Security Incidents mailing list archives

RE: HTTP 408 errors


From: "Chip McClure" <vhm3 () hades gigguardian com>
Date: Mon, 4 Feb 2002 09:15:10 -0800

Hello Thomas,

I've got them in my logs as well, on my home machine, and some of the
class C address ranges I administer. The server OSes include
Solaris, Linux & FreeBSD. I haven't been able to correlate whether
these request timeouts are related to a Nimda resource exhaustion on
the client's end. I usually get hit by the same set of IPs on a
regular basis, and the ones that I have seen the Apache error 408s
from are not in that range.

I don't have any snort data on this, either.

Chip

======
Chip McClure
Sr. Unix Administrator
GigGuardian, Inc.

http://www.gigguardian.com/
====== 

-----Original Message-----
From: Thomas Frerichs [mailto:tfrerich () shiboleth net]
Sent: Sunday, February 03, 2002 9:54 PM
To: incidents () securityfocus com
Subject: HTTP 408 errors


I'm getting some unusual Apache 1.3.22 log entries in my access_log. I've
included a semi-sanitized version below. The actual IP differs by a few in
the last quad.

I know the 408 error code is Request Time Out, but...

The server, running Solaris 8_x86, is not loaded at all. Tomcat 4.0.1 is
installed, but again not used. There's basically a blank page at the address
as content hasn't been uploaded yet. The log entries do not coincide with
any other access, including CodeRedII or Nimda.

All I've found so far concerning a 408 error is that Nimda through resource
exhaustion can possibly cause it. There have been some vague references to
the sadmind worm, too.

Any ideas?


Tom Frerichs
tfrerich () shiboleth net

209.175.x.x - - [31/Jan/2002:11:26:29 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:28:02 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:29:32 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:31:03 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:32:33 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:34:04 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:35:33 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:37:02 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:38:33 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:40:03 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:41:33 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:43:03 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:44:34 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:46:04 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:47:33 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:49:03 -0700] "-" 408 - "-" "-"

209.175.x.x - - [01/Feb/2002:06:36:50 -0700] "-" 408 - "-" "-"
209.175.x.x - - [01/Feb/2002:06:38:21 -0700] "-" 408 - "-" "-"
209.175.x.x - - [01/Feb/2002:06:39:51 -0700] "-" 408 - "-" "-"
209.175.x.x - - [01/Feb/2002:06:41:21 -0700] "-" 408 - "-" "-"
209.175.x.x - - [01/Feb/2002:06:42:51 -0700] "-" 408 - "-" "-"
209.175.x.x - - [01/Feb/2002:06:44:21 -0700] "-" 408 - "-" "-"
209.175.x.x - - [01/Feb/2002:06:45:52 -0700] "-" 408 - "-" "-"
209.175.x.x - - [01/Feb/2002:06:47:21 -0700] "-" 408 - "-" "-"
209.175.x.x - - [01/Feb/2002:06:48:51 -0700] "-" 408 - "-" "-"
209.175.x.x - - [01/Feb/2002:06:50:21 -0700] "-" 408 - "-" "-"
209.175.x.x - - [01/Feb/2002:06:51:51 -0700] "-" 408 - "-" "-"
209.175.x.x - - [01/Feb/2002:06:53:22 -0700] "-" 408 - "-" "-"
209.175.x.x - - [01/Feb/2002:06:54:52 -0700] "-" 408 - "-" "-"
209.175.x.x - - [01/Feb/2002:06:56:22 -0700] "-" 408 - "-" "-"
209.175.x.x - - [01/Feb/2002:06:57:52 -0700] "-" 408 - "-" "-"
209.175.x.x - - [01/Feb/2002:06:59:22 -0700] "-" 408 - "-" "-"

209.175.x.x - - [03/Feb/2002:12:04:59 -0700] "-" 408 - "-" "-"
209.175.x.x - - [03/Feb/2002:12:06:29 -0700] "-" 408 - "-" "-"
209.175.x.x - - [03/Feb/2002:12:07:59 -0700] "-" 408 - "-" "-"
209.175.x.x - - [03/Feb/2002:12:09:30 -0700] "-" 408 - "-" "-"
209.175.x.x - - [03/Feb/2002:12:11:00 -0700] "-" 408 - "-" "-"
209.175.x.x - - [03/Feb/2002:12:12:30 -0700] "-" 408 - "-" "-"
209.175.x.x - - [03/Feb/2002:12:14:00 -0700] "-" 408 - "-" "-"
209.175.x.x - - [03/Feb/2002:12:15:31 -0700] "-" 408 - "-" "-"
209.175.x.x - - [03/Feb/2002:12:17:00 -0700] "-" 408 - "-" "-"
209.175.x.x - - [03/Feb/2002:12:18:30 -0700] "-" 408 - "-" "-"
209.175.x.x - - [03/Feb/2002:12:20:00 -0700] "-" 408 - "-" "-"
209.175.x.x - - [03/Feb/2002:12:21:31 -0700] "-" 408 - "-" "-"
209.175.x.x - - [03/Feb/2002:12:23:01 -0700] "-" 408 - "-" "-"
209.175.x.x - - [03/Feb/2002:12:24:31 -0700] "-" 408 - "-" "-"
209.175.x.x - - [03/Feb/2002:12:26:01 -0700] "-" 408 - "-" "-"
209.175.x.x - - [03/Feb/2002:12:27:30 -0700] "-" 408 - "-" "-"


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
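
The entries quoted above carry no request line and arrive roughly every 90 seconds in runs of 16. As an added example (not part of either post), this Python code finds such fixed-interval runs of request-less 408s per client in an Apache access log; the thresholds `min_hits`, `max_jitter` and `max_gap` and the 192.0.2.x lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')  # host, time, request, status

def empty_408s(lines):
    """Map client -> sorted timestamps of 408s logged with no request line ("-")."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m and m.group(4) == "408" and m.group(3) == "-":
            hits[m.group(1)].append(datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"))
    return {host: sorted(ts) for host, ts in hits.items()}

def bursts(times, max_gap=600):
    """Split one client's timestamps into runs separated by more than max_gap seconds."""
    runs, run = [], [times[0]]
    for prev, cur in zip(times, times[1:]):
        if (cur - prev).total_seconds() > max_gap:
            runs.append(run)
            run = []
        run.append(cur)
    runs.append(run)
    return runs

def periodic_bursts(lines, min_hits=4, max_jitter=5.0):
    """Return (client, start, hits, mean_gap_s, jitter_s) for near-fixed-interval runs."""
    found = []
    for host, times in empty_408s(lines).items():
        for run in bursts(times):
            gaps = [(b - a).total_seconds() for a, b in zip(run, run[1:])]
            if len(run) >= min_hits and pstdev(gaps) <= max_jitter:
                found.append((host, run[0], len(run), round(mean(gaps), 1), round(pstdev(gaps), 1)))
    return found

# First five entries of the 31/Jan run from the post; the 192.0.2.x lines are constructed.
SAMPLE = """\
209.175.x.x - - [31/Jan/2002:11:26:29 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:28:02 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:29:32 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:31:03 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:32:33 -0700] "-" 408 - "-" "-"
192.0.2.10 - - [31/Jan/2002:11:27:00 -0700] "GET / HTTP/1.0" 200 120 "-" "-"
192.0.2.77 - - [31/Jan/2002:11:30:00 -0700] "-" 408 - "-" "-"
192.0.2.77 - - [31/Jan/2002:11:30:07 -0700] "-" 408 - "-" "-"
192.0.2.77 - - [31/Jan/2002:11:33:40 -0700] "-" 408 - "-" "-"
192.0.2.77 - - [31/Jan/2002:11:34:55 -0700] "-" 408 - "-" "-"
""".splitlines()
print(periodic_bursts(SAMPLE))
```

A low jitter value only shows that the connections are timer-driven; it does not identify what is opening them.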





