I assume this is some type of hacking attempt. I've try to Google it but all I get are sites that look like they have been exploited already.
I'm seeing requests to one of my pages that looks like this.
/listMessages.asp?page=8&catid=5+%28200+ok%29+ACCEPTED
The '(200 ok) ACCEPTED' is what is odd. But it does not appear to do anything.
I'm running on IIS 5 and ASP 3.0. Is this "hack" meant for some other type of web server?
Edit:
Normal requests look like:
/listMessages.asp?page=8&catid=5
In general it may look like either highly specific or specially crafted crack attempt that is made to look like a bug, but I suppose it is not. You should also analyse previous and further requests from this user. If it is sometimes occur from different places with no other suspicious things, it is a bug, not crack attempts.
Are all the requests coming from one IP range? Have you tried running a packet capture to see what the full request headers look like?
Only worthwhile result on Google is this, so ...
Just had this show up on an IIS 6 (Server 2003) site I manage. In this particular case, hitting a ColdFusion page (basic template file which is used across the site, including the home page), and just tacking it on to the end of the URI stem (no query string).
Same request, coming from a number of different IPs, with the following user-agent common amongst them:
No referrer information passed. 21 requests over 2 minutes, with a little over half a dozen unique IPs. Countries returned for IP include US, Bosnia, Malaysia, etcetera.
I find those entries very interesting (and not in a good way).
The basic breakdown of this from a program standpoint gives the following variables:
The catid variable is being corrupted here. ASCII code 28 is File Separator, and code 29 is Group Separator.
If possible, I would check processing of the catid variable, and otherwise ignore it if the program handles it correctly (and rejects it).
Here too several attempts during the Easter.
/+%28200+ok%29+ACCEPTED
(200 ok) ACCEPTED
This seems to be random checks against servers.
The IP can be found at the database of Stopforumspam.
http://www.stopforumspam.com/
I'm getting the same kind of request on a site running classic ASP on IIS 7. The IP addresses I'm tracing all originate with spammers. I also have no idea what they are trying to do, and it does not affect the site adversely other than to annoy us with 404 errors.
As for 200 OK Accepted, it's an HTTP status code: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
I don't have sufficient privileges to comment, but I get this as well, with the browser string:
This is against an Apache server. I don't think it's an attack as it's too infrequent and it wouldn't cause a problem on any HTTP server I can think of, except throw 404 errors.
Short answer, it may be. But given the information you give us I would say no. More logs could change the answer.