Yes, it’s just that bots run around the network, sort through the ranges of ip addresses and sort out possible vulnerabilities… If you have software with all the necessary patches, then hammer it and that’s it…
Crowds of such people run around on my server… And in 5 years – nothing…

What other slashes in reverse order? \xHH is the hex representation of a byte. Binary data is passed to the web server, so there is no method in the logs and their hex representation is displayed. I just tried to telnet
to myself some rubbish, this is what appeared in the logs:
Although it looks like a buffer overflow attack, I doubt it's an exploit. Perhaps these requests are not intended for the web server at all, but for some reason they come to you on port 80.
The truth confuses that the statuses of the answer are different. By the way, the size of the main page is not by chance 4892 bytes?

And I have such along with "GET /php/admin" and similar ban by IP script. Just in case…

I guessed that the bots were walking around deepazanou, because. I have a dynamic IP, and somehow I can’t call it a targeted attack.
Another question, specifically on this entry:
(IP3 was here) - - [21/Apr/2012:06:51:07 +0000] ";\xaf\x7f]\x19\xf0\xdd\xcf\xf8\ [email protected]$\xb1" 200 4892
I understand that the server accepted this request (if the response code is 200), but how do you know how he reacted to it, and were there any consequences?
>And I have such, along with "GET /php/admin" and similar ban by IP script. Just in case...
Yes, these comrades are logging just in batches)))

>well, go to this url and take a look
And so I understand this line is not a URL in principle, here even the slashes are in the reverse order, as you can see. Plus, in the logs, even with such a substitution, it is clearly recorded: GET request is a curve, the file was not found. Whereas with the original entries in the logs there is no way to transfer data (POST / GET), just the time and this line, i.e. as if just someone was knocking on a visit, without a specific request for the contents of the server.
I looked on the net, in particular, there are a lot of similar topics on the same Stackoverflow, people also wondered what kind of requests in the logs, they came to the conclusion that this was really an attack, a shellcode, to be more precise.

Through telnet? Hmm, I didn’t think about it, I inserted the line into the browser, which changed all backslashes (\) to just slashes (/) and a GET request was recorded in the logs, I meant this when I was talking about the order (sorry, I didn’t get enough sleep, so I didn’t expressed exactly).
As for the main account, there really is this figure, I just looked in the properties: 4.77 KB (4,892 bytes). What is it and how does it relate to these crooked queries?