I'm no security whiz but my Apache logs saw a few CRv1 and CRv2 hits they looked something like this (entry modified very slighty so it won't work)

1.2.3.4 - - [19/Jul/2001:15:54:40 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53f%u0078%u0000%u00=a HTTP/1.0" 400 323

Now I only saw about 50 entries in my logs that looked like this, now I have had over 400 entries which replace the NNNNN's with XXXXX's. Also the other thing I noticed about this is if you check the IP addresses they are all gonna be comming from your /8 subnet. Example

Using this mini script

for h in `cat access_log | grep .ida?XXX | awk '{print $1}'`; do
echo "IP: " $h " HOST: " `host $h | awk '{print $5}'`
done | sort | uniq -c

it produced a list of all the IP addresses and their host names to match like so

4 IP: 66.xx.xx.xx HOST: some.host.some.isp.com.
8 IP: 66.xx.xx.xx HOST: some.host.some.isp.com.

This is where I noticed ALL ips start 66.xx.xx.xx. w my IP starts 66.xx.xx.xx so looks like there is a new variant out which scans its own /8 subnet only (Well a lot more often than CRv1 or CRv2 did). Hence the more frequent attempts.

Also in my error_log instead of seeing

[Sun Aug 5 00:13:09 2001] [error] [client xxx.xxx.xxx.xx] Client sent malformed Host header

I now get this

[Sat Aug 4 17:28:24 2001] [error] [client 66.xx.xx.xx] File does not exist: /www/html/default.ida

Anyway, Comment away !

Gareth
Gshock