It's CodeRed trying to infect you.  Don't worry, you're good to go.
There are three other worms floating around.  If you look through the
log and see the same info except with NNNN in there, that's the first
strand of the worm.

There are also two worms going around that try and run a cmd.exe on the
machine, and of course we don't have that on our machines do we?

203.164.3.164 - - [09/Jun/2001:11:51:25 -0400] "GET
/scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir
HTTP/1.0" 404 332 "-" "-"

That's one of them.  We are safe until they decide to try and exploit a
hole in Apache, of which the last hole Apache had they released an
update.  I believe that was about 2 or 3 months ago.

It's not 'normal' but you're going to get those for a while now, until
all the world patches their IIS servers or they all switch to Apache!  Or
if somebody creates a worm to fix the worm.  Which I know a few people
have rumored to try!
tdh

--
T. Holmes
-----------------
UNIXTECHS.org
[EMAIL PROTECTED]
-----------------
"Real Men Use Vi!"

Uptime:
  --------------------------------------------------------------------
    3:59pm  up 3 days,  2:54,  7 users,  load average: 0.00, 0.00, 0.00
  --------------------------------------------------------------------
| I have this in my access log for apache, is this normal?
| 
| 65.84.202.130 - - [04/Aug/2001:14:41:51 -0400] "GET 
| 
|/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
| 
|  HTTP/1.0" 404 306 "-" "-"
| 
  ------------------------------------------------------------------ 
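
An added example, not part of the original message: a small classifier that sorts Apache access-log lines into the request types discussed in this thread (`/default.ida?` with N or X padding, and the `cmd.exe` probe) and lists any probe that did not get a 404. The function names, labels, the non-404 rule and the sample lines are assumptions made for this example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache access-log prefix: client host, timestamp, request line, status code.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Signatures taken from the two requests quoted in this thread.
IDA_RE = re.compile(r'^/default\.ida\?(N{16,}|X{16,})')
CMD_RE = re.compile(r'cmd\.exe', re.IGNORECASE)

def classify(line):
    """Return (host, status, label), or None if the line does not parse."""
    m = LINE_RE.match(" ".join(line.split()))  # undo mail-client line wrapping
    if m is None:
        return None
    path = m.group("path")
    ida = IDA_RE.match(path)
    if ida:
        label = "default.ida-" + ida.group(1)[0]  # padding letter: N or X
    elif CMD_RE.search(unquote(path)):  # match on the percent-decoded path
        label = "cmd.exe-probe"
    else:
        label = "other"
    return m.group("host"), int(m.group("status")), label

def summarize(lines):
    """Count requests per label and list probes that did not get a 404."""
    counts, answered = Counter(), []
    for hit in filter(None, map(classify, lines)):
        host, status, label = hit
        counts[label] += 1
        if label != "other" and status != 404:
            answered.append(hit)
    return counts, answered

# Constructed sample lines modelled on the thread (padding and traversal
# shortened, addresses from the 192.0.2.0/24 documentation range).
SAMPLE = [
    '192.0.2.10 - - [04/Aug/2001:14:41:51 -0400] "GET /default.ida?' + "X" * 40 + '%u9090%u6858 HTTP/1.0" 404 306 "-" "-"',
    '192.0.2.11 - - [20/Jul/2001:09:12:03 -0400] "GET /default.ida?' + "N" * 40 + '%u9090%u6858 HTTP/1.0" 404 306 "-" "-"',
    '192.0.2.12 - - [09/Jun/2001:11:51:25 -0400] "GET\n/scripts/..%c0%af../winnt/system32/cmd.exe?/c%20dir\nHTTP/1.0" 404 332 "-" "-"',
    '192.0.2.13 - - [09/Jun/2001:11:52:10 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c%20dir HTTP/1.0" 200 512 "-" "-"',
    '192.0.2.14 - - [09/Jun/2001:11:53:00 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "-"',
]
```

Calling `summarize(SAMPLE)` returns the per-label counts and the one constructed probe that was answered with a status other than 404.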
