[thelist] Weird Log Entries

Ben Dyer ben_dyer at imaginuity.com
Thu Aug 2 16:39:32 CDT 2001


That's Code Red.

http://www.cert.org/archive/html/coderedannounce.html (Among others)

The biggest hype and peter-out since Y2K.

If you're all patched up (or not on Win2K) you're fine.

--Ben

At 04:25 PM 8/2/2001, you wrote:
>Looking through my server logs tonight, I found dozens of things like this:
>
>211.63.195.234 - - [01/Aug/2001:17:06:53 -0500] "GET
>/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
>NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
>NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
>NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
>u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
>HTTP/1.0" 404 858 "-" "-"
>
>[all on one line in the original, of course]
>
>Each time it comes from a different IP; sometimes the domain names are
>shown (e.g. caipsnt.hallym-c.ac.kr), so I can see that they come from all
>over the world. No one is clicking on a link for this, otherwise surely the
>referring URL would show up, as it does in other log entries where a link
>was clicked. The long nonsense string is always exactly the same. Is it
>Unicode? How does one translate this?
>
>This happened about a month ago for two days, then stopped. Now here it is
>again.
>
>Does anyone have any idea what might be going on?

<!-----------------------
Ben Dyer
Senior Internet Developer
Imaginuity Interactive
http://www.imaginuity.com
//---------------------->






More information about the thelist mailing list