
Re: found this in my /var/log/apache/access.log



It's a trojan virus that tries to find any vulnerable IIS using random IPs.
This is not in itself a dangerous attack (of course, if you have an IIS around, it
is); indeed, it is not intended for you.

"Konstantin Filtschew" <mailoperator@uni.de> writes:

> hi,
>
> found this in my /var/log/apache/access.log, what does that mean:
>
> 217.37.212.241 - - [04/May/2003:15:17:22 +0200] "GET
> /default.ida?XXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u
> 9090
> %u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b
> 00%u
> 531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 277 "-" "-"
> 217.128.213.22 - - [04/May/2003:14:50:16 +0200] "GET
> /default.ida?XXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u
> 9090
> %u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b
> 00%u
> 531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 277 "-" "-"
> 217.218.66.141 - - [04/May/2003:13:39:56 +0200] "GET
> /default.ida?XXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u
> 9090
> %u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b
> 00%u
> 531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 277 "-" "-"
> 212.65.17.26 - - [04/May/2003:06:30:32 +0200] "GET
> /.hash=680d6f5c4d584f6b5d941a
> f136938db3751a840b HTTP/1.1" 404 324 "-" "-"
> 212.65.17.26 - - [04/May/2003:06:30:32 +0200] "GET
> /.hash=e175a0da67b1fefbb5acd8
> cdc7ccc516ede015d1 HTTP/1.1" 404 324 "-" "-"
> 212.65.17.26 - - [04/May/2003:06:30:32 +0200] "GET
> /.hash=8c10ba0aae81edb7ae51eb
> 156b2fcb770b66864a HTTP/1.1" 404 324 "-" "-"
>
>
>
> thx for help
>
> Konstantin Filtschew
>
>
>
>

-- 
Andres Roldan, CSO
Fluidsignal Group
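
An added example, not part of the original thread: a small Python filter that picks the `/default.ida?` probes shown in the quoted log out of an Apache access log and separates the ones the server rejected from any it did not. The function names, the 64-character filler threshold, the status-code rule and the sample lines are assumptions made for this illustration.

```python
import re

# Apache common/combined log line: host ident user [time] "request" status size
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Shape of the quoted probe: /default.ida? followed by a long run of one filler
# letter, then IIS-style %uXXXX escapes. The 64-character floor is an assumption.
FILL_RE = re.compile(r'^/default\.ida\?(?P<c>[A-Za-z])(?P=c){63,}', re.I)
UESC_RE = re.compile(r'%u[0-9a-fA-F]{4}')

def classify(line):
    """Return a dict for a line matching the probe shape, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    target = m["target"]
    if not (FILL_RE.match(target) and UESC_RE.search(target)):
        return None
    status = int(m["status"])
    # Assumption: a 4xx means the server had nothing to hand the request to
    # (as with the 404s in the thread); any other status deserves a closer look.
    verdict = "rejected" if 400 <= status < 500 else "investigate"
    return {"host": m["host"], "status": status, "verdict": verdict}

def summarize(lines):
    """Count probes, list their sources, and list sources that were not rejected."""
    hits = [h for h in map(classify, lines) if h]
    return {
        "probes": len(hits),
        "sources": sorted({h["host"] for h in hits}),
        "investigate": sorted({h["host"] for h in hits if h["verdict"] != "rejected"}),
    }

# Constructed sample lines (documentation addresses, shortened payload), not real logs.
FILL = "X" * 224
SAMPLE_LOG = [
    f'192.0.2.10 - - [04/May/2003:15:17:22 +0200] "GET /default.ida?{FILL}%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 277 "-" "-"',
    '192.0.2.11 - - [04/May/2003:15:18:01 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "-"',
    f'192.0.2.12 - - [04/May/2003:15:19:40 +0200] "GET /default.ida?{FILL}%u9090%u6858=a HTTP/1.0" 200 512 "-" "-"',
    '192.0.2.13 - - [04/May/2003:15:20:05 +0200] "GET /default.ida?page=1 HTTP/1.1" 404 277 "-" "-"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

To run it against a real log, pass the open file to `summarize()` in place of `SAMPLE_LOG`.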


