[Editor's note: Carriage returns inserted, and repetitive "X" characters snipped, to aid readability; this will appear as one line in your log.]

63.82.46.11 - - [07/Aug/2001:04:06:38 -0700] "GET /default.ida?
XXXXXXXXX...snipped...XXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3
%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003
%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 27

If you're seeing this then it's not a threat to your system. It's someone's machine running Windows NT 4.0 with IIS 4.0 or 5.0 enabled, Windows 2000 servers, or betas of XP with the Code Red worm running on their box. This probably means they don't know about it and it doesn't hurt us except it bloats your access logs. The information on it can be found at
http://www.cert.org/incident_notes/IN-2001-08.html
I have a question. Is there a way to set a deny rule for this with ipfw? Anyone?
-j
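
Added example, not part of the original post: ipfw matches on addresses and ports rather than on the HTTP request, so a rule can only name the hosts seen probing. This Python script pulls those hosts out of an Apache access log using the request pattern in the log entry above and prints one candidate deny rule per source; the regexes, function names and sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Apache common log format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\S+)$')
# Signature from the entry above: /default.ida with a query string that is a
# long run of one filler character followed by %uXXXX-encoded words.
PROBE = re.compile(r'^GET /default\.ida\?(.)\1{20,}(?:%u[0-9a-fA-F]{4}){4,}')

def find_probes(lines):
    """Return (source, timestamp, status) for each line matching the signature."""
    hits = []
    for line in lines:
        m = CLF.match(line.strip())
        if m and PROBE.match(m.group(3)):
            hits.append((m.group(1), m.group(2), int(m.group(4))))
    return hits

def tally(hits):
    """Count probes per source, most active first."""
    return Counter(src for src, _, _ in hits).most_common()

def ipfw_rules(hits, port=80):
    """One deny rule per distinct source; skip anything that is not an IPv4 literal."""
    rules = []
    for src, _ in tally(hits):
        try:
            addr = ipaddress.IPv4Address(src)
        except ValueError:
            continue  # hostname or junk in the host field: never paste into a rule
        rules.append(f"ipfw add deny tcp from {addr} to any {port}")
    return rules

# Constructed sample log (filler shortened; tail built from fragments of the entry above).
TAIL = "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0"
SAMPLE = [
    f'63.82.46.11 - - [07/Aug/2001:04:06:38 -0700] "GET /default.ida?{"X" * 224}{TAIL}" 404 27',
    f'192.0.2.7 - - [07/Aug/2001:04:09:12 -0700] "GET /default.ida?{"X" * 224}{TAIL}" 404 27',
    f'192.0.2.7 - - [07/Aug/2001:04:31:55 -0700] "GET /default.ida?{"X" * 224}{TAIL}" 404 27',
    '198.51.100.5 - - [07/Aug/2001:04:10:01 -0700] "GET /default.ida?page=2 HTTP/1.0" 404 27',
    '198.51.100.5 - - [07/Aug/2001:04:10:03 -0700] "GET /index.html HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    hits = find_probes(SAMPLE)
    for src, n in tally(hits):
        print(f"{src}\t{n}")
    print("\n".join(ipfw_rules(hits)))
```

Every probe in the sample carries status 404, the same response as in the entry above.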

