to occur on occasion when I get hit by many many servers within a given netblock). > -Original Message- > From: scott [gts] [mailto:[EMAIL PROTECTED]] > Sent: Monday, August 13, 2001 10:38 AM > To: php > Subject: RE: [PHP] new one is it ?? > > > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > what about something like this ? > (just configure apache to have PHP handle *.ida files) > > // this is so our script won't time out > set_time_limit(0); > > // how many bytes of junk to generate > $jsize = 1024 * 10; > // how many times to print $junk > $jout = 1; > > // generate some random junk > $n = 0; > while ($n++ < $jsize) { > $junk .= chr( rand(1,200) ); > } > > $i = 0; > while ( $i++ < $jout ) { > print $junk; > } > > ?> > > > -Original Message- > > From: Tim [mailto:[EMAIL PROTECTED]] > > Subject: Re: [PHP] new one is it ?? > > > > > > Boy that looks familiar...my (apache) logs are full of 'em. > > > > I wonder if we can make a PHP script called default.ida > that sends back > > a big chunk of data and causes the worm to get a buffer > overflow? :) :) > > > > - Tim (glad I don't run IIS :) > > > > On 13 Aug 2001 22:27:06 +0800, Mark Lo wrote: > > > 208.251.146.123 - - [13/Aug/2001:22:24:27 +0800] "GET > > > > /default.ida?N > NN > > > > NN > NN > > > > NN > NN > > > > N%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u909 > 0%u6858%ucbd3% > > > > u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0 > 000%u00=a > > > HTTP/1.0" 400 333 - "-" "-" > > -BEGIN PGP SIGNATURE- > Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com> > > iQA/AwUBO3fmM8aXTGgZdrSUEQKRAgCgrGf+r6Fma17L39tEVp8lwanC+FwAoJlz > l7k1s47s8EdDHnM+jLZzDuL2 > =z2GG > -END PGP SIGNATURE- > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > To contact the list administrators, e-mail: > [EMAIL PROTECTED] > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP] new one is it ??
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 what about something like this ? (just configure apache to have PHP handle *.ida files) > -Original Message- > From: Tim [mailto:[EMAIL PROTECTED]] > Subject: Re: [PHP] new one is it ?? > > > Boy that looks familiar...my (apache) logs are full of 'em. > > I wonder if we can make a PHP script called default.ida that sends back > a big chunk of data and causes the worm to get a buffer overflow? :) :) > > - Tim (glad I don't run IIS :) > > On 13 Aug 2001 22:27:06 +0800, Mark Lo wrote: > > 208.251.146.123 - - [13/Aug/2001:22:24:27 +0800] "GET > > /default.ida?NNN > > > > > > N%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3% > > u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u%u00=a > > HTTP/1.0" 400 333 - "-" "-" -BEGIN PGP SIGNATURE- Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com> iQA/AwUBO3fmM8aXTGgZdrSUEQKRAgCgrGf+r6Fma17L39tEVp8lwanC+FwAoJlz l7k1s47s8EdDHnM+jLZzDuL2 =z2GG -END PGP SIGNATURE- -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] new one is it ??
Boy that looks familiar...my (apache) logs are full of 'em. I wonder if we can make a PHP script called default.ida that sends back a big chunk of data and causes the worm to get a buffer overflow? :) :) - Tim (glad I don't run IIS :) On 13 Aug 2001 22:27:06 +0800, Mark Lo wrote: > 208.251.146.123 - - [13/Aug/2001:22:24:27 +0800] "GET > /default.ida?NNN > > > N%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3% > u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u%u00=a > HTTP/1.0" 400 333 - "-" "-" -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] new one is it ??
No, that's the rather old one. That would be CR1. Tyler Longren Captain Jack Communications [EMAIL PROTECTED] www.captainjack.com On Mon, 13 Aug 2001 22:27:06 +0800 "Mark Lo" <[EMAIL PROTECTED]> wrote: > 208.251.146.123 - - [13/Aug/2001:22:24:27 +0800] "GET > /default.ida?NNN > > > N%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3% > u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u%u00=a > HTTP/1.0" 400 333 - "-" "-" > > > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > To contact the list administrators, e-mail: [EMAIL PROTECTED] > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
[PHP] new one is it ??
208.251.146.123 - - [13/Aug/2001:22:24:27 +0800] "GET /default.ida?NNN N%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3% u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u%u00=a HTTP/1.0" 400 333 - "-" "-" -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]