Re: new worm? or DDoS attack in progress
From: Birl (sbirl_at_temple.edu)
Date: 07/30/03
- Previous message: VanMeter, John: "RE: Command Line RPC vulnerability scanner?"
- In reply to: Jon Zobrist: "new worm? or DDoS attack in progress"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 30 Jul 2003 15:16:39 -0400 (EDT) To: incidents@securityfocus.com
As it was written on Jul 29, thus Jon Zobrist spake unto incidents:
Jon: Date: 29 Jul 2003 15:56:50 -0600
Jon: From: Jon Zobrist <jzobrist@contentwatch.com>
Jon: To: incidents <incidents@securityfocus.com>
Jon: Subject: new worm? or DDoS attack in progress
Jon:
Jon: Seems more and more clients are picking up the pace, as our proxy is
Jon: getting more and more requests.
Jon: in thttpd's logs it looks like
Jon:
Jon:
Jon: IPADDRESS - - [29/Jul/2003:15:47:38 -0600] "UNKNOWN UNKNOWN" 400 0 ""
Jon: ""
Jon:
Jon: each client seems to be making between 1 and 5 requests/second
Is this log excerpt literal?
Does it literally say "IPADDRESS" where the IP address should be?
I cannot say Ive seen method of "UNKNOWN" for either Apache or IIS on my
webservers, but I have seen entries such as this:
155.247.166.60 - - [29/Jul/2003:00:13:18 -0500] "- - HTTP/1.0" 500 239
Where 155.247.166.60 is our webserver proxy'ing to another webserver.
Thanks
Scott Birl http://concept.temple.edu/sysadmin/
Senior Systems Administrator Computer Services Temple University
====*====*====*====*====*====*====*====+====*====*====*====*====*====*====*====*
---------------------------------------------------------------------------
----------------------------------------------------------------------------
- Previous message: VanMeter, John: "RE: Command Line RPC vulnerability scanner?"
- In reply to: Jon Zobrist: "new worm? or DDoS attack in progress"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
