Re: OT - Attack on Apache?

From: Ian Smith (smithi@nimnet.asn.au)
Date: 11/03/01


Date: Sun, 4 Nov 2001 04:40:30 +1100 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Danny Horne <danny@clifftop.net>

On Sat, 3 Nov 2001, Danny Horne wrote:

> I've just blocked an IP at my firewall after seeing these entries (many of
> them) in my Apache log. Anyone know if this was some sort of attack? I've
> never seen it before myself.
>
> 217.82.121.20 - - [03/Nov/2001:16:06:04 +0000] "-" 408 - "-" "-"
> 217.82.121.20 - - [03/Nov/2001:16:06:45 +0000] "-" 408 - "-" "-"
> 217.82.121.20 - - [03/Nov/2001:16:07:34 +0000] "-" 408 - "-" "-"
> 217.82.121.20 - - [03/Nov/2001:16:08:15 +0000] "-" 408 - "-" "-"

408 is a Request Timeout. 'The client did not produce a request within
the time that the server was prepared to wait. The client MAY repeat
the request without modifications at any later time.'

Most likely just the source box so bogged down that it can't complete
its requests in time. I've only seen such groups of these from Windows
webserver IPs infected with Nimda, 'randomly' scanning our subnet with
HTTP requests. Only a bother, not a danger.

Note that the first octet of the IP address is the same as yours. You
may see as many or more of these (Nimda requests in general), over time,
from IPs having the same first two octets as your own address. We did,
anyway. Walling it off from tcp 80 access, at least until it's fixed,
won't hurt :-)

Cheers, Ian
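
Added example, not part of the original message: a short Python check that finds clients producing runs of empty-request 408 entries like the ones quoted above, and reports how many leading octets each shares with the server's own address. The threshold, the window, the non-217.82.121.20 log lines and OWN_ADDR are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common/combined format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) \S+')

def empty_408_bursts(lines, min_hits=3, window=timedelta(minutes=5)):
    """Return {ip: total_hits} for clients with at least min_hits 408 responses
    to an empty request ("-") inside some sliding window of the given length."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "408" or m["req"] != "-":
            continue  # unparsable line, or a request that was actually sent
        hits[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # shrink window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= min_hits:
            flagged[ip] = len(stamps)
    return flagged

def shared_leading_octets(a, b):
    """Count the leading octets two dotted-quad addresses have in common."""
    pairs = zip(a.split("."), b.split("."))
    return next((i for i, (x, y) in enumerate(pairs) if x != y), 4)

# First four lines are the ones quoted in the thread; the last two are constructed.
SAMPLE = [
    '217.82.121.20 - - [03/Nov/2001:16:06:04 +0000] "-" 408 - "-" "-"',
    '217.82.121.20 - - [03/Nov/2001:16:06:45 +0000] "-" 408 - "-" "-"',
    '217.82.121.20 - - [03/Nov/2001:16:07:34 +0000] "-" 408 - "-" "-"',
    '217.82.121.20 - - [03/Nov/2001:16:08:15 +0000] "-" 408 - "-" "-"',
    '192.0.2.10 - - [03/Nov/2001:16:06:10 +0000] "GET / HTTP/1.0" 200 1024 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [03/Nov/2001:16:09:00 +0000] "-" 408 - "-" "-"',
]
OWN_ADDR = "217.0.2.1"  # constructed stand-in for the server's own address

if __name__ == "__main__":
    for ip, n in empty_408_bursts(SAMPLE).items():
        print(ip, n, "empty 408s; shares", shared_leading_octets(ip, OWN_ADDR), "octet(s) with", OWN_ADDR)
```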
