Well, that depends. Some of the IP's from the logs are webservers, some
are not. or have been :)) NT boxes that died
So, it's probably a code red infected machine, trying to reach others to
infect. I tried telnetting to port 80 to see some activity. With some
I've got no respons, which can mean box died, or webserver is on another
port.
grt Wouter
[On 02 Aug, 2001, Dennis Stampfer wrote in " Re: apache log entry "]
> Hi,
>
> This mail won't help you. Its a question from me:
>
> I read that 'Code Red' can infect only Windows ISS Server. Is this in
> your log file a attack from another ISS Server which is thinking yours
> is another ISS Server and trys to infect you?
>
> thanks,
> Dennis
>
>
> On Thu, Aug 02, 2001 at 08:27:13AM +0200, Wouter van Gils wrote:
> > Hi, today I came say a lot of these:
> >
> > tnt-7-28.easynet.co.uk - - [01/Aug/2001:21:59:02 +0200] "GET
> > /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> >
>NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> >
>NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u780
> >
>1%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u00
> > 00%u00=a HTTP/1.0" 404 205
> >
> >
> > is my apache logs from several ip's. Anyone have an idea of what they are. I've
>got about
> > 20 of them. Is this 'Code Red' stuff ?
>
> --
> [EMAIL PROTECTED]
> http://www.dstampfer.de
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Wouter van Gils -=- [EMAIL PROTECTED]
http://the-construct.cx/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
