am i being wormed? aaugh!
i get this http request a couple of times every hour via my own
home-grown DBIlog.pm (mod-perl/apache) httpd logger:
at | 2001-07-19 10:19:18-05
client | 216.82.8.136
method | GET
server | www.serensoft.com
url |
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3
[and that's truncated!]
who |
referer | ?
browser | ?
status | 404
bytes | 1686
wall | 1
cpuuser | 0
cpusys | 0
cpucuser | 0.47
cpucsys | 0.02
> select at,client from hits where url like '%NNNNNNNN%';
at | client
------------------------+-----------------
(62 rows)
worse, when i turned on normal text-format logging, i saw this:
www.worm.com Accept: */* 64.130.248.101 - - [03/Aug/2001:16:11:29 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200 1622 "-" "-"
www.worm.com Accept: */* 194.78.202.75 - - [03/Aug/2001:16:12:38 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200 1622 "-" "-"
this is with a custom log format of
LogFormat "%{Host}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" virtual
so i'm getting "Host: www.worm.com" as an incoming header (which,
trust me, is NOT a domain pointing to my server).
comments? can i panic now?
--
DEBIAN NEWBIE TIP #57 from Steve Kowalik <stevenk@hasnolife.com>:
Wondering HOW TO SET YOUR TIME ZONE? Your system clock may be
showing UTC or GMT but you want it to display PDT (or whatever).
Just run "tzconfig" as root. (You're sure to have it on your
debian system already -- it's provided in package "libc6".)
Also see http://newbieDoc.sourceForge.net/ ...
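
An added example, not part of the original post: one way to pick these requests out of a text log written with the "virtual" LogFormat quoted above, and to count them per client. The signature regex, the `scan` function and the sample lines are assumptions made for this example; the sample lines are constructed, with documentation addresses and a shortened payload.

```python
import re
from collections import Counter

# Tail of the page's "virtual" LogFormat: %h %l %u %t "%r" %>s %b "Referer" "User-Agent".
# The leading %{Host}i field is matched lazily because in the page's sample it
# contains spaces ("www.worm.com Accept: */*"), so whitespace splitting misparses it.
LINE_RE = re.compile(
    r'^(?P<host>.*?) (?P<client>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ '
    r'\[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)(?: \S+)?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "[^"]*" "[^"]*"$'
)

# Heuristic signature (an assumption of this example): a request for an .ida
# resource whose query is 64+ repeats of one filler character followed by
# %uXXXX-encoded sequences, as in the logged URL.
SIG_RE = re.compile(r'^/[^?]*\.ida\?(?P<fill>(.)\2{63,})(?:%u[0-9a-f]{4})+', re.I)

def scan(lines, local_hosts):
    """Return (hits, per-client counts) for log lines matching the signature."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        sig = SIG_RE.match(m["url"]) if m else None
        if not sig:
            continue
        host = (m["host"].split() or ["-"])[0].lower()
        hits.append({
            "client": m["client"],
            "time": m["time"],
            "status": int(m["status"]),
            "filler_len": len(sig["fill"]),
            # True when the Host header names a site this server does not serve
            "foreign_host": host not in local_hosts,
        })
    return hits, Counter(h["client"] for h in hits)

# Constructed sample lines (documentation addresses, shortened payload).
FILL = "N" * 224
SAMPLE = [
    'www.worm.com Accept: */* 192.0.2.10 - - [03/Aug/2001:16:11:29 -0500] '
    f'"GET /default.ida?{FILL}%u9090%u9090=a HTTP/1.0" 200 1622 "-" "-"',
    'www.serensoft.com 198.51.100.7 - - [03/Aug/2001:16:12:00 -0500] '
    '"GET /index.html HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    'www.serensoft.com 203.0.113.5 - - [03/Aug/2001:16:13:00 -0500] '
    f'"GET /default.ida?{FILL}%u9090=a HTTP/1.0" 404 1686 "-" "-"',
]

if __name__ == "__main__":
    hits, per_client = scan(SAMPLE, {"www.serensoft.com"})
    print(*hits, per_client.most_common(), sep="\n")
```

Pass the set of hostnames the server really answers for as `local_hosts`; a hit with `foreign_host` set came in with a Host header for some other site.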