
am i being wormed? aaugh!



i get this http request a couple of times every hour via my own
home-grown DBIlog.pm (mod-perl/apache) httpd logger:

at       | 2001-07-19 10:19:18-05
client   | 216.82.8.136
method   | GET
server   | www.serensoft.com
url      |
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3
	[and that's truncated!]
who      | 
referer  | ?
browser  | ?
status   | 404
bytes    | 1686
wall     | 1
cpuuser  | 0
cpusys   | 0
cpucuser | 0.47
cpucsys  | 0.02

> select at,client from hits where url like '%NNNNNNNN%';
(62 rows)

worse, when i turned on normal text-format logging, i saw this:
www.worm.com Accept: */* 64.130.248.101 - - [03/Aug/2001:16:11:29 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200 1622 "-" "-"
www.worm.com Accept: */* 194.78.202.75 - - [03/Aug/2001:16:12:38 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200 1622 "-" "-"

this is with a custom log format of
LogFormat "%{Host}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" virtual

so i'm getting "Host: www.worm.com" as an incoming header (which,
trust me, is NOT a domain pointing to my server).

comments? can i panic now?

-- 
DEBIAN NEWBIE TIP #57 from Steve Kowalik <stevenk@hasnolife.com>
:
Wondering HOW TO SET YOUR TIME ZONE? Your system clock may be
showing UTC or GMT but you want it to display PDT (or whatever).
Just run "tzconfig" as root. (You're sure to have it on your
debian system already -- it's provided in package "libc6".)

Also see http://newbieDoc.sourceForge.net/ ...
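
An added example, not part of the original post: one way to triage lines written in the "virtual" LogFormat quoted above, flagging `.ida` requests with long single-character padding and `%uXXXX` escapes, plus a Host header that names a site the server does not serve. The sample lines are constructed (documentation addresses, shortened query strings), and the function names and the assumption that `%h` is logged as an IPv4 address are this example's own.

```python
import re

# Fields of the page's "virtual" LogFormat. The Host value is matched lazily
# because it can contain spaces (the page logs "www.worm.com Accept: */*").
# Assumption: %h is logged as an IPv4 address, as in the page's samples.
LINE = re.compile(
    r'^(?P<host>.*?) (?P<client>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ '
    r'\[(?P<time>[^\]]+)\] "(?P<request>.*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>.*?)" "(?P<agent>.*)"$'
)
PADDING = re.compile(r'(.)\1{99,}')         # 100+ repeats of one character
U_ESCAPE = re.compile(r'%u[0-9a-fA-F]{4}')  # %uXXXX escapes in the query

def classify(line, served_hosts):
    """Return (client, time, status, reasons), or None if the line does not parse."""
    m = LINE.match(line)
    if m is None:
        return None
    reasons = []
    parts = m["request"].split(" ")
    target = parts[1] if len(parts) >= 2 else ""
    path, _, query = target.partition("?")
    if path.lower().endswith(".ida"):
        reasons.append("ida-request")
    if PADDING.search(query):
        reasons.append("long-padding")
    if U_ESCAPE.search(query):
        reasons.append("u-escapes")
    # Only the first token of the logged Host value is the host name itself.
    if m["host"].split(" ")[0].lower() not in served_hosts:
        reasons.append("foreign-host-header")
    return m["client"], m["time"], int(m["status"]), reasons

# Constructed sample lines, not copied from the post.
SAMPLE = [
    'www.worm.com Accept: */* 192.0.2.10 - - [03/Aug/2001:16:11:29 -0500] '
    '"GET /default.ida?' + "N" * 224 + '%u9090%u6858=a HTTP/1.0" 200 1622 "-" "-"',
    'www.serensoft.com 198.51.100.7 - - [03/Aug/2001:16:12:00 -0500] '
    '"GET /index.html HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
]

def suspicious(lines, served_hosts=frozenset({"www.serensoft.com"})):
    """Keep only parsed lines that triggered at least one reason."""
    hits = [classify(line, served_hosts) for line in lines]
    return [h for h in hits if h and h[3]]

if __name__ == "__main__":
    for client, when, status, reasons in suspicious(SAMPLE):
        print(client, when, status, ",".join(reasons))
```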


