HTTP 408 errors

["Thomas Frerichs" <tfrerich () shiboleth net>]

I'm getting some unusual Apache 1.3.22 log entries in my access_log. I've
included a semi-sanitized version below. The actual IP differs by a few in
the last quad.

I know the 408 error code is Request Time Out, but...

The server, running Solaris 8_x86, is not loaded at all. Tomcat 4.0.1 is
installed, but again not used. There's basically a blank page at the address
as content hasn't been uploaded yet. The log entries do not coincide with
any other access, including CodeRedII or Nimda.

All I've found so far concerning a 408 error is that Nimda through resource
exhaustion can possibly cause it. There have some vague references to the
sadmind worm, too.

Any ideas?


Tom Frerichs
tfrerich () shiboleth net

209.175.x.x - - [31/Jan/2002:11:26:29 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:28:02 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:29:32 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:31:03 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:32:33 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:34:04 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:35:33 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:37:02 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:38:33 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:40:03 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:41:33 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:43:03 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:44:34 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:46:04 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:47:33 -0700] "-" 408 - "-" "-"
209.175.x.x - - [31/Jan/2002:11:49:03 -0700] "-" 408 - "-" "-"

209.175.x.x - - [01/Feb/2002:06:36:50 -0700] "-" 408 - "-" "-"
209.175.x.x - - [01/Feb/2002:06:38:21 -0700] "-" 408 - "-" "-"
209.175.x.x - - [01/Feb/2002:06:39:51 -0700] "-" 408 - "-" "-"
209.175.x.x - - [01/Feb/2002:06:41:21 -0700] "-" 408 - "-" "-"
209.175.x.x - - [01/Feb/2002:06:42:51 -0700] "-" 408 - "-" "-"
209.175.x.x - - [01/Feb/2002:06:44:21 -0700] "-" 408 - "-" "-"
209.175.x.x - - [01/Feb/2002:06:45:52 -0700] "-" 408 - "-" "-"
209.175.x.x - - [01/Feb/2002:06:47:21 -0700] "-" 408 - "-" "-"
209.175.x.x - - [01/Feb/2002:06:48:51 -0700] "-" 408 - "-" "-"
209.175.x.x - - [01/Feb/2002:06:50:21 -0700] "-" 408 - "-" "-"
209.175.x.x - - [01/Feb/2002:06:51:51 -0700] "-" 408 - "-" "-"
209.175.x.x - - [01/Feb/2002:06:53:22 -0700] "-" 408 - "-" "-"
209.175.x.x - - [01/Feb/2002:06:54:52 -0700] "-" 408 - "-" "-"
209.175.x.x - - [01/Feb/2002:06:56:22 -0700] "-" 408 - "-" "-"
209.175.x.x - - [01/Feb/2002:06:57:52 -0700] "-" 408 - "-" "-"
209.175.x.x - - [01/Feb/2002:06:59:22 -0700] "-" 408 - "-" "-"

209.175.x.x - - [03/Feb/2002:12:04:59 -0700] "-" 408 - "-" "-"
209.175.x.x - - [03/Feb/2002:12:06:29 -0700] "-" 408 - "-" "-"
209.175.x.x - - [03/Feb/2002:12:07:59 -0700] "-" 408 - "-" "-"
209.175.x.x - - [03/Feb/2002:12:09:30 -0700] "-" 408 - "-" "-"
209.175.x.x - - [03/Feb/2002:12:11:00 -0700] "-" 408 - "-" "-"
209.175.x.x - - [03/Feb/2002:12:12:30 -0700] "-" 408 - "-" "-"
209.175.x.x - - [03/Feb/2002:12:14:00 -0700] "-" 408 - "-" "-"
209.175.x.x - - [03/Feb/2002:12:15:31 -0700] "-" 408 - "-" "-"
209.175.x.x - - [03/Feb/2002:12:17:00 -0700] "-" 408 - "-" "-"
209.175.x.x - - [03/Feb/2002:12:18:30 -0700] "-" 408 - "-" "-"
209.175.x.x - - [03/Feb/2002:12:20:00 -0700] "-" 408 - "-" "-"
209.175.x.x - - [03/Feb/2002:12:21:31 -0700] "-" 408 - "-" "-"
209.175.x.x - - [03/Feb/2002:12:23:01 -0700] "-" 408 - "-" "-"
209.175.x.x - - [03/Feb/2002:12:24:31 -0700] "-" 408 - "-" "-"
209.175.x.x - - [03/Feb/2002:12:26:01 -0700] "-" 408 - "-" "-"
209.175.x.x - - [03/Feb/2002:12:27:30 -0700] "-" 408 - "-" "-"


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com