
Weird apache logs

From: Travis Read <travisr(at)rave.iinet.net.au>
Date: Tue Feb 25 2003 - 20:57:20 EST

Over the last few days I've noticed a number of weird GET requests in my apache logs. Has anybody else seen this kind of traffic or have any idea what's causing it?

66.31.196.92 - - [26/Feb/2003:05:51:24 +0800] "GET http://www.outwar.com/page.php?x=155098&pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
66.31.196.92 - - [26/Feb/2003:05:58:22 +0800] "GET http://www.outwar.com/page.php?x=155098&pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
66.31.196.92 - - [26/Feb/2003:06:03:23 +0800] "GET http://www.outwar.com/page.php?x=155098&pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
66.31.196.92 - - [26/Feb/2003:06:07:23 +0800] "GET http://www.outwar.com/page.php?x=155098&pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
66.31.196.92 - - [26/Feb/2003:06:29:06 +0800] "GET http://www.outwar.com/page.php?x=155098&pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
62.0.128.157 - - [26/Feb/2003:06:40:34 +0800] "GET http://www.outwar.com/page.php?x=237155&pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
172.171.210.56 - - [24/Feb/2003:11:55:02 +0800] "GET http://www.outwar.com/page.php?x=137196&pro=1e14c3925f8337fcb0d9b447f8164 93d HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
24.147.33.83 - - [24/Feb/2003:20:27:38 +0800] "GET http://www.outwar.com/page.php?x=309737&pro=1e14c3925f8337fcb0d9b447f816493 d HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"

65.165.26.221 - - [26/Feb/2003:03:54:14 +0800] "GET http://www.outwar.com/page.php?x=131563 &pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 400 376 "-" "-"

In a 24-hour period:
pluto:/var/log# cat /var/log/apache/access.log | grep www.outwar.com | wc -l
    189

  • The traffic is from all over the place (i.e. distributed).
  • Every now and again the GET request contains a white space after x=number, which generates a different 400 error instead of a 404.

The traffic doesn't hurt my network at all, but it is starting to fill log files. Are they just doing a probe to see what version of apache I'm running?

I also noticed this once:
217.106.89.37 - - [25/Feb/2003:10:18:51 +0800] "\x05\x01" 200 889 "-" "-"


The version of apache I'm running:
pluto:/var/log# telnet 0 80
Trying 0.0.0.0...
Connected to 0.0.0.0.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 26 Feb 2003 01:56:28 GMT
Server: Apache/1.3.26 (Unix) Debian GNU/Linux mod_gzip/1.3.19.1a PHP/4.1.2 mod_perl/1.26
X-Powered-By: PHP/4.1.2
Connection: close
Content-Type: text/html; charset=iso-8859-1

Connection closed by foreign host.

Kind regards,



Travis Read
travisr@staff.iinet.net.au | Level 6, Durack House, 263 Adelaide Terrace

" there is a war going on, it's not about who has the most bullets,

         it's about who controls the information " - SNEAKERS


Received on Wed Feb 26 13:34:02 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:59 EDT
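
An added example, not part of the original post: a triage script that generalizes the grep | wc -l count in the message by grouping requests whose target is an absolute URI (the form a client sends to a proxy) for a host this server does not serve, and by listing request lines that are not HTTP at all, such as the "\x05\x01" entry. LOCAL_HOSTS, its value and the function names are assumptions; the sample lines come from the post except the last, which is constructed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Assumption: names this server legitimately answers for (hypothetical value).
LOCAL_HOSTS = {"pluto.example.net"}
# Common/combined log prefix: client ident user [time] "request" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(.*?)" (\d{3}) ')

# Sample input: five lines from the post, then one constructed ordinary request.
SAMPLE = r'''
66.31.196.92 - - [26/Feb/2003:05:51:24 +0800] "GET http://www.outwar.com/page.php?x=155098&pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
66.31.196.92 - - [26/Feb/2003:05:58:22 +0800] "GET http://www.outwar.com/page.php?x=155098&pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
62.0.128.157 - - [26/Feb/2003:06:40:34 +0800] "GET http://www.outwar.com/page.php?x=237155&pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 404 291 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
65.165.26.221 - - [26/Feb/2003:03:54:14 +0800] "GET http://www.outwar.com/page.php?x=131563 &pro=1e14c3925f8337fcb0d9b447f816493d HTTP/1.1" 400 376 "-" "-"
217.106.89.37 - - [25/Feb/2003:10:18:51 +0800] "\x05\x01" 200 889 "-" "-"
192.0.2.10 - - [26/Feb/2003:07:00:00 +0800] "GET /index.html HTTP/1.0" 200 1024 "-" "-"
'''

def classify(request):
    """Return (kind, host) for the request field of one log line."""
    parts = request.split(" ")
    if len(parts) < 2 or not parts[0].isalpha():
        return ("non-http", None)  # e.g. \x05\x01, the first bytes of a SOCKS5 greeting
    host = urlsplit(parts[1]).hostname if "://" in parts[1] else None
    if host is None or host in LOCAL_HOSTS:
        return ("local", None)
    # Exactly three tokens is a well-formed absolute-form request line;
    # a stray space adds a token (such lines show status 400 in the post).
    return ("proxy-style" if len(parts) == 3 else "proxy-style-malformed", host)

def summarize(lines):
    """Group proxy-style requests by foreign host; collect non-HTTP request lines."""
    hosts = defaultdict(lambda: {"requests": 0, "clients": set(), "statuses": Counter()})
    non_http = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or unparseable line
        client, request, status = m.groups()
        kind, host = classify(request)
        if kind == "non-http":
            non_http.append((client, request, status))
        elif host:
            hosts[host]["requests"] += 1
            hosts[host]["clients"].add(client)
            hosts[host]["statuses"][status] += 1
    return dict(hosts), non_http

if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines()))
```

A 2xx or 3xx status in the per-host counts is the case to look at first, since it means the server answered a request for a site it does not host.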

