Our company site just went live and the very first entry in access.log looks like a tentative exploit :)
Any idea on which one it could be?
Here's the relevant line:
79.168.7.121 - - [28/Jan/2011:13:19:25 +0100] "Z\xc0\xf5\x95\xb8Un\xff\x9ecA\xd1\xc2/\xfc\x94n\x8epeM\xdc\x18#\xb3\xc8\xa5\xbe)\xbci\xe2\xf5\x02,\x97\xc0\x96\x9e\xa9\xf8;i\x1a\x86\x01" 200 4855 "-" "-"
I don't mean to discount the validity of your question, but past a certain point, chasing this kind of log traffic just becomes prohibitively time-costly. Script kiddies, automated exploit-probing bots, badly-designed web spiders - they'll all come pay your web server a visit at some point, and they'll all leave bizarre entries in your access logs. What you need to consider, and develop a log analysis strategy to expose, is when access to privileged resources are granted in correlation with these weird lines; you should key your log analysis on finding unexpected privileged access, rather than unexpected requests. Consider how to link your web server access logs against your web application logs to get a better view of what actually constitutes unexpected access. I realize that's pretty general advice, but I hope it's somewhat useful.
The IP address is from Lisboa, Portugal (as any GeoIP service can tell you). The "\x" escapes are escapes to specify Unicode codepoints, so they should resolve to something more or less meaningful.
But it seems the requests yielded a HTTP 200?
Could be a buffer overflow exploit.
