Re: Apache log.

From: Benjamin Stocker (bstocker@media-plus.ch)
Date: 08/15/01


Date: Wed, 15 Aug 2001 15:57:16 +0200
From: Benjamin Stocker <bstocker@media-plus.ch>
To: security-discuss@linuxsecurity.com
Subject: Re: Apache log.
Message-ID: <20010815155716.A21582@media-plus.ch>

On Wed, Aug 15, 2001 at 10:50:41AM -0300, Bruno Gimenes Pereti wrote:
> Hello friends,

Hello Bruno,

> Does anyone know what this strange log in my
> /var/log/httpd/access_log means?
> I have a lot of them.
> My system: redhat 7.1, apache 1.3.19-5.
>
> [...]
> 211.47.197.77 - - [12/Aug/2001:05:34:27 -0300] "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%
> u6858%ucbd3%u7801%u9090%u6858%ucbd
> 3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u5
> 3ff%u0078%u0000%u00=a HTTP/1.0" 4
> 00 333 "-" "-"

This looks like Code Red I...

> 200.62.135.11 - - [12/Aug/2001:05:37:21 -0300] "GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%
> u6858%ucbd3%u7801%u9090%u6858%ucbd
> 3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u5
> 3ff%u0078%u0000%u00=a HTTP/1.0" 4
> 04 265 "-" "-"
> [...]

...and this like Code Red II/III!

I also have dozens of such attempts in my logfiles.

Cheers, Benjamin
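
Added example (not part of the original message): a Python script that scans access_log lines for the /default.ida requests quoted above and labels each by its padding character, following the reply's reading (a run of N as Code Red I, a run of X as Code Red II/III). The regexes, the 50-character padding threshold, the function names and the sample lines are assumptions constructed for illustration; log entries are assumed to be unwrapped, one per line.

```python
import re
from collections import Counter

# Apache log prefix: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+')
# /default.ida query that starts with a long run of one padding character
# followed by %uXXXX-encoded data, as in the quoted log lines.
PROBE_RE = re.compile(r'^GET /default\.ida\?(N{50,}|X{50,})(?:%u[0-9a-fA-F]{4})+')
# Labels follow the attribution given in the reply above.
LABELS = {"N": "Code Red I", "X": "Code Red II/III"}


def classify(line):
    """Return (host, label, status) for a matching probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, _when, request, status = m.groups()
    probe = PROBE_RE.match(request)
    if not probe:
        return None
    return host, LABELS[probe.group(1)[0]], int(status)


def summarize(lines):
    """Count probes per label and collect the distinct source hosts."""
    counts, hosts = Counter(), {}
    for line in lines:
        hit = classify(line)
        if hit:
            host, label, _status = hit
            counts[label] += 1
            hosts.setdefault(label, set()).add(host)
    return counts, hosts


def _sample(host, pad, status):
    # Constructed log line; the encoded tail is shortened from the quoted one.
    tail = "%u9090%u6858%ucbd3%u7801%u9090"
    return (f'{host} - - [12/Aug/2001:05:34:27 -0300] "GET /default.ida?'
            f'{pad * 224}{tail}%u00=a HTTP/1.0" {status} 333 "-" "-"')


# Constructed sample input (documentation-range addresses, not real hosts).
SAMPLE = [_sample("192.0.2.10", "N", 400), _sample("198.51.100.7", "X", 404),
          _sample("198.51.100.7", "X", 404),
          '203.0.113.5 - - [12/Aug/2001:05:40:00 -0300] "GET /index.html HTTP/1.0" 200 1024 "-" "-"']

if __name__ == "__main__":
    counts, hosts = summarize(SAMPLE)
    for label in counts:
        print(label, counts[label], sorted(hosts[label]))
```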