I would suspect that these are all nimda/code red but are getting blocked at your border by NBAR on your cisco. The router drops the packets that have the nimda signature, but there isn't any way for the router to know to drop the syn-ack James On Sun, 3 Feb 2002, Thomas Frerichs wrote: > I'm getting some unusual Apache 1.3.22 log entries in my access_log. I've > included a semi-sanitized version below. The actual IP differs by a few in > the last quad. > > I know the 408 error code is Request Time Out, but... > > The server, running Solaris 8_x86, is not loaded at all. Tomcat 4.0.1 is > installed, but again not used. There's basically a blank page at the address > as content hasn't been uploaded yet. The log entries do not coincide with > any other access, including CodeRedII or Nimda. > > All I've found so far concerning a 408 error is that Nimda through resource > exhaustion can possibly cause it. There have some vague references to the > sadmind worm, too. > > Any ideas? > > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Feb 04 2002 - 12:09:44 PST