I saw someone complaining about their server, and decided to take a look at my server's logs. The main domain's log is cluttered with stuff over the past several days that looks like this:

63.229.248.108 - - [08/Aug/2001:21:57:21 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 277
63.231.70.17 - - [08/Aug/2001:22:03:20 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 277

A grep on stuff just this month shows:

>grep '/Aug/2001:' akash*access | grep 'default.ida' | wc
499 4990 227105

Just for fun, here's a look at the front of the lines from the first 40 entries since Aug 1:

>grep '/Aug/2001:' akash*access | grep 'default.ida' | c 1-70 | head -40
211.20.168.125 - - [01/Aug/2001:08:14:16 -0700] "GET /default.ida?NNNN
62.154.210.21 - - [01/Aug/2001:08:29:14 -0700] "GET /default.ida?NNNNN
211.240.34.175 - - [01/Aug/2001:09:08:49 -0700] "GET /default.ida?NNNN
wwwsv.chuokai-kagawa.or.jp - - [01/Aug/2001:10:01:11 -0700] "GET /defa
211.32.101.2 - - [01/Aug/2001:10:09:16 -0700] "GET /default.ida?NNNNNN
202.156.0.10 - - [01/Aug/2001:11:15:02 -0700] "GET /default.ida?NNNNNN
pec-30-35.tnt4.me2.uunet.de - - [01/Aug/2001:11:46:31 -0700] "GET /def
216.142.223.104 - - [01/Aug/2001:11:55:07 -0700] "GET /default.ida?NNN
210.91.45.212 - - [01/Aug/2001:13:34:54 -0700] "GET /default.ida?NNNNN
61.168.133.67 - - [01/Aug/2001:13:56:03 -0700] "GET /default.ida?NNNNN
bre130137-1.gw.connect.com.au - - [01/Aug/2001:16:31:55 -0700] "GET /d
24.27.246.31 - - [01/Aug/2001:17:05:34 -0700] "GET /default.ida?NNNNNN
200.161.15.36 - - [01/Aug/2001:17:15:46 -0700] "GET /default.ida?NNNNN
216.136.30.230 - - [01/Aug/2001:17:24:25 -0700] "GET /default.ida?NNNN
www.cofe.ru - - [01/Aug/2001:17:29:35 -0700] "GET /default.ida?NNNNNNN
206.231.228.163 - - [01/Aug/2001:17:31:50 -0700] "GET /default.ida?NNN
www.headcountsystems.com - - [01/Aug/2001:18:47:09 -0700] "GET /defaul
h-207-148-146-62.dial.cadvision.com - - [01/Aug/2001:20:01:10 -0700] "
165.132.59.117 - - [01/Aug/2001:20:04:03 -0700] "GET /default.ida?NNNN
mail.biodynamics.com.na - - [01/Aug/2001:22:36:00 -0700] "GET /default
62.225.135.227 - - [01/Aug/2001:23:25:00 -0700] "GET /default.ida?NNNN
61.163.224.70 - - [01/Aug/2001:23:59:37 -0700] "GET /default.ida?NNNNN
acaf8a6c.ipt.aol.com - - [02/Aug/2001:00:35:42 -0700] "GET /default.id
211.172.183.254 - - [02/Aug/2001:00:45:38 -0700] "GET /default.ida?NNN
c1474844-a.hlndpk1.il.home.com - - [02/Aug/2001:00:52:42 -0700] "GET /
61-222-57-133.hinet-ip.hinet.net - - [02/Aug/2001:01:46:11 -0700] "GET
host-209-214-61-228.aby.bellsouth.net - - [02/Aug/2001:02:17:10 -0700]
abesancon-101-1-2-212.abo.wanadoo.fr - - [02/Aug/2001:03:24:03 -0700]
msp-65-25-207-2.mn.rr.com - - [02/Aug/2001:04:06:06 -0700] "GET /defau
211.52.85.52 - - [02/Aug/2001:05:17:33 -0700] "GET /default.ida?NNNNNN
61-216-187-98.hinet-ip.hinet.net - - [02/Aug/2001:05:21:20 -0700] "GET
61.161.52.88 - - [02/Aug/2001:05:43:44 -0700] "GET /default.ida?NNNNNN
146.145.90.95 - - [02/Aug/2001:08:06:21 -0700] "GET /default.ida?NNNNN
209.163.178.28 - - [02/Aug/2001:08:53:40 -0700] "GET /default.ida?NNNN
211.169.219.4 - - [02/Aug/2001:09:16:02 -0700] "GET /default.ida?NNNNN
64.85.89.24 - - [02/Aug/2001:09:59:47 -0700] "GET /default.ida?NNNNNNN
210.92.113.5 - - [02/Aug/2001:10:22:43 -0700] "GET /default.ida?NNNNNN
202.31.233.3 - - [02/Aug/2001:13:17:28 -0700] "GET /default.ida?NNNNNN
uu212-190-133-37.unknown.uunet.be - - [02/Aug/2001:13:18:45 -0700] "GE
61.78.75.202 - - [02/Aug/2001:13:26:19 -0700] "GET /default.ida?NNNNNN

Lots of IPs with no corresponding domain names! Very interesting!

Freq counts by day:

>grep '01/Aug/2001:' akash*access | grep 'default.ida' | wc
22 220 9924
>grep '02/Aug/2001:' akash*access | grep 'default.ida' | wc
26 260 11778
>grep '03/Aug/2001:' akash*access | grep 'default.ida' | wc
18 180 8112
>grep '04/Aug/2001:' akash*access | grep 'default.ida' | wc
25 250 11367
>grep '05/Aug/2001:' akash*access | grep 'default.ida' | wc
36 360 16572
>grep '06/Aug/2001:' akash*access | grep 'default.ida' | wc
86 860 39254
>grep '07/Aug/2001:' akash*access | grep 'default.ida' | wc
118 1180 53611
>grep '08/Aug/2001:' akash*access | grep 'default.ida' | wc
168 1680 76487

I don't like this curve!!! Does this indicate anything about my machine, or is it just a reflection of the pervasiveness of this worm?

-David
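An added example, not part of David's post or of this thread: a Python script that does in one pass what the eight per-day greps above do by hand. It parses Apache common-log lines, recognizes the probe (a GET for /default.ida whose query opens with a run of filler bytes and carries %uXXXX escapes, which is the request the Code Red worms send to the IIS .ida ISAPI extension), tallies probes per day, counts distinct sources and how many of them are logged as bare addresses with no reverse DNS (the thing the post remarks on), and reports whether every probe was answered with a 404. The filler byte also separates the two worm families: the original Code Red fills with 'N', Code Red II with 'X', and the post's August 1 and August 8 entries show both. The log lines in the script are constructed from documentation addresses and made-up hostnames, with the filler run shortened (the two full entries quoted in the post carry 224 filler bytes); they are not taken from David's logs.

```python
"""Tally Code Red style probes (GET /default.ida?<filler>%u...) in an Apache access log.

Added example. SAMPLE_LOG is constructed from RFC 5737 documentation addresses
and made-up hostnames; it is not taken from the post this illustrates.
"""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample in Apache Common Log Format. The payloads are shortened;
# the real probes quoted in the post carry a 224-byte filler run before the %u escapes.
SAMPLE_LOG = """\
192.0.2.44 - - [08/Aug/2001:21:57:21 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 277
www.example.net - - [08/Aug/2001:22:03:20 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 277
198.51.100.7 - - [09/Aug/2001:00:12:05 -0700] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [09/Aug/2001:01:30:44 -0700] "GET /default.ida?NNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 277
203.0.113.5 - - [09/Aug/2001:02:00:00 -0700] "GET /default.ida HTTP/1.0" 404 277
this line is not a log entry
"""

# Apache Common Log Format: host ident authuser [timestamp] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)\s*$'
)
# Run of at least four copies of one filler byte (N or X) opening the query string.
FILLER_RE = re.compile(r'^([NX])\1{3,}')
# Three or more consecutive %uXXXX escapes: the IIS-only wide-character URL
# encoding the worm uses for its overflow payload.
UNICODE_ESCAPES_RE = re.compile(r'(?:%u[0-9a-fA-F]{4}){3,}')
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')


def parse_clf_line(line):
    """Parse one CLF line into host, timestamp, request path and status; None if malformed."""
    m = CLF_RE.match(line)
    if m is None:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    parts = m.group("request").split()          # "GET /path HTTP/1.0"
    path = parts[1] if len(parts) >= 2 else ""
    return {"host": m.group("host"), "ts": ts, "path": path,
            "status": int(m.group("status"))}


def code_red_filler(path):
    """Return the filler byte of a Code Red probe ('N' or 'X'), or None if the path is not one.

    The request must be for /default.ida and its query must open with a filler run
    and contain the %u escapes. A bare GET /default.ida with no payload is not counted.
    """
    u = urlsplit(path)
    if u.path.lower() != "/default.ida":
        return None
    m = FILLER_RE.match(u.query)
    if m is None or UNICODE_ESCAPES_RE.search(u.query) is None:
        return None
    return m.group(1)


def summarize(log_text):
    """One pass over the log: probes per day, distinct sources, filler variants, status codes."""
    per_day, fillers, statuses = Counter(), Counter(), Counter()
    sources, numeric_sources = set(), set()
    for line in log_text.splitlines():
        entry = parse_clf_line(line)
        if entry is None:
            continue
        filler = code_red_filler(entry["path"])
        if filler is None:
            continue
        per_day[entry["ts"].strftime("%d/%b/%Y")] += 1
        fillers[filler] += 1
        statuses[entry["status"]] += 1
        sources.add(entry["host"])
        if IPV4_RE.match(entry["host"]):       # logged as an address: no reverse DNS
            numeric_sources.add(entry["host"])
    return {
        "per_day": dict(per_day),
        "unique_sources": len(sources),
        "unresolved_sources": len(numeric_sources),
        "fillers": dict(fillers),
        "statuses": dict(statuses),
        # On a server with no .ida handler every probe is a miss.
        "every_probe_404": bool(statuses) and set(statuses) == {404},
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for day in sorted(report["per_day"], key=lambda d: datetime.strptime(d, "%d/%b/%Y")):
        print(f"{day}: {report['per_day'][day]} probes")
    print(f"{report['unique_sources']} sources, {report['unresolved_sources']} with no reverse DNS")
    print(f"filler variants: {report['fillers']}, status codes: {report['statuses']}")
    print("all probes answered 404:", report["every_probe_404"])
```

Requiring both the filler run and the %u escapes keeps a stray GET /default.ida from a scanner or a curious human out of the worm count, and the status tally is the check a server operator wants: the probe is aimed at the IIS .ida extension, so an Apache host that answers every one with 404 has nothing for it to hit, and the counts measure how many infected machines happen to be scanning that address range rather than anything about the host itself.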