The first one came in last week via Google doing a search on the term calendar. He was stopped cold because I had DigExt on ban at the time. The page and directory he asked for don't exist.

217.21.6.7 - - [15/Oct/2003:03:05:28 -0500] "GET //vb/calendar....mma=%22;echo%20'';%20echo%20%60<pwd>%20%60;die();echo%22 HTTP/1.0" 403 332 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"

Today, another guy comes in via Yahoo search on the same term. He is fed a static html page with an htm extension but then starts going up directories using similar php code as the previous guy: mma=";echo ''; echo `pass `;die();echo".

213.186.190.157 - - [20/Oct/2003:19:30:38 -0500] "GET /subdir/subdir/calendar....mma=%22;echo%20'';%20echo%20%60pass%20%60;die();echo%22 HTTP/1.0" 404 335 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
213.186.190.157 - - [20/Oct/2003:19:30:48 -0500] "GET /subdir/calendar....mma=%22;echo%20'';%20echo%20%60pass%20%60;die();echo%22 HTTP/1.0" 404 323 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
213.186.190.157 - - [20/Oct/2003:19:30:55 -0500] "GET /calendar....mma=%22;echo%20'';%20echo%20%60pass%20%60;die();echo%22 HTTP/1.0" 404 317 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

I don't know which script's calendar has this vulnerability they're trying to exploit. Based on the vb directory asked for in the first case perhaps it's VBulletin? I'm just posting this in case someone else here knows and can warn others to get the hole patched since script kiddies are on the hunt. It is kind of amusing though watching them try to hack into a static html page.