-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello Thomas, I've got them in my logs as well, on my home machine, and some of the class C address ranges I administer. The server OS'es include Solaris, Linux & FreeBSD. I haven't been able to correlate whether these request timeouts are related to a Nimda resource exhaustion on the clients end. I usually get hit by the same set of IP's on a regular basis, and the ones that I have seen the apache error 408's are not in that range. I don't have any snort data on this, either. Chip ====== Chip McClure Sr. Unix Administrator GigGuardian, Inc. http://www.gigguardian.com/ ====== - -----Original Message----- From: Thomas Frerichs [mailto:tfrerichat_private] Sent: Sunday, February 03, 2002 9:54 PM To: incidentsat_private Subject: HTTP 408 errors I'm getting some unusual Apache 1.3.22 log entries in my access_log. I've included a semi-sanitized version below. The actual IP differs by a few in the last quad. I know the 408 error code is Request Time Out, but... The server, running Solaris 8_x86, is not loaded at all. Tomcat 4.0.1 is installed, but again not used. There's basically a blank page at the address as content hasn't been uploaded yet. The log entries do not coincide with any other access, including CodeRedII or Nimda. All I've found so far concerning a 408 error is that Nimda through resource exhaustion can possibly cause it. There have some vague references to the sadmind worm, too. Any ideas? Tom Frerichs tfrerichat_private 209.175.x.x - - [31/Jan/2002:11:26:29 -0700] "-" 408 - "-" "-" 209.175.x.x - - [31/Jan/2002:11:28:02 -0700] "-" 408 - "-" "-" 209.175.x.x - - [31/Jan/2002:11:29:32 -0700] "-" 408 - "-" "-" 209.175.x.x - - [31/Jan/2002:11:31:03 -0700] "-" 408 - "-" "-" 209.175.x.x - - [31/Jan/2002:11:32:33 -0700] "-" 408 - "-" "-" 209.175.x.x - - [31/Jan/2002:11:34:04 -0700] "-" 408 - "-" "-" 209.175.x.x - - [31/Jan/2002:11:35:33 -0700] "-" 408 - "-" "-" 209.175.x.x - - [31/Jan/2002:11:37:02 -0700] "-" 408 - "-" "-" 209.175.x.x - - [31/Jan/2002:11:38:33 -0700] "-" 408 - "-" "-" 209.175.x.x - - [31/Jan/2002:11:40:03 -0700] "-" 408 - "-" "-" 209.175.x.x - - [31/Jan/2002:11:41:33 -0700] "-" 408 - "-" "-" 209.175.x.x - - [31/Jan/2002:11:43:03 -0700] "-" 408 - "-" "-" 209.175.x.x - - [31/Jan/2002:11:44:34 -0700] "-" 408 - "-" "-" 209.175.x.x - - [31/Jan/2002:11:46:04 -0700] "-" 408 - "-" "-" 209.175.x.x - - [31/Jan/2002:11:47:33 -0700] "-" 408 - "-" "-" 209.175.x.x - - [31/Jan/2002:11:49:03 -0700] "-" 408 - "-" "-" 209.175.x.x - - [01/Feb/2002:06:36:50 -0700] "-" 408 - "-" "-" 209.175.x.x - - [01/Feb/2002:06:38:21 -0700] "-" 408 - "-" "-" 209.175.x.x - - [01/Feb/2002:06:39:51 -0700] "-" 408 - "-" "-" 209.175.x.x - - [01/Feb/2002:06:41:21 -0700] "-" 408 - "-" "-" 209.175.x.x - - [01/Feb/2002:06:42:51 -0700] "-" 408 - "-" "-" 209.175.x.x - - [01/Feb/2002:06:44:21 -0700] "-" 408 - "-" "-" 209.175.x.x - - [01/Feb/2002:06:45:52 -0700] "-" 408 - "-" "-" 209.175.x.x - - [01/Feb/2002:06:47:21 -0700] "-" 408 - "-" "-" 209.175.x.x - - [01/Feb/2002:06:48:51 -0700] "-" 408 - "-" "-" 209.175.x.x - - [01/Feb/2002:06:50:21 -0700] "-" 408 - "-" "-" 209.175.x.x - - [01/Feb/2002:06:51:51 -0700] "-" 408 - "-" "-" 209.175.x.x - - [01/Feb/2002:06:53:22 -0700] "-" 408 - "-" "-" 209.175.x.x - - [01/Feb/2002:06:54:52 -0700] "-" 408 - "-" "-" 209.175.x.x - - [01/Feb/2002:06:56:22 -0700] "-" 408 - "-" "-" 209.175.x.x - - [01/Feb/2002:06:57:52 -0700] "-" 408 - "-" "-" 209.175.x.x - - [01/Feb/2002:06:59:22 -0700] "-" 408 - "-" "-" 209.175.x.x - - [03/Feb/2002:12:04:59 -0700] "-" 408 - "-" "-" 209.175.x.x - - [03/Feb/2002:12:06:29 -0700] "-" 408 - "-" "-" 209.175.x.x - - [03/Feb/2002:12:07:59 -0700] "-" 408 - "-" "-" 209.175.x.x - - [03/Feb/2002:12:09:30 -0700] "-" 408 - "-" "-" 209.175.x.x - - [03/Feb/2002:12:11:00 -0700] "-" 408 - "-" "-" 209.175.x.x - - [03/Feb/2002:12:12:30 -0700] "-" 408 - "-" "-" 209.175.x.x - - [03/Feb/2002:12:14:00 -0700] "-" 408 - "-" "-" 209.175.x.x - - [03/Feb/2002:12:15:31 -0700] "-" 408 - "-" "-" 209.175.x.x - - [03/Feb/2002:12:17:00 -0700] "-" 408 - "-" "-" 209.175.x.x - - [03/Feb/2002:12:18:30 -0700] "-" 408 - "-" "-" 209.175.x.x - - [03/Feb/2002:12:20:00 -0700] "-" 408 - "-" "-" 209.175.x.x - - [03/Feb/2002:12:21:31 -0700] "-" 408 - "-" "-" 209.175.x.x - - [03/Feb/2002:12:23:01 -0700] "-" 408 - "-" "-" 209.175.x.x - - [03/Feb/2002:12:24:31 -0700] "-" 408 - "-" "-" 209.175.x.x - - [03/Feb/2002:12:26:01 -0700] "-" 408 - "-" "-" 209.175.x.x - - [03/Feb/2002:12:27:30 -0700] "-" 408 - "-" "-" - ---------------------------------------------------------------------- - ------ This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.5.8 iQA/AwUBPF6/95uKtP8CSC69EQJ8gQCfRhtX1w5y+ODEywtNocVclYeuKNkAnjym mPgCGnN/HcK+bYAWCp6GphqJ =Bfwh -----END PGP SIGNATURE----- ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Feb 04 2002 - 10:16:16 PST