chebbie427
MIS
Recently CodeRed.F has been floating around, and we've never had to worry about it because it's an IIS issue. However, I have some strange entries in my access_logs, and I was hoping someone could shed some light on this for me.
The majority of these attacks have been returned with a 400, 401, or 404 which is great. The problem lies in that reviewing the logs closer, I see a couple that were sent back as 200 (example below). How is this possible? Do I have some security flaw that I am not aware of?
66.205.35.82 - - [30/Mar/2003:18:41:27 -1000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858
%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3
u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078
%u0000%u00=a HTTP/1.0" 200 -
I am running Apache 1.3.26-53 on SuSE 8.1 x86. It is mostly a default installation, with the exception of two virtual servers running off the same IP but on different ports, and some directories protected with .htaccess.
Am I missing something here? Please enlighten.
Gordon
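
One way to triage entries like the one in the post above, as an added example that is not part of the original post: it tallies the status codes returned for `/default.ida?` requests in an Apache Common Log Format file and lists any that were not answered with a 4xx or 5xx. The function name `triage`, the sample lines and the 192.0.2.x addresses are constructed for illustration.

```python
import re
from collections import Counter

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>.*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

def triage(lines, marker="/default.ida?"):
    """Tally status codes for probe requests; return those not rejected."""
    by_status = Counter()
    review = []
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # not a CLF line (or a wrapped fragment); skip it
        # Request line is "METHOD target PROTOCOL"; look only at the target
        _method, _, target = m["request"].partition(" ")
        if not target.lower().startswith(marker):
            continue
        status = int(m["status"])
        by_status[status] += 1
        if status < 400:
            # "-" in the size field means no response body bytes were sent
            size = 0 if m["size"] == "-" else int(m["size"])
            review.append((m["host"], m["time"], status, size))
    return by_status, review

# Constructed sample lines: documentation addresses, padding shortened
SAMPLE = [
    '192.0.2.10 - - [30/Mar/2003:18:40:02 -1000] '
    '"GET /default.ida?XXXXXXXX=a HTTP/1.0" 404 284',
    '192.0.2.11 - - [30/Mar/2003:18:40:51 -1000] '
    '"GET /default.ida?XXXXXXXX=a HTTP/1.0" 400 331',
    '192.0.2.12 - - [30/Mar/2003:18:41:27 -1000] '
    '"GET /default.ida?XXXXXXXX=a HTTP/1.0" 200 -',
    '192.0.2.13 - - [30/Mar/2003:18:42:00 -1000] '
    '"GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    counts, review = triage(SAMPLE)
    print("status counts:", dict(counts))
    for host, when, status, size in review:
        print(f"review: {host} [{when}] status={status} body_bytes={size}")
```

To run it against a real log, pass an open file object instead of `SAMPLE`, for example `triage(open("access_log"))`.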