Hi,
I think that it's either Code Red or Nimda. Should be harmless. It
only hurts servers running IIS or Cisco 675/678 DSL routers that haven't
been patched.
Bill
On Sun, 9 Jun 2002, Gregory Nowak wrote:
> Hi all,
>
> I've noticed a small number of entries like the one below in my /var/log/apache/access_log file. In the below sample, "x.x.x.x" represents the ip address.
>
>
> x.x.x.x - - [09/Jun/2002:18:54:52 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 334
>
>
> Is someone or actually a group of people trying to compromise my web server? Is it possible to tell from the above log entry how they are trying to compromise apache? Thanks.
> Greg
>
>
> _______________________________________________
> Speakup mailing list
> Speakup at braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup
>
