Date: Sun, 4 Nov 2001 04:40:30 +1100 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Danny Horne <danny@clifftop.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: OT - Attack on Apache?
Message-ID: <Pine.BSF.3.96.1011104041644.21955A-100000@gaia.nimnet.asn.au>
In-Reply-To: <NFBBLHGNILAMKHLOOJGMAEIGCCAA.danny@clifftop.net>

On Sat, 3 Nov 2001, Danny Horne wrote:

> I've just blocked an IP at my firewall after seeing these entries (many of
> them) in my Apache log. Anyone know if this was some sort of attack? I've
> never seen it before myself.
>
> 217.82.121.20 - - [03/Nov/2001:16:06:04 +0000] "-" 408 - "-" "-"
> 217.82.121.20 - - [03/Nov/2001:16:06:45 +0000] "-" 408 - "-" "-"
> 217.82.121.20 - - [03/Nov/2001:16:07:34 +0000] "-" 408 - "-" "-"
> 217.82.121.20 - - [03/Nov/2001:16:08:15 +0000] "-" 408 - "-" "-"

408 is a Request Timeout. 'The client did not produce a request within the
time that the server was prepared to wait. The client MAY repeat the
request without modifications at any later time.'

Most likely just the source box so bogged down that it can't complete its
requests in time. I've only seen such groups of these from Windows
webserver IPs infected with Nimda, 'randomly' scanning our subnet with HTTP
requests. Only a bother, not a danger.

Note that the first octet of the IP address is the same as yours. You may
see as many or more of these (Nimda requests in general), over time, from
IPs having the same first two octets as your own address. We did, anyway.

Walling it off from tcp 80 access, at least until it's fixed, won't hurt :-)

Cheers, Ian

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
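
Added example, not part of the original message: a small Python triage script for the pattern discussed in the thread, groups of empty-request 408 entries from one source, with a count of how many leading octets that source shares with the server's own address. The first four log lines are the ones quoted in the thread; the other two lines, `OWN_ADDR`, and the threshold and window values are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common/combined log format prefix: host ident user [time] "request" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')

OWN_ADDR = "217.10.0.1"  # constructed placeholder; the thread does not give the server's address

# First four lines are quoted in the thread; the last two are constructed.
SAMPLE_LOG = """\
217.82.121.20 - - [03/Nov/2001:16:06:04 +0000] "-" 408 - "-" "-"
217.82.121.20 - - [03/Nov/2001:16:06:45 +0000] "-" 408 - "-" "-"
217.82.121.20 - - [03/Nov/2001:16:07:34 +0000] "-" 408 - "-" "-"
217.82.121.20 - - [03/Nov/2001:16:08:15 +0000] "-" 408 - "-" "-"
192.0.2.44 - - [03/Nov/2001:16:08:20 +0000] "GET / HTTP/1.0" 200 1456 "-" "-"
203.0.113.9 - - [03/Nov/2001:16:09:02 +0000] "-" 408 - "-" "-"
"""

def shared_octets(a, b):
    """Count the leading dotted-quad octets two IPv4 addresses have in common."""
    n = 0
    for x, y in zip(a.split("."), b.split(".")):
        if x != y:
            break
        n += 1
    return n

def empty_408_bursts(log_text, own_addr, min_hits=3, window=timedelta(minutes=5)):
    """Report sources with >= min_hits empty-request 408s inside one time window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than guess
        host, ts, request, status = m.groups()
        if status == "408" and request == "-":  # connection opened, no request sent
            hits[host].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    report = {}
    for host, times in hits.items():
        times.sort()
        # Densest window: for each start time, count hits within `window` of it.
        best = max(sum(1 for t in times[i:] if t - times[i] <= window)
                   for i in range(len(times)))
        if best >= min_hits:
            report[host] = {"hits": len(times), "in_window": best,
                            "shared_octets": shared_octets(host, own_addr)}
    return report

if __name__ == "__main__":
    for host, info in empty_408_bursts(SAMPLE_LOG, OWN_ADDR).items():
        print(host, info)
```

A `shared_octets` value of 1 or 2 matches the locality Ian describes; a single stray 408, like the constructed `203.0.113.9` line, stays below the threshold and is not reported.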