Re: 403 error (too many users...): possible attack?

From: Alessandro Perilli (peris_at_tiscali.it)
Date: 06/08/03

• Next message: Paul Lynch: "Re: Not able to open remote mdb files from asp"
• Previous message: Robert Moir: "Re: Security threat - execute script to show directory"
• In reply to: Yaleo: "403 error (too many users...): possible attack?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Sun, 8 Jun 2003 14:42:09 +0200

On 8 Jun 2003 05:16:25 -0700, Yaleo wrote:

> Hi to all.
>
> On 4 days of the last week I had the following problem with one of my
> servers (running Windows 2000 Server, with IIS 5, and all latest fixes
> according to Windows Update):
>
> about at the end of the working day, the web server start to responde
> 403 errors to all the users (The error is: too many users are
> connected...) and the server remains in this state until I reboot it.
> It is not possible to restart the service, because it never stops when
> I try.
>
> As far as I know, this error should appear if too many users are
> trying to connect to the web server, but It should disappear as soon
> as enough users disconnect from the server. In this case it seems the
> users (or the sessions) never expires.
>
> I looked insider the web server logs, and didn't see anything out of
> ordinary, expet the 403 errors coming up without any apparent reason.
>
> Maybe is there some kind of attack, that sends incomplete requests to
> the web server and doesn't it appear in the log?
>
> Thanks to all.
>
> Frk

Frk,
just for debugging purpose you could disable HTTP Keep-Alives feature and
see what's happen:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtech
nol/windowsserver2003/proddocs/standard/qos_enablekeepalives.asp

-- 
Alessandro Perilli
Security Consultant / Trainer
MCT - MCSE 2000 - LINUX+
CCSI - CCSE 2000 - CCSE+ NG
CCNA - CIWP - CIWSA - CCA XP
SECURITY+ 

---

• Next message: Paul Lynch: "Re: Not able to open remote mdb files from asp"
• Previous message: Robert Moir: "Re: Security threat - execute script to show directory"
• In reply to: Yaleo: "403 error (too many users...): possible attack?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Limiting repetitive file access ... > repetitively entering the same url repetitively ... What was done is to have a script monitoring the Web server logs and if ... the Web server will not even spare resources for abusing users. ... (php.general) Re: 404 with IIS (6.0) PHP, CGI, Host Header on Windows 2003 Server ... I do not see a 404 error in you web server logs. ... > to the default "any host header" value, and make your 404 request again. ... > Kristofer Gafvert ... (microsoft.public.inetserver.iis) Re: Hack attempt ... the user that your web server runs as. ... not allow inserting remote files. ... I'm Norbert Crettol, one of the sysadmins ... > Here are the logs we got (we get a remote copy of the web server logs ... (Focus-Linux) Re: Hack attempt ... (Edit php.ini OR httpd.conf and add a ... Norbert Crettol wrote: ... > Here are the logs we got (we get a remote copy of the web server logs ... (Focus-Linux) Re: Monitoring Web connections ... the logs depend on the web server software used. ... > Thanks, pkdenver ... >> the web server logs should give you all the info you are looking for. ... >>>I have a development machine I'm using to develop websites. ... (microsoft.public.windowsxp.network_web)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(17)