Date: Fri, 17 Jan 2003 01:19:13 +0000
From: "J. Greenlees"
To: users@httpd.apache.org
Message-id: <3E275A11.8080101@shaw.ca>
References: <016801c2be07$cf4be020$1a01a8c0@sbvr.com>
Subject: Re: [users@httpd] Errors!!!!

system@eluminoustechnologies.com wrote:
> Hello All,
>
> Now this time the IPs are changed?
> Do you all think that my assumption is
> correct? Could all these machines contain the Code-Red virus and are they
> trying to access my server?
> All these IPs are sending malformed headers to my server? Or maybe they
> are spoofed?
>
> 200.47.173.193
> 24.193.133.39
> 24.112.84.250
> 213.10.131.56
> 63.187.80.237
> 195.38.28.40
> 148.223.124.179
> 217.157.86.9
> 218.5.87.83
>
> [root@server admusr]# cat /etc/httpd/logs/access_log | grep 217.157.86.9
> 217.157.86.9 - - [17/Jan/2003:03:17:39 -0500] "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 400 333 "-" "-"
> [root@server admusr]# cat /etc/httpd/logs/access_log | grep 218.5.87.83
> 218.5.87.83 - - [17/Jan/2003:03:52:03 -0500] "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 400 327 "-" "-"
> Help me please.
>
> Regards,
>
> Cindy

9 isn't many at all.
I went through my logs after being up and running for a week and had 300
infected servers in them. Most from my ISP's network, since they promote
Windows and IIS. Sent the logs to them and it dropped to only 50 infected
servers a week.
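The log review the reply describes (going through the access log and counting the hosts that sent these requests), as an added example that is not part of either message: a Python script that groups requests shaped like the quoted `/default.ida?NNN...%u...` lines by source address. The 50-character filler threshold, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common/combined prefix: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+'
)
MIN_FILLER = 50  # assumed threshold; the quoted probes carry a far longer run
PROBE_RE = re.compile(
    r'^GET /default\.ida\?N{%d,}(?:%%u[0-9a-fA-F]{4})+' % MIN_FILLER
)


def summarize_probes(lines):
    """Group matching probes by source; assumes lines are in time order."""
    hosts = defaultdict(lambda: {"hits": 0, "first": None, "last": None,
                                 "statuses": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not PROBE_RE.match(m.group("req")):
            continue
        h = hosts[m.group("ip")]
        h["hits"] += 1
        h["first"] = h["first"] or m.group("ts")
        h["last"] = m.group("ts")
        h["statuses"].add(int(m.group("status")))
    return dict(hosts)


def answered(summary):
    """Sources whose probe drew a non-4xx status: worth a closer look."""
    return sorted(ip for ip, h in summary.items()
                  if any(not 400 <= s < 500 for s in h["statuses"]))


# Constructed sample lines (documentation addresses, placeholder %u0000 data).
PROBE_REQ = "GET /default.ida?" + "N" * 224 + "%u0000%u0000=a HTTP/1.0"
SAMPLE = [
    '192.0.2.10 - - [17/Jan/2003:03:17:39 -0500] "%s" 400 333 "-" "-"' % PROBE_REQ,
    '192.0.2.10 - - [17/Jan/2003:04:02:11 -0500] "%s" 400 333 "-" "-"' % PROBE_REQ,
    '198.51.100.7 - - [17/Jan/2003:03:52:03 -0500] "%s" 404 327 "-" "-"' % PROBE_REQ,
    '203.0.113.5 - - [17/Jan/2003:05:00:00 -0500] "GET /index.html HTTP/1.0" 200 1024 "-" "-"',
    '203.0.113.9 - - [17/Jan/2003:05:01:00 -0500] "GET /default.ida?a=b HTTP/1.0" 404 300 "-" "-"',
]

if __name__ == "__main__":
    for ip, h in sorted(summarize_probes(SAMPLE).items()):
        print(ip, h["hits"], h["first"], h["last"], sorted(h["statuses"]))
```

The per-source first and last timestamps and hit counts are the kind of evidence an upstream provider can act on when logs are forwarded to them.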