first thing,thanks for win32sux.
the mod_security2 is ok.

in my apache access logs.I am find under logs.

what means this?attack?


71.92.67.11 - - [03/Aug/2007:04:32:34 +0800] "GET / HTTP/1.1" 200 1456
68.102.148.23 - - [03/Aug/2007:04:48:45 +0800] "GET / HTTP/1.1" 200 1456
219.89.195.22 - - [03/Aug/2007:04:53:38 +0800] "GET / HTTP/1.1" 200 1456
172.192.252.178 - - [03/Aug/2007:04:56:42 +0800] "GET / HTTP/1.1" 200 1456
72.243.145.31 - - [03/Aug/2007:05:01:00 +0800] "GET / HTTP/1.1" 200 1456
67.132.13.146 - - [03/Aug/2007:05:04:49 +0800] "GET / HTTP/1.1" 200 1456
116.121.107.198 - - [03/Aug/2007:05:19:48 +0800] "GET / HTTP/1.1" 200 1456
..................
68.189.6.27 - - [03/Aug/2007:16:05:06 +0800] "GET / HTTP/1.1" 200 437
220.226.233.188 - - [03/Aug/2007:16:06:08 +0800] "GET / HTTP/1.1" 200 437
72.161.44.253 - - [03/Aug/2007:16:06:12 +0800] "GET / HTTP/1.1" 200 437
221.169.244.153 - - [03/Aug/2007:16:10:12 +0800] "GET / HTTP/1.1" 200 437
.................
57.250.245.249 - - [03/Sep/2007:06:58:32 +0800] "GET / HTTP/1.1" 200 97
86.0.51.82 - - [03/Sep/2007:07:01:19 +0800] "GET / HTTP/1.1" 200 97
207.235.120.172 - - [03/Sep/2007:07:02:03 +0800] "GET / HTTP/1.1" 200 97
142.177.25.185 - - [03/Sep/2007:07:02:15 +0800] "GET / HTTP/1.1" 200 97
205.158.116.232 - - [03/Sep/2007:07:02:42 +0800] "GET / HTTP/1.1" 200 97
210.83.227.5 - - [05/Sep/2007:02:37:47 +0800] "GET /NULL.printer HTTP/1.0 " 404
291
210.83.227.5 - - [05/Sep/2007:02:37:50 +0800] "GET /NULL.IDA?CCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC%u0aeb뢐�矮
000莋”䂋դŐ邐=x&\x90\x90\x90\x
90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
90\x90\x90\x90\x90\x90\x90\x90\x90\xeb\t\x90\x90\x90_\xeb
....................

212.72.162.197 - - [04/Aug/2007:19:53:53 +0800] "POST /xmlrpc.php HTTP/1.1" 404
286
212.72.162.197 - - [04/Aug/2007:19:53:55 +0800] "POST /blog/xmlrpc.php HTTP/1.1"
404 291
212.72.162.197 - - [04/Aug/2007:19:53:59 +0800] "POST /blogs/xmlsrv/xmlrpc.php H
TTP/1.1" 404 299
212.72.162.197 - - [04/Aug/2007:19:53:59 +0800] "POST /blog/xmlsrv/xmlrpc.php HT
TP/1.1" 404 298
212.72.162.197 - - [04/Aug/2007:19:54:03 +0800] "POST /drupal/xmlrpc.php HTTP/1.
1" 404 293

This IP has tried a Microsoft IIS buffer overflow exploit on your server.

It's actually a pretty common sight.

The above is a lupper-style attack (see http://vil.nai.com/vil/content/v_136821.htm for a description, variants...). These are also common, but affects sites that serve dynamic content. Unless you run a site with a PHP backend, this traffic shouldn't warrant concern, IMO. In my case, I tell modsecurity to respond to requests for PHP content with a 404 HTTP code.