Koozali.org: home of the SME Server

Legacy Forums => General Discussion (Legacy) => Topic started by: Mike on July 04, 2003, 06:35:21 AM

Title: Query
Post by: Mike on July 04, 2003, 06:35:21 AM
www.mydomain.com 203.131.122.194 - - [03/Jul/2003:17:01:49 +0800] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 205 "-" "-"

Where 203.131.122.194 is a foreign address; I don't know this IP.

What does this mean? Is there some intruder entering my server?

Any suggestions...

Mike
Title: Re: Query
Post by: Andrew Rosenau on July 04, 2003, 07:04:25 AM
A search on http://www.apnic.net/apnic-bin/whois.pl shows that the IP is registered over in the Philippines. Whether it's a hacker I don't know, but that's the IP owner.
Title: Re: Query
Post by: Cyrus Bharda on July 04, 2003, 07:28:46 AM
Mike,

What log are you getting this in? To me it looks like a simple HTTP GET request, but I really am taking a stab in the dark at that. I certainly do not recognise it, so I really do not know what it is; I'm just speculating.

Cyrus Bharda
Title: Re: Query
Post by: Michael P. Soulier on July 04, 2003, 07:50:12 AM
Mike wrote:
>
> www.mydomain.com 203.131.122.194 - - [03/Jul/2003:17:01:49
> +0800] "GET
> /default.ida?

Looks like Nimda or CodeRed. The owner of the IP probably doesn't know that their box is infected. Apache is immune, so don't worry about it.

Mike
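As an added example (mine, not code from this thread or from SME Server), here is a small Python classifier that parses the vhost-prefixed Apache access-log line Mike posted, flags the default.ida/%u request as a Code Red-family probe, decodes the %u-encoded payload to show the 0x90 (x86 NOP) bytes it carries, and also flags Nimda-style root.exe/cmd.exe requests. The 404 status is the detail that matters: Apache has no .ida handler, so nothing ran. The Nimda line and the ordinary request are constructed, the X filler of the posted line is shortened, and the regexes, verdict names and helper names are my own.

```python
"""Classify Apache access-log lines for Code Red / Nimda worm probes.
Added example, not SME Server code."""
import re
from collections import Counter

# Log format seen in the post: a leading virtual-host field, then the usual
# "combined" fields: client, ident, user, [time], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<vhost>\S+)\s+(?P<client>\S+)\s+\S+\s+\S+\s+'
    r'\[(?P<time>[^\]]+)\]\s+"(?P<request>[^"]*)"\s+'
    r'(?P<status>\d{3})\s+(?P<bytes>\S+)'
)

# Code Red (CERT CA-2001-19) pads with 'N', Code Red II (CA-2001-23) with 'X';
# both then carry an IIS-only %uXXXX-encoded payload aimed at the .ida ISAPI
# extension.  Nimda (CA-2001-26) instead requests root.exe / cmd.exe.
CODE_RED_RE = re.compile(r'^/default\.ida\?[NX]+%u', re.IGNORECASE)
NIMDA_MARKERS = ('root.exe', 'cmd.exe')   # heuristic, my own choice
U_ENC_RE = re.compile(r'%u([0-9a-fA-F]{4})')


def decode_u_payload(query: str) -> bytes:
    """Turn IIS-style %uXXXX units into the little-endian bytes IIS would
    have placed in memory; %u9090 becomes two 0x90 (x86 NOP) bytes."""
    out = bytearray()
    for hex4 in U_ENC_RE.findall(query):
        out += int(hex4, 16).to_bytes(2, 'little')
    return bytes(out)


def classify(line: str):
    """Return a dict describing one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = m.group('request').split()
    target = parts[1] if len(parts) >= 2 else ''
    path, _, query = target.partition('?')
    status = int(m.group('status'))
    rec = {'client': m.group('client'), 'status': status,
           'path': path, 'verdict': 'normal', 'note': ''}
    if CODE_RED_RE.match(target):
        payload = decode_u_payload(query)
        rec['verdict'] = 'code-red-probe'
        rec['payload_len'] = len(payload)
        rec['nop_bytes'] = payload.count(0x90)
    elif any(marker in path.lower() for marker in NIMDA_MARKERS):
        rec['verdict'] = 'nimda-probe'
    if rec['verdict'] != 'normal':
        # Apache has no .ida/.exe handler for these paths: a 404 means the
        # request was refused outright.  Anything else deserves a look.
        rec['note'] = ('refused (404): no handler for this path, nothing ran'
                       if status == 404 else
                       f'served with status {status}: check this host')
    return rec


def summarize(lines):
    """Count verdicts across a set of log lines."""
    counts = Counter()
    for line in lines:
        rec = classify(line)
        if rec is not None:
            counts[rec['verdict']] += 1
    return counts


# Payload exactly as in the posted line (the three repeated units, then the tail).
CODE_RED_PAYLOAD = ('%u9090%u6858%ucbd3%u7801' * 3 +
                    '%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a')

SAMPLE_LINES = [
    # From the post (X filler shortened, payload verbatim):
    'www.mydomain.com 203.131.122.194 - - [03/Jul/2003:17:01:49 +0800] '
    '"GET /default.ida?' + 'X' * 40 + CODE_RED_PAYLOAD + '  HTTP/1.0" 404 205 "-" "-"',
    # Constructed Nimda-style probe (RFC 5737 documentation address):
    'www.mydomain.com 192.0.2.10 - - [03/Jul/2003:17:05:12 +0800] '
    '"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 205 "-" "-"',
    # Constructed ordinary request:
    'www.mydomain.com 192.0.2.20 - - [03/Jul/2003:17:06:00 +0800] '
    '"GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
]

if __name__ == '__main__':
    for sample in SAMPLE_LINES:
        rec = classify(sample)
        print(rec['client'], rec['verdict'], rec['note'])
    print(dict(summarize(SAMPLE_LINES)))
```

Run it against a real access_log with `classify(line)` per line: a Code Red probe answered with 404 is noise from someone else's infected IIS box, whereas a 200 for one of these paths on any host is the case worth investigating. Note that the httpd access log only records what Apache answered; accept/deny/drop decisions live in the packet-filter log, not here.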
Title: Re: Query
Post by: Mike on July 04, 2003, 10:10:11 AM
Thanks for all your replies... Just curious: I found it in my httpd log, and there's no sign of accept, deny or drop, so I was scared. I found this log first on my Mandrake Linux box and now on my SME 5.6.

BTW thanks all of you guys...

Mike
Title: default.ida (was Re: Query)
Post by: Charlie Brady on July 04, 2003, 09:24:00 PM
Mike wrote:

> www.mydomain.com 203.131.122.194 - - [03/Jul/2003:17:01:49
> +0800] "GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 205 "-" "-"
...
> What this means?

A search here for "default.ida" (all dates) will give you lots of information.

A similar search on google.org will give you lots more.

Charlie