Re: OT - Attack on Apache?

From: Ian Smith (smithi@nimnet.asn.au)
Date: 11/03/01


Date: Sun, 4 Nov 2001 04:40:30 +1100 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Danny Horne <danny@clifftop.net>

On Sat, 3 Nov 2001, Danny Horne wrote:

> I've just blocked an IP at my firewall after seeing these entries (many of
> them) in my Apache log. Anyone know if this was some sort of attack? I've
> never seen it before myself.
>
> 217.82.121.20 - - [03/Nov/2001:16:06:04 +0000] "-" 408 - "-" "-"
> 217.82.121.20 - - [03/Nov/2001:16:06:45 +0000] "-" 408 - "-" "-"
> 217.82.121.20 - - [03/Nov/2001:16:07:34 +0000] "-" 408 - "-" "-"
> 217.82.121.20 - - [03/Nov/2001:16:08:15 +0000] "-" 408 - "-" "-"

408 is a Request Timeout. 'The client did not produce a request within
the time that the server was prepared to wait. The client MAY repeat
the request without modifications at any later time.'

Most likely just the source box so bogged down that it can't complete
its requests in time. I've only seen such groups of these from Windows
webserver IPs infected with Nimda, 'randomly' scanning our subnet with
HTTP requests. Only a bother, not a danger.

Note that the first octet of the IP address is the same as yours. You
may see as many or more of these (Nimda requests in general), over time,
from IPs having the same first two octets as your own address. We did,
anyway. Walling it off from tcp 80 access, at least until it's fixed,
won't hurt :-)

Cheers, Ian

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message