is this a attack to my web server

ohcarol · 12-29-2004, 05:52 AM

Hello I am running redhat 6.1 and apache 1.3 server. I saw this request in my apache access_log file. Is this a attack to my webserver?

202.79.48.15 - - [09/Nov/2004:14:53:13 +0545] "SEARCH /\x90\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc
9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc 9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\
xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\ xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc
9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc 9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\
xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\ xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc
9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc 9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\
xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\ xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc
9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc 9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\
xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\ xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc
9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc 9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\
xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\ xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc
9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc 9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\
xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\xc9\ xc9\xc9\xc9\xc9\xc9\xc9\xc9\

Technoslave · 12-29-2004, 08:59 AM

The short answer, yes.

The long answer, it's probably just a worm trying to go through and take over your IIS server ... yeah, I said it, IIS. Anyway, your best bet is to google for that string and throw in there webserver, you'll probably find the complete answer.

Most of the things like that that I've seen in my logs have been worms attempting to exploit an unpatched version of IIS...yes, I run apache, but worms don't care.