New Unfriendly U-A and Request URI

Is this an attempted server exploit?

         

Wizcrafts

10:07 pm on Aug 26, 2004 (gmt 0)

10+ Year Member



Greetings;

I found this cryptic entry in my logs from last night:

61.135.***.173 - - [26/Aug/2004:03:41:07 -0400] "GET /~!^~!^~!.html HTTP/1.1" 404 657 "-" "google"

The IP is Chinese, and has no affiliation with the real Google. The request threw a 404 in my logs, but when I dropped it into my browser I got a message saying "Server File Not Found," instead of my custom 404 page. The server is a RAQ4 running Linux.

Is this a new server hacking attempt, or a known exploit that I am just seeing for the first time?

I have just blocked this ISP's entire IP range, but I'm concerned about the nature of the Requested URI. Any input will be appreciated. Google reveals nothing about this URI.

Wiz

[edited by: volatilegx at 10:57 pm (utc) on Aug. 26, 2004]
[edit reason] obscured IP [/edit]

photoace

2:56 pm on Aug 28, 2004 (gmt 0)

10+ Year Member



It hit me as well. I have the entire IP 61. blocked and somehow the server returns a 404 and not a 403. Any "~" following the root "/" sends my server to the users subdirectory. Maybe looking for some user account exploits on the server. Just as puzzled as you are. Would like to know more, maybe in the Apache forum we might find help.

volatilegx

3:32 pm on Aug 28, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Just for kicks, I used that filename to make a request to my website. I noticed that the ^ character was converted to %5E by my browser (Firefox .8), making the filename ~!%5E~!%5E~!.html

Of course, the above may be totally irrelevant :)

Wizcrafts

4:20 pm on Aug 28, 2004 (gmt 0)

10+ Year Member



I also asked this question in the Apache Webserver forum, here: [webmasterworld.com...]

So far nobody there has an answer for what hack is being attempted. I like the idea that was posted here about sub-user accounts beginning with a tilde, as a possible exploit attempt. We do need to find out what these people are up to.

Wiz

Lord Majestic

5:02 pm on Aug 31, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



"GET /~!^~!^~!.html HTTP/1.1"

~!^ are so called "unsafe" characters and should not be used in URLs without encoding. Why are they called "unsafe"? Because "Some characters present the possibility of being misunderstood within URLs for various reasons. These characters should also always be encoded."

It's not a hack - just some error in a testing bot or something like this. Or maybe some error converting Unicode (Chinese) to ASCII.

Wizcrafts

5:55 pm on Aug 31, 2004 (gmt 0)

10+ Year Member



Oh, I see now. Somebody in China is testing a new Bot, which they have named "google" and because they are so new in the business they haven't learned yet how to translate their typed alphabet into a unicode character set. They just happened to be browsing the Internet and found our sites by accident, then, instead of requesting / (the default root file) they asked for some untranslatable file, with "unsafe" characters, but, mysteriously ending in the readable .html? I don't buy it.

Besides, if it is a search bot, it didn't request Robots.txt, like most SEs do. It only asked for that one "unsafe" filename, got a server 404, and went away (to visit JD's website).

Wiz

Lord Majestic

9:34 am on Sep 1, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Filename looks pretty safe to me, it's just characters called unsafe. Anything could have happened, you will probably never know what, it does not look like a hack attempt unless you know of a specific problem with Apache losing it when "/~!^~!^~!.html" is requested. Just relax and let it go - strange things happen on the Internet and many of those things mean nothing and are therefore not worth losing a good night's sleep over.

jdMorgan

4:06 am on Sep 2, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



to visit JD's website

Yeah, it did indeed come by after you kicked it out, but was rejected as a Googlebot spoof.


61.135.***.173 - - [26/Aug/2004:12:33:31 -0500] "GET /~!^~!^~!.html HTTP/1.1" 403 646 "-" "google"

Hopefully it's just a badly-coded junk robot stuck in a loop, and not a specific exploit attempt. If it was indeed something bad, I suspect we'd have heard about it on some of the security sites by now.

Jim
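
An added example, not part of the thread or any poster's code: a small Python triage of Apache combined-format log lines for the three traits discussed above (raw RFC 1738 "unsafe" characters in the path, a "/~" user-directory-style path, and a User-Agent that mentions Google without the Googlebot token). The finding names, the User-Agent heuristic and the second sample line are assumptions made for illustration.

```python
import re
from urllib.parse import quote

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Characters RFC 1738 section 2.2 calls "unsafe" when sent without %-encoding.
UNSAFE = set('{}|\\^~[]`<>"')


def analyze(line):
    """Return a dict describing one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    uri, agent = m['uri'], m['agent'].lower()
    findings = []
    raw = ''.join(sorted(set(uri) & UNSAFE))
    if raw:
        findings.append('raw-unsafe-chars:' + raw)
    if uri.startswith('/~'):
        # Shape that a per-user directory mapping would treat as /~username
        findings.append('userdir-style-path')
    if 'google' in agent and 'googlebot' not in agent:
        # String heuristic only (an assumption of this example); a matching
        # User-Agent proves nothing about who sent the request.
        findings.append('google-ua-without-googlebot-token')
    return {
        'host': m['host'],
        'status': int(m['status']),
        'uri': uri,
        # What a browser that escapes "^" would have sent for the same path
        'encoded_uri': quote(uri, safe='/~!%?=&'),
        'findings': findings,
    }


SAMPLES = [
    # Line quoted in the thread (IP already obscured by the moderator)
    '61.135.***.173 - - [26/Aug/2004:03:41:07 -0400] "GET /~!^~!^~!.html HTTP/1.1" 404 657 "-" "google"',
    # Constructed line for contrast
    '192.0.2.10 - - [26/Aug/2004:04:00:00 -0400] "GET /robots.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
]

if __name__ == '__main__':
    for entry in map(analyze, SAMPLES):
        print(entry['host'], entry['status'], entry['encoded_uri'], entry['findings'])
```

The `encoded_uri` field reproduces the `%5E` form reported earlier in the thread, which helps when grepping for the same request in logs from clients or proxies that escape the path.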