Jump to content
The Uniform Server Community

Strange entries into access.log


Recommended Posts

Posted

Hi guys,

 

I have no idea if this is the place to ask, so you'll have to forgive me.

I'm hosting my domain with my computer and uniformServer as... server.

 

Today while reading access.log (just pure curiosrity) I observed some really strange entries into the log. If necessary I can post all entries I'm talking about, but for now I will just post a fragment.

I can see in the error.log that the requests are treated either as "File does not exist" or "URI too long". Never the less, is someone trying to atack the server or what?

Here's a fragment:

>> 211.158.113.35 - - [23/Mar/2005:20:02:10 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u

6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u

00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 1323

 

>> 222.91.35.92 - - [23/Mar/2005:20:10:49 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%

ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%

u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 1323

 

>>216.251.92.99 - - [23/Mar/2005:20:18:30 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

XXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%

u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%

u53ff%u0078%u0000%u00=a HTTP/1.0" 404 1323

 

There are few some are really really long, looking like "x90\x02\xb1\x02\xb1\x".

 

Any ideas? Do you know what deault.ida might be? There is no such file on my server.

Posted

Hmm.. It could be a hacker or a bot. It may also not be it if it is occuring from different IPs. If it is happening from different IPs, then it is not a hacker, but could be a search bot or something like that...

Posted

Except for the file name it rather looks like the Santy-worm that attacks phpBB boards - my guess is that those are hacking attempts, from either an actual hacker or from hacked PCs.

  • 1 month later...
Posted

you should see my server logs... omfg, they're full of crap like that..

 

i dont care so much about those, that's what debian and apache are for. B)

 

but the scumbags who work for the riaa and their web crawlers that disobey or ignore robots.txt, and hammer away at a site as fast as they can.. i have a nifty, slow-loading, little infinite bot trap black hole for them, and the worst ones get filtered at the firewall instead. am looking at a dynamic robots.txt though, i saw a site that has an example in perl, it's pretty sweet.. ahh, here it is.. a little outdated, but it gives me a place to start... http://www.leekillough.com/robots.html

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
×
  • Create New...