What is this in my web log and should I be concerned?


porcupine73
11-24-2009, 12:42 AM
I spotted this little mess in my web error log and was wondering what the heck it is and if I should be concerned. I am assuming it is an exploit attempt of some sort, especially since it is coming from so many different IPs in such a short time. I haven't seen it since then. If this contains any sensitive info, let me know and I will edit.

#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2009-11-21 22:31:11 77.88.66.251 58356 74.208.153.95 80 HTTP/1.1 GET /forums/++++++++++++++++++++++++++++++++++++++Result:+%25C 3%25A8%25C3%25B1%25C3%25AF%25C3%25AE%25C3%25AB%25C 3%25BC%25C3%25A7%25C3%25B3%25C3%25A5%25C3%25AC+%25 C3%25AF%25C3%25B0%25C3%25AE%25C3%25AA%25C3%25B1%25 C3%25A8+189.8.58.59:8080;%25C3%25A7%25C3%25A0%25C3 %25B0%25C3%25A5%25C3%25A3%25C3%25A8%25C3%25B1%25C3 %25B2%25C3%25B0%25C3%25A8%25C3%25B0%25C3%25AE%25C3 %25A2%25C3%25A0%25C3%25AB%25C3%25A8%25C3%25B1%25C3 %25BC;%25C3%25A2%25C3%25AE%25C3%25B8%25C3%25AB%25C 3%25A8;%25C3%25AF%25C3%25B0%25C3%25A8%25C3%25B1%25 C3%25B3%25C3%25B2%25C3%25B1%25C3%25B2%25C3%25A2%25 C3%25B3%25C3%25A5%25C3%25B2+nofollow;%25C3%25A2%25 C3%25AE%25C3%25A7%25C3%25AC%25C3%25AE%25C3%25A6%25 C3%25AD%25C3%25AE,+%25C3%25AE%25C3%25B2%25C3%25AF% 25C3%25B0%25C3%25A0%25C3%25A2%25C3%25AB%25C3%25A5% 25C3%25AD%25C3%25AE; 400 - URL -
2009-11-21 22:31:17 208.69.231.202 56437 74.208.153.95 80 HTTP/1.1 GET /forums/++++++++++++++++++++++++++++++++++++++Result:+%25C 3%25A8%25C3%25B1%25C3%25AF%25C3%25AE%25C3%25AB%25C 3%25BC%25C3%25A7%25C3%25B3%25C3%25A5%25C3%25AC+%25 C3%25AF%25C3%25B0%25C3%25AE%25C3%25AA%25C3%25B1%25 C3%25A8+189.8.58.59:8080;%25C3%25A7%25C3%25A0%25C3 %25B0%25C3%25A5%25C3%25A3%25C3%25A8%25C3%25B1%25C3 %25B2%25C3%25B0%25C3%25A8%25C3%25B0%25C3%25AE%25C3 %25A2%25C3%25A0%25C3%25AB%25C3%25A8%25C3%25B1%25C3 %25BC;%25C3%25A2%25C3%25AE%25C3%25B8%25C3%25AB%25C 3%25A8;%25C3%25AF%25C3%25B0%25C3%25A8%25C3%25B1%25 C3%25B3%25C3%25B2%25C3%25B1%25C3%25B2%25C3%25A2%25 C3%25B3%25C3%25A5%25C3%25B2+nofollow;%25C3%25A2%25 C3%25AE%25C3%25A7%25C3%25AC%25C3%25AE%25C3%25A6%25 C3%25AD%25C3%25AE,+%25C3%25AE%25C3%25B2%25C3%25AF% 25C3%25B0%25C3%25A0%25C3%25A2%25C3%25AB%25C3%25A5% 25C3%25AD%25C3%25AE; 400 - URL -
2009-11-21 22:31:40 122.166.47.133 56199 74.208.153.95 80 HTTP/1.0 GET /forums/%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2 B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B% 2B%2B%2B%2B%2BResult:%2B%25C3%25A8%25C3%25B1%25C3% 25AF%25C3%25AE%25C3%25AB%25C3%25BC%25C3%25A7%25C3% 25B3%25C3%25A5%25C3%25AC%2B%25C3%25AF%25C3%25B0%25 C3%25AE%25C3%25AA%25C3%25B1%25C3%25A8%2B189.8.58.5 9:8080;%25C3%25A7%25C3%25A0%25C3%25B0%25C3%25A5%25 C3%25A3%25C3%25A8%25C3%25B1%25C3%25B2%25C3%25B0%25 C3%25A8%25C3%25B0%25C3%25AE%25C3%25A2%25C3%25A0%25 C3%25AB%25C3%25A8%25C3%25B1%25C3%25BC;%25C3%25A2%2 5C3%25AE%25C3%25B8%25C3%25AB%25C3%25A8;%25C3%25AF% 25C3%25B0%25C3%25A8%25C3%25B1%25C3%25B3%25C3%25B2% 25C3%25B1%25C3%25B2%25C3%25A2%25C3%25B3%25C3%25A5% 25C3%25B2%2Bnofollow;%25C3%25A2%25C3%25AE%25C3%25A 7%25C3%25AC%25C3%25AE%25C3%25A6%25C3%25AD%25C3%25A E,%2B%25C3%25AE%25C3%25B2%25C3%25AF%25C3%25B0%25C3 %25A0%25C3%25A2%25C3%25AB%25C3%25A5%25C3%25AD%25C3 %25AE; 400 - URL -
2009-11-21 22:31:50 203.82.73.198 38963 74.208.153.95 80 HTTP/1.1 GET /forums/%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2 B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B% 2B%2B%2B%2B%2BResult:%2B%25C3%25A8%25C3%25B1%25C3% 25AF%25C3%25AE%25C3%25AB%25C3%25BC%25C3%25A7%25C3% 25B3%25C3%25A5%25C3%25AC%2B%25C3%25AF%25C3%25B0%25 C3%25AE%25C3%25AA%25C3%25B1%25C3%25A8%2B189.8.58.5 9:8080;%25C3%25A7%25C3%25A0%25C3%25B0%25C3%25A5%25 C3%25A3%25C3%25A8%25C3%25B1%25C3%25B2%25C3%25B0%25 C3%25A8%25C3%25B0%25C3%25AE%25C3%25A2%25C3%25A0%25 C3%25AB%25C3%25A8%25C3%25B1%25C3%25BC;%25C3%25A2%2 5C3%25AE%25C3%25B8%25C3%25AB%25C3%25A8;%25C3%25AF% 25C3%25B0%25C3%25A8%25C3%25B1%25C3%25B3%25C3%25B2% 25C3%25B1%25C3%25B2%25C3%25A2%25C3%25B3%25C3%25A5% 25C3%25B2%2Bnofollow;%25C3%25A2%25C3%25AE%25C3%25A 7%25C3%25AC%25C3%25AE%25C3%25A6%25C3%25AD%25C3%25A E,%2B%25C3%25AE%25C3%25B2%25C3%25AF%25C3%25B0%25C3 %25A0%25C3%25A2%25C3%25AB%25C3%25A5%25C3%25AD%25C3 %25AE; 400 - URL -
2009-11-21 22:31:55 124.207.129.132 39039 74.208.153.95 80 HTTP/1.1 GET /forums/++++++++++++++++++++++++++++++++++++++Result:+%25C 3%25A8%25C3%25B1%25C3%25AF%25C3%25AE%25C3%25AB%25C 3%25BC%25C3%25A7%25C3%25B3%25C3%25A5%25C3%25AC+%25 C3%25AF%25C3%25B0%25C3%25AE%25C3%25AA%25C3%25B1%25 C3%25A8+189.8.58.59:8080;%25C3%25A7%25C3%25A0%25C3 %25B0%25C3%25A5%25C3%25A3%25C3%25A8%25C3%25B1%25C3 %25B2%25C3%25B0%25C3%25A8%25C3%25B0%25C3%25AE%25C3 %25A2%25C3%25A0%25C3%25AB%25C3%25A8%25C3%25B1%25C3 %25BC;%25C3%25A2%25C3%25AE%25C3%25B8%25C3%25AB%25C 3%25A8;%25C3%25AF%25C3%25B0%25C3%25A8%25C3%25B1%25 C3%25B3%25C3%25B2%25C3%25B1%25C3%25B2%25C3%25A2%25 C3%25B3%25C3%25A5%25C3%25B2+nofollow;%25C3%25A2%25 C3%25AE%25C3%25A7%25C3%25AC%25C3%25AE%25C3%25A6%25 C3%25AD%25C3%25AE,+%25C3%25AE%25C3%25B2%25C3%25AF% 25C3%25B0%25C3%25A0%25C3%25A2%25C3%25AB%25C3%25A5% 25C3%25AD%25C3%25AE; 400 - URL -
2009-11-21 22:32:06 165.98.133.234 54617 74.208.153.95 80 HTTP/1.0 GET /forums/%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2 B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B% 2B%2B%2B%2B%2BResult:%2B%25C3%25A8%25C3%25B1%25C3% 25AF%25C3%25AE%25C3%25AB%25C3%25BC%25C3%25A7%25C3% 25B3%25C3%25A5%25C3%25AC%2B%25C3%25AF%25C3%25B0%25 C3%25AE%25C3%25AA%25C3%25B1%25C3%25A8%2B189.8.58.5 9:8080;%25C3%25A7%25C3%25A0%25C3%25B0%25C3%25A5%25 C3%25A3%25C3%25A8%25C3%25B1%25C3%25B2%25C3%25B0%25 C3%25A8%25C3%25B0%25C3%25AE%25C3%25A2%25C3%25A0%25 C3%25AB%25C3%25A8%25C3%25B1%25C3%25BC;%25C3%25A2%2 5C3%25AE%25C3%25B8%25C3%25AB%25C3%25A8;%25C3%25AF% 25C3%25B0%25C3%25A8%25C3%25B1%25C3%25B3%25C3%25B2% 25C3%25B1%25C3%25B2%25C3%25A2%25C3%25B3%25C3%25A5% 25C3%25B2%2Bnofollow;%25C3%25A2%25C3%25AE%25C3%25A 7%25C3%25AC%25C3%25AE%25C3%25A6%25C3%25AD%25C3%25A E,%2B%25C3%25AE%25C3%25B2%25C3%25AF%25C3%25B0%25C3 %25A0%25C3%25A2%25C3%25AB%25C3%25A5%25C3%25AD%25C3 %25AE; 400 - URL -
2009-11-21 22:32:26 200.196.162.234 58606 74.208.153.95 80 HTTP/1.0 GET /forums/%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2 B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B% 2B%2B%2B%2B%2BResult:%2B%25C3%25A8%25C3%25B1%25C3% 25AF%25C3%25AE%25C3%25AB%25C3%25BC%25C3%25A7%25C3% 25B3%25C3%25A5%25C3%25AC%2B%25C3%25AF%25C3%25B0%25 C3%25AE%25C3%25AA%25C3%25B1%25C3%25A8%2B189.8.58.5 9:8080;%25C3%25A7%25C3%25A0%25C3%25B0%25C3%25A5%25 C3%25A3%25C3%25A8%25C3%25B1%25C3%25B2%25C3%25B0%25 C3%25A8%25C3%25B0%25C3%25AE%25C3%25A2%25C3%25A0%25 C3%25AB%25C3%25A8%25C3%25B1%25C3%25BC;%25C3%25A2%2 5C3%25AE%25C3%25B8%25C3%25AB%25C3%25A8;%25C3%25AF% 25C3%25B0%25C3%25A8%25C3%25B1%25C3%25B3%25C3%25B2% 25C3%25B1%25C3%25B2%25C3%25A2%25C3%25B3%25C3%25A5% 25C3%25B2%2Bnofollow;%25C3%25A2%25C3%25AE%25C3%25A 7%25C3%25AC%25C3%25AE%25C3%25A6%25C3%25AD%25C3%25A E,%2B%25C3%25AE%25C3%25B2%25C3%25AF%25C3%25B0%25C3 %25A0%25C3%25A2%25C3%25AB%25C3%25A5%25C3%25AD%25C3 %25AE; 400 - URL -
2009-11-21 22:33:01 220.181.53.231 24356 74.208.153.95 80 HTTP/1.1 GET /forums/%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2 B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B% 2B%2B%2B%2B%2BResult:%2B%25C3%25A8%25C3%25B1%25C3% 25AF%25C3%25AE%25C3%25AB%25C3%25BC%25C3%25A7%25C3% 25B3%25C3%25A5%25C3%25AC%2B%25C3%25AF%25C3%25B0%25 C3%25AE%25C3%25AA%25C3%25B1%25C3%25A8%2B189.8.58.5 9:8080;%25C3%25A7%25C3%25A0%25C3%25B0%25C3%25A5%25 C3%25A3%25C3%25A8%25C3%25B1%25C3%25B2%25C3%25B0%25 C3%25A8%25C3%25B0%25C3%25AE%25C3%25A2%25C3%25A0%25 C3%25AB%25C3%25A8%25C3%25B1%25C3%25BC;%25C3%25A2%2 5C3%25AE%25C3%25B8%25C3%25AB%25C3%25A8;%25C3%25AF% 25C3%25B0%25C3%25A8%25C3%25B1%25C3%25B3%25C3%25B2% 25C3%25B1%25C3%25B2%25C3%25A2%25C3%25B3%25C3%25A5% 25C3%25B2%2Bnofollow;%25C3%25A2%25C3%25AE%25C3%25A 7%25C3%25AC%25C3%25AE%25C3%25A6%25C3%25AD%25C3%25A E,%2B%25C3%25AE%25C3%25B2%25C3%25AF%25C3%25B0%25C3 %25A0%25C3%25A2%25C3%25AB%25C3%25A5%25C3%25AD%25C3 %25AE; 400 - URL -
2009-11-21 22:33:03 202.108.50.25 33195 74.208.153.95 80 HTTP/1.1 GET /forums/%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2 B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B% 2B%2B%2B%2B%2BResult:%2B%25C3%25A8%25C3%25B1%25C3% 25AF%25C3%25AE%25C3%25AB%25C3%25BC%25C3%25A7%25C3% 25B3%25C3%25A5%25C3%25AC%2B%25C3%25AF%25C3%25B0%25 C3%25AE%25C3%25AA%25C3%25B1%25C3%25A8%2B189.8.58.5 9:8080;%25C3%25A7%25C3%25A0%25C3%25B0%25C3%25A5%25 C3%25A3%25C3%25A8%25C3%25B1%25C3%25B2%25C3%25B0%25 C3%25A8%25C3%25B0%25C3%25AE%25C3%25A2%25C3%25A0%25 C3%25AB%25C3%25A8%25C3%25B1%25C3%25BC;%25C3%25A2%2 5C3%25AE%25C3%25B8%25C3%25AB%25C3%25A8;%25C3%25AF% 25C3%25B0%25C3%25A8%25C3%25B1%25C3%25B3%25C3%25B2% 25C3%25B1%25C3%25B2%25C3%25A2%25C3%25B3%25C3%25A5% 25C3%25B2%2Bnofollow;%25C3%25A2%25C3%25AE%25C3%25A 7%25C3%25AC%25C3%25AE%25C3%25A6%25C3%25AD%25C3%25A E,%2B%25C3%25AE%25C3%25B2%25C3%25AF%25C3%25B0%25C3 %25A0%25C3%25A2%25C3%25AB%25C3%25A5%25C3%25AD%25C3 %25AE; 400 - URL -
2009-11-21 22:33:05 140.122.127.251 40405 74.208.153.95 80 HTTP/1.0 GET /forums/%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2 B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B% 2B%2B%2B%2B%2BResult:%2B%25C3%25A8%25C3%25B1%25C3% 25AF%25C3%25AE%25C3%25AB%25C3%25BC%25C3%25A7%25C3% 25B3%25C3%25A5%25C3%25AC%2B%25C3%25AF%25C3%25B0%25 C3%25AE%25C3%25AA%25C3%25B1%25C3%25A8%2B189.8.58.5 9:8080;%25C3%25A7%25C3%25A0%25C3%25B0%25C3%25A5%25 C3%25A3%25C3%25A8%25C3%25B1%25C3%25B2%25C3%25B0%25 C3%25A8%25C3%25B0%25C3%25AE%25C3%25A2%25C3%25A0%25 C3%25AB%25C3%25A8%25C3%25B1%25C3%25BC;%25C3%25A2%2 5C3%25AE%25C3%25B8%25C3%25AB%25C3%25A8;%25C3%25AF% 25C3%25B0%25C3%25A8%25C3%25B1%25C3%25B3%25C3%25B2% 25C3%25B1%25C3%25B2%25C3%25A2%25C3%25B3%25C3%25A5% 25C3%25B2%2Bnofollow;%25C3%25A2%25C3%25AE%25C3%25A 7%25C3%25AC%25C3%25AE%25C3%25A6%25C3%25AD%25C3%25A E,%2B%25C3%25AE%25C3%25B2%25C3%25AF%25C3%25B0%25C3 %25A0%25C3%25A2%25C3%25AB%25C3%25A5%25C3%25AD%25C3 %25AE; 400 - URL -
2009-11-21 22:33:21 123.125.156.145 9509 74.208.153.95 80 HTTP/1.1 GET /forums/%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2 B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B%2B% 2B%2B%2B%2B%2BResult:%2B%25C3%25A8%25C3%25B1%25C3% 25AF%25C3%25AE%25C3%25AB%25C3%25BC%25C3%25A7%25C3% 25B3%25C3%25A5%25C3%25AC%2B%25C3%25AF%25C3%25B0%25 C3%25AE%25C3%25AA%25C3%25B1%25C3%25A8%2B189.8.58.5 9:8080;%25C3%25A7%25C3%25A0%25C3%25B0%25C3%25A5%25 C3%25A3%25C3%25A8%25C3%25B1%25C3%25B2%25C3%25B0%25 C3%25A8%25C3%25B0%25C3%25AE%25C3%25A2%25C3%25A0%25 C3%25AB%25C3%25A8%25C3%25B1%25C3%25BC;%25C3%25A2%2 5C3%25AE%25C3%25B8%25C3%25AB%25C3%25A8;%25C3%25AF% 25C3%25B0%25C3%25A8%25C3%25B1%25C3%25B3%25C3%25B2% 25C3%25B1%25C3%25B2%25C3%25A2%25C3%25B3%25C3%25A5% 25C3%25B2%2Bnofollow;%25C3%25A2%25C3%25AE%25C3%25A 7%25C3%25AC%25C3%25AE%25C3%25A6%25C3%25AD%25C3%25A E,%2B%25C3%25AE%25C3%25B2%25C3%25AF%25C3%25B0%25C3 %25A0%25C3%25A2%25C3%25AB%25C3%25A5%25C3%25AD%25C3 %25AE; 400 - URL -

s0lidgr0und
11-24-2009, 07:55 AM
They all look like spam attempts. Are you getting spam on your site?

http://www.stopforumspam.com/

imported_silkroad
11-24-2009, 09:36 AM
> They all look like spam attempts.

Nothing to do with spam. You are marketing your plugin with this "reply", LOL.

> I spotted this little mess in my web error log and was wondering what the heck it is and if I should be concerned?

Looks like probes to check for vulnerabilities in your web server code.

When we see these types of exploit attempts, we (generally) use iptables and block the offending IP address. You can easily write a script to automate this.


Scan log files from a script in your crontab.
Match for exploit patterns from 404 errors, etc. (up to you).
Update iptables with offending IP and block (or confirm first with your human eyes.)
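
One way to script the three steps above, as an added example that is not part of the original post. The sample log is constructed (documentation-range IPs, shortened URIs), the match patterns are assumptions, and the script only builds `iptables` commands for review instead of running them:

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in the thread's log format (documentation-range IPs, shortened URIs).
SAMPLE_LOG = """\
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2009-11-21 22:31:11 198.51.100.7 58356 192.0.2.10 80 HTTP/1.1 GET /forums/++++Result:+%25C3%25A8%25C3%25B1+nofollow; 400 - URL -
2009-11-21 22:31:40 203.0.113.9 56199 192.0.2.10 80 HTTP/1.0 GET /forums/%2B%2B%2BResult:%2B%25C3%25A8 400 - URL -
2009-11-21 22:32:02 203.0.113.9 56200 192.0.2.10 80 HTTP/1.0 GET /forums/../../../etc/passwd 400 - URL -
2009-11-21 22:32:10 198.51.100.20 40111 192.0.2.10 80 HTTP/1.1 GET /forums/showthread.php?t=12 404 1 NotFound -
"""

DOUBLE_ENCODED = re.compile(r"%25[0-9A-Fa-f]{2}")  # '%' itself escaped, e.g. %25C3


def parse(text):
    """Yield one dict per entry, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, parts))


def is_probe(entry):
    """Example patterns only; the post leaves the choice of patterns to the admin."""
    uri = entry["cs-uri"]
    decoded = unquote(unquote(uri))  # undo two layers of percent-encoding
    rejected = entry["sc-status"] == "400" and entry["s-reason"] == "URL"
    return rejected and (bool(DOUBLE_ENCODED.search(uri)) or "../" in decoded)


def block_candidates(text, min_hits=1, allowlist=()):
    """Return client IPs with at least min_hits probe entries, minus the allowlist."""
    hits = Counter(e["c-ip"] for e in parse(text) if is_probe(e))
    return sorted(ip for ip, n in hits.items() if n >= min_hits and ip not in allowlist)


def iptables_commands(ips):
    """Build commands for human review; nothing is executed here."""
    cmds = []
    for ip in ips:
        addr = ipaddress.ip_address(ip)  # raises ValueError on non-IP log content
        tool = "ip6tables" if addr.version == 6 else "iptables"
        cmds.append(f"{tool} -I INPUT -s {addr} -j DROP")
    return cmds
```

Validating each address with `ipaddress` before formatting the command keeps attacker-controlled log content out of anything that might later be passed to a shell.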

s0lidgr0und
11-24-2009, 09:39 AM
> You are marketing your plugin with this "reply", LOL.

Strange, since I have no plugin to market.

I googled a few of the IPs and saw they appeared on that site. No hidden agenda.

imported_silkroad
11-24-2009, 09:48 AM
> Strange, since I have no plugin to market.

Strange, it looks to an outside observer your reply was to market StopForumSpam, which is in your signature.

I mean, really, most forum jockeys know well that spam does not come to a forum by the way of a URL string with a bunch of seemingly random chars. These types of probes are common.

Did you ever see the one with the ...

.............. blah blah ......../../../../.../../../etc/passwd

in your log file?

PS (EDIT): StopForumSpam is great, BTW.... The vB mod for this is really excellent! It simply has nothing to do with the original poster's question!

s0lidgr0und
11-24-2009, 10:11 AM
> Strange, it looks to an outside observer your reply was to market StopForumSpam, which is in your signature.

Good lord. It's a link I posted from my Google results, not a signature. My forum is listed in my signature, s0lidgr0und.org.

> I mean, really, most forum jockeys know well that spam does not come to a forum by the way of a URL string with a bunch of seemingly random chars. These types of probes are common.
>
> Did you ever see the one with the ...
>
> in your log file?

Point taken. I didn't actually move the scroll bar over far enough to see the garbage, I focused more on the IP address.

> PS (EDIT): StopForumSpam is great, BTW.... The vB mod for this is really excellent! It simply has nothing to do with the original poster's question!

I wouldn't know how great it is. I've actually never heard of it. My apologies for adding any thoughts to the guy's question and potentially being able to help him with his question. Lesson learned.

imported_silkroad
11-24-2009, 10:29 AM
> My apologies for adding any thoughts to the guy's question and potentially being able to help him with his question. Lesson learned.

No problem.

I don't think anyone minds when people answer others' questions. However, generally it is best to answer when you actually have experience with the problem or the expertise to help.

It just looks funny when someone posts a very off-target (completely wrong) answer to a very basic question and provides a link to a site.

If you run a large forum, you will know that this is a common form of forum spam --

Read the forums and then post an "answer" with a link to another site. So, from this seat, your reply seemed like the "real" spam because you posted a link that had zero to do with the original poster's question.

How would we know that your link was innocent? In our forums, this type of spam posting is deleted immediately, BTW.

Peace.