Corrupted query

External Since: Jun 02, 2004 Posts: 4

Hi,

I have a small learning site that is currently running Apache 1.3.31. I run
awstats to see the effect of the various changes. Starting last month I
began getting a lot of messages about corrupted records in the access log.
They all are of the form:

219.123.50.37 - - [01/Jun/2004:02:06:04 +0900] "SEARCH /\x90\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02
\xb1\x02\xb1\x02
..
..
..
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x90\x90" 414 341 "-" "-"

with the specific query address changing on almost every query. I can't
tell how long the search string is because it is terminated in the log at
8183 of the \x.. characters.

Is this anything I should recognize or be concerned about? It looks like a
hack attempt or a virus but Apache is returning a 414 so it doesn't seem to
affect anything.

Any information would be appreciated.

TIA,

J.J.

External Since: Nov 03, 2003 Posts: 2907

J.J. Day <NOSPAM.day1234.TakeThisOut@hotmail.com> wrote:
> They all are of the form:
> 219.123.50.37 - - [01/Jun/2004:02:06:04 +0900] "SEARCH /\x90\x02\xb1\x02

It looks like some kind of Windows-Worm trying to spread around.
Davide

--
| "Virtual" means never knowing where your next byte is coming from.
|
|
|