hi all,

on sunday our apache logged the thing below:

62.193.140.34 - - [09/Sep/2001:08:08:04 +0200] "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ---cut---

followed by a lot more 'X' and the typical encoded strings. at 13:28 +0200 i got exactly the same 'request' again.

1. there is no GET-request for anything, so apache said '400' aka 'bad request'
2. fewer 'X' have been used than in a normal attempt. there were only 192 instead of 223, which i think is the 'standard' amount.

the site seems to be a kind of search portal for parents and kids and looks like it is under construction. it's running IIS 5 on w2k according to netcraft.

i mailed the admin-c of the net and am awaiting an answer, but nevertheless i thought the list could shed some light on where this thing might come from. a crippled worm? a bored user? spoofing? ...?

regards
axel fehrs
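A log triage sketch for the pattern reported above, added here as an example and not part of the original post: it picks out access-log entries whose request field has no HTTP method and starts with a long run of 'X', records the run length, and groups repeats per source. It assumes Apache Common Log Format; the function names, the `min_run` threshold and the sample lines (documentation addresses, payload elided) are constructed for illustration.

```python
import re
from collections import Counter

# Common Log Format; the quoted request field is captured whole.
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\S+)$')
METHODS = ("GET ", "HEAD ", "POST ", "PUT ", "DELETE ",
           "OPTIONS ", "TRACE ", "CONNECT ")

def leading_run(s, ch="X"):
    """Length of the run of `ch` at the start of s."""
    return len(s) - len(s.lstrip(ch))

def triage(lines, min_run=32):
    """Return (ip, timestamp, status, run_length) for requests that carry
    no HTTP method and begin with a filler run of at least min_run."""
    hits = []
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # not a CLF line; ignore rather than guess
        ip, ts, request, status, _size = m.groups()
        if request.startswith(METHODS):
            continue  # well-formed request line, out of scope here
        run = leading_run(request)
        if run >= min_run:
            hits.append((ip, ts, int(status), run))
    return hits

def repeats(hits):
    """Count hits per (ip, run_length) to spot the same request re-sent."""
    return Counter((ip, run) for ip, _ts, _status, run in hits)

# Constructed sample lines, not taken from any real log.
SAMPLE = [
    '192.0.2.10 - - [09/Sep/2001:08:08:04 +0200] "'
    + "X" * 192 + '[payload elided]" 400 -',
    '192.0.2.10 - - [09/Sep/2001:13:28:00 +0200] "'
    + "X" * 192 + '[payload elided]" 400 -',
    '192.0.2.77 - - [09/Sep/2001:09:00:00 +0200] '
    '"GET /index.html HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
    print(repeats(triage(SAMPLE)))
```

Comparing the reported run length across sources and days shows whether one sender is repeating a fixed request or several senders share the same variant.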
This archive was generated by hypermail 2b30 : Mon Sep 10 2001 - 08:38:38 PDT