Recently I came across lines like these in an HTTP server's access_log (I've changed the real image to "someimage.jpg" - you can browse the images folder directly since directory listing is allowed, in case you want to try with a real image):

GET http://www.hindu.com\xc2:\xc2/mp/2006/07/03/images/someimage.jpg HTTP/1.1" 400 313 "-" "webcollage/1.135a

The user agent seems to be webcollage, which is a tool to decorate the screen with random images from the web - but I guess it is faked. Obviously someone tried to use the HTTP server as an HTTP proxy.

Now what I wonder about is the \xc2:\xc2 part in the URL. Without that part it would be a valid URL. With that string, the first \xc2 would be interpreted as part of the top-level domain, while the second one would be interpreted as the port. I didn't find any reference to a vulnerability connected to that string, but I found a lot of access logs via Google containing similar lines, without any explanation.

Any ideas what was tried here?

0x80
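
An added example, not part of the original post: a Python sketch that scans access-log lines for absolute-form request targets like the one quoted above, restores the `\xhh` escapes to raw bytes, and splits the authority into host and port the way the question describes. The combined log format, the sample lines (apart from the request line taken from the post), and all function names are assumptions.

```python
import re

# Request field of a combined-format log line: "METHOD target PROTO" status
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3})')
ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{2})')  # non-printable bytes are logged as \xhh
HOST_RE = re.compile(rb'^[A-Za-z0-9.-]+$')       # plain DNS names and IPv4 only

def unescape(text):
    """Turn the log's \\xhh escapes back into the raw bytes the client sent."""
    decoded = ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), text)
    return decoded.encode('latin-1', 'replace')

def is_utf8(data):
    try:
        data.decode('utf-8')
        return True
    except UnicodeDecodeError:
        return False

def classify(line):
    """Return None for origin-form requests, else details of the absolute-form target."""
    m = REQUEST_RE.search(line)
    if not m or '://' not in m.group('target'):
        return None
    raw = unescape(m.group('target'))
    authority = raw.split(b'://', 1)[1].split(b'/', 1)[0]
    host, sep, port = authority.rpartition(b':')
    if not sep:                      # no colon: whole authority is the host
        host, port = authority, b''
    return {
        'host': host,
        'port': port,
        'host_ok': bool(HOST_RE.match(host)),
        'port_ok': port == b'' or port.isdigit(),
        'utf8_ok': is_utf8(authority),
        'status': int(m.group('status')),
    }

# Constructed sample lines; only the first request line comes from the post.
SAMPLE = [
    r'192.0.2.10 - - [03/Jul/2006:10:00:00 +0000] "GET http://www.hindu.com\xc2:\xc2/mp/2006/07/03/images/someimage.jpg HTTP/1.1" 400 313 "-" "webcollage/1.135a"',
    r'192.0.2.11 - - [03/Jul/2006:10:00:01 +0000] "GET http://www.example.com:8080/index.html HTTP/1.1" 404 209 "-" "-"',
    r'192.0.2.12 - - [03/Jul/2006:10:00:02 +0000] "GET /images/someimage.jpg HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == '__main__':
    for line in SAMPLE:
        print(classify(line))
```

For the line from the post, the host ends in the byte 0xC2 and the port is the single byte 0xC2, so neither part is well-formed, and the authority is not valid UTF-8 because 0xC2 is a lead byte with no continuation byte after it.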
