I haven't seen that error message before. Is the client IP in the log file an address of a known computer, or are they random?

It looks like it may be some sort of script. Trace goes to China on some, others Australia. There will be calls from the same IP maybe 4 times within a minute, then 4 or 5 more a few minutes later.

In the ssl_request_log the IPs do a call for (example):

[22/Dec/2014:09:16:07 -0600] xx.xxx.xx.xx TLSv1 DES-CBC3-SHA "GET /plus/mytag_js.php?aid=19015 HTTP/1.1" 12010

and:

[22/Dec/2014:10:10:15 -0600] xx.xxx.xx.xx TLSv1 DES-CBC3-SHA "GET /plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[]=112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=109&arrs2[]=121&arrs2[]=116&arrs2[]=97&arrs2[]=103&arrs2[]=96&arrs2[]=32&arrs2[]=40&arrs2[]=97&arrs2[]=105&arrs2[]=100&arrs2[]=44&arrs2[]=101&arrs2[]=120&arrs2[]=112&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=44&arrs2[]=110&arrs2[]=111&arrs2[]=114&arrs2[]=109&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=41&arrs2[]=32&arrs2[]=86&arrs2[]=65&arrs2[]=76&arrs2[]=85&arrs2[]=69&arrs2[]=83&arrs2[]=40&arrs2[]=49&arrs2[]=57&arrs2[]=48&arrs2[]=49&arrs2[]=53&arrs2[]=44&arrs2[]=64&arrs2[]=96&arrs2[]=92&arrs2[]=39&arrs2[]=96&arrs2[]=44&arrs2[]=39&arrs2[]=123&arrs2[]=100&arrs2[]=101&arrs2[]=100&arrs2[]=101&arrs2[]=58&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=125&arrs2[]=102&arrs2[]=105&arrs2[]=108&arrs2[]=101&arrs2[]=95&arrs2[]=112&arrs2[]=117&arrs2[]=116&arrs2[]=95&arrs2[]=99&arrs2[]=111&arrs2[]=110&arrs2[]=116&arrs2[]=101&arrs2[]=110&arrs2[]=116&arrs2[]=115&arrs2[]=40&arrs2[]=39&arrs2[]=39&arrs2[]=101&arrs2[]=55&arrs2[]=120&arrs2[]=117&arrs2[]=101&arrs2[]=46&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=39&arrs2[]=39&arrs2[]=44&arrs2[]=39&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=32&arrs2[]=101&arrs2[]=118&arrs2[]=97&arrs2[]=108&arrs2[]=40&arrs2[]=36&arrs2[]=95&arrs2[]=80&arrs2[]=79&arrs2[]=83&arrs2[]=84&arrs2[]=91&arrs2[]=101&arrs2[]=55&arrs2[]=120&arrs2[]=117&arrs2[]=101&arrs2[]=93&arrs2[]=41&arrs2[]=59&arrs2[]=63&arrs2[]=62&arrs2[]=119&arrs2[]=119&arrs2[]=119&arrs2[]=46&arrs2[]=101&arrs2[]=55&arrs2[]=120&arrs2[]=117&arrs2[]=101&arrs2[]=46&arrs2[]=99&arrs2[]=111&arrs2[]=109&arrs2[]=39&arrs2[]=39&arrs2[]=41&arrs2[]=59&arrs2[]=123&arrs2[]=47&arrs2[]=100&arrs2[]=101&arrs2[]=100&arrs2[]=101&arrs2[]=58&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=125&arrs2[]=39&arrs2[]=41&arrs2[]=32&arrs2[]=35&arrs2[]=32&arrs2[]=64&arrs2[]=96&arrs2[]=92&arrs2[]=39&arrs2[]=96 HTTP/1.1" 12010

Just installed SSL last week and was doing some log checks and wondered what it is. Script kiddies? Scraper?

These probes are looking for a known exploit in the DedeCMS website package. As your site doesn't have a /plus directory you are not using DedeCMS and therefore are not vulnerable for this specific attack. DedeCMS is a Chinese CMS package and used in a number of Asian countries which may be the reason that most of your attacks seem to come from the Asia-Pacific region.

Thanks! I appreciate the answer!

Marc

PS: I should have put the long string in BBCode's "code" so it wouldn't spread the thread. Tried to edit but I assume it's past the time allowed for an edit. My bad. Sorry about that.

Your post wraps correctly in IE 11, but it looks awkward in Chrome. It might be able to fix this with a CSS change. I filed a bug report about your post to the admins, maybe they can use that post to come up with a permanent solution for wrapping of long lines.

String also "wraps" OK in FF28 on linux ..maybe just a chrome "bug" ( I mean chrome "thing" ) ?

To clarify - I'm on OS X and was viewing in Safari. Just checked in Firefox and it wraps correctly. In Chrome it "sorta" wraps. Opera doesn't handle it well either.