Do these appear in your 404 not found log?


Jake
05-14-2002, 11:30 PM
Site owners: Do any of these appear in your 404 not found log?

1.) /galaxy_65304.65650 1 request

2.) /cobalt-images/welcome2.gif 1 request

3.) /NULL.ida 1 request

4.) /NULL.idq 1 request

I just noticed them today in my logs. (It's been a while since I checked last. Maybe a week or so.)

#1 looks like a session. Odd, because my site has nothing to do with stars and such, and most of the site is static except for a shopping cart in the cgi-bin.

#2 is weird because I don't have a directory remotely similar. (and no graphics titled 'welcome') and we use red, white and black--no cobalt

It is more likely #3 and #4 are not regular surfers as no one would actually look for something "null"

Does anyone know of a virus/infected system that requests NULL.ida or NULL.idq?

Does anyone know what the extensions .ida and .idq stand for?

No results from a few searches in the forums...so any help would be appreciated.

Thanks!
Jake

Jeff
05-15-2002, 12:26 AM
Maybe #2 is an easy way for a person/program/script to check if the server is a cobalt raq which would be vulnerable to a given set of exploits? Just a wild guess...

Jake
05-15-2002, 03:22 AM
Jeff, Thanks a lot for the info.

I think I'll add these in .htaccess (with RewriteCond) if I get any more requests for any of them.

Jeff
05-15-2002, 04:05 AM
Well I'm afraid it falls short of info as it was purely a 100% guess and I'm not sure if it was a good one or not. I was just thinking in another forum if it was a good idea to leave the default aliases which make it easy to identify a Plesk vs. an Ensim vs. a Cobalt RaQ (or even a FutureQuest server for that matter) by simply trying the unique cp URLs. But I'm not sure if anyone would actually think to check for cp aliased images when checking out a server (maybe there's a rube-goldberg cracker contest...?)

Arthur
05-15-2002, 05:50 AM
#2 is probably a probe from NetCraft (http://www.netcraft.com/). They collect statistical information about what types of webservers are used. They are probing to see if the site runs on a Cobalt (http://www.cobalt.com/) machine. If you do a lookup on the IP address, you'll see it's probably coming from ariston.netcraft.com.

#3 and #4 must be probes from infected IIS servers, probably infected with Nimda. .ida and .idq files are used on Microsoft webservers.
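As an added example (not part of the thread, and not anyone's posted code), the following Python script does what the posters above did by hand: it reads Apache-style access log lines, keeps only the 404s, and sorts them into the two probe families identified in this thread (the `.ida`/`.idq` requests aimed at the IIS Indexing Service, which is the file type Code Red and Nimda-era worm traffic requests, and the `/cobalt-images/` request used to fingerprint a Cobalt RaQ, as in the Netcraft survey). Anything else that 404s is listed separately for a human to look at. The log lines and IP addresses are constructed sample data, and the signature names are my own labels.

```python
import re
from collections import Counter

# NCSA common/combined log format: "ip ident user [time] \"METHOD path PROTO\" status size ..."
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures for the requests discussed in the thread. Names are labels chosen
# here for reporting, not a standard taxonomy.
SIGNATURES = [
    ("iis-indexing-probe", re.compile(r"\.(ida|idq)$", re.I),
     "request for an IIS Indexing Service file; typical of Code Red/Nimda-style worm scanning"),
    ("cobalt-raq-fingerprint", re.compile(r"^/cobalt-images/", re.I),
     "request for a Cobalt RaQ default image; server-type fingerprint such as the Netcraft survey"),
]

# Constructed sample log; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [14/May/2002:21:03:11 -0400] "GET /NULL.ida HTTP/1.0" 404 291
192.0.2.10 - - [14/May/2002:21:03:12 -0400] "GET /NULL.idq HTTP/1.0" 404 291
198.51.100.7 - - [14/May/2002:22:15:40 -0400] "GET /cobalt-images/welcome2.gif HTTP/1.1" 404 303
203.0.113.5 - - [14/May/2002:22:16:02 -0400] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - - [14/May/2002:22:16:09 -0400] "GET /galaxy_65304.65650 HTTP/1.1" 404 290
this line is deliberately malformed and must be skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not in NCSA format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(path):
    """Return the signature name matching this request path, or None if unrecognised."""
    for name, pattern, _desc in SIGNATURES:
        if pattern.search(path):
            return name
    return None


def scan(lines, status=404):
    """Classify every request with the given status code.

    Returns (hits, counts, unknown): hits is a list of (ip, path, signature) for
    recognised probes, counts tallies hits per signature, and unknown lists the
    paths that returned `status` but matched no signature.
    """
    hits, counts, unknown = [], Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != status:
            continue
        name = classify(rec["path"])
        if name is None:
            unknown.append(rec["path"])
        else:
            hits.append((rec["ip"], rec["path"], name))
            counts[name] += 1
    return hits, counts, unknown


def report(lines):
    """Human-readable summary of a scan, grouped the way a 404 log review is done."""
    hits, counts, unknown = scan(lines)
    descriptions = {name: desc for name, _p, desc in SIGNATURES}
    out = []
    for name, n in counts.most_common():
        ips = sorted({ip for ip, _path, sig in hits if sig == name})
        out.append(f"{name}: {n} request(s) from {', '.join(ips)}  -- {descriptions[name]}")
    for path in unknown:
        out.append(f"unclassified 404: {path}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG.splitlines()))
```

Running the script on the constructed log reports two `iis-indexing-probe` hits from one address, one `cobalt-raq-fingerprint` hit, and leaves `/galaxy_65304.65650` in the unclassified list, which is the same split the thread arrives at. To use it on a real server, feed `scan()` the lines of the access log and extend `SIGNATURES` as new probe patterns turn up in the 404s.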

skolnick
05-15-2002, 10:12 AM
Jeff makes good guesses. One of my clients is on a Cobalt (<sigh> wish I could move him from a very unresponsive web host). The gif looks like this: Cobalt gif (http://www.baddayfishing.com/cobalt-images/welcome2.gif).

Jake
05-15-2002, 07:59 PM
I checked the IP address and #2 is coming from netcraft.com

A picture's worth a thousand words--now I have a clearer idea of what they were looking for.

Thank you very much for all your help everyone.