papepo55
09-10-2002, 06:33 PM
Several people access my site and IP address are all different area.
But the accesslog shows the same as below.
What does that mean? Does anyone explain what they are doing?
IPaddress - - [10/Sep/2002:03:24:54 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%HTTP/1.0" 400 320 "-" "-"
-----------------------------------
Edited to prevent access.
That's an attempt for an exploit in Microsoft IIS.
2host.com
09-10-2002, 07:12 PM
Originally posted by papepo55
Several people access my site and IP address are all different area.
But the accesslog shows the same as below.
What does that mean? Does anyone explain what they are doing?
IPaddress - - [10/Sep/2002:03:24:54 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucb d3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 320 "-" "-"
As explained above, it's an exploit. There's a lot of people out there that set up Windows servers because they are "easy" for a lot of people. IIS had an exploit, so someone wrote a worm to scan Windows systems to exploit this, infect the system it exploits and that system then also goes looking. It's not a very smart worm, because it doesn't even try and check to see if it's a system running IIS. The point is, it's not any 'person' or 'people' trying to exploit your system/site, it's just a worm with no mind of it's own trying to hit every IP in the world to propagate.
Anyway, too many people that had no clue were running these and still are, so there's a large number of Windows servers still infected with and running this worm that don't even know it. Get used to things like this, because this, like the Klez virus, will continue for a long time to come. If you're running Windows, be sure to keep things updated and patched. If you're not, don't worry about this particular worm. Of course, you need to keep any OS updated or patched, but not like you do for a system with IIS.
