Greetings,
Anyone know what these are?

208.198.164.131 - - [28/Jun/2002:15:37:41 -0700] "-" 408 -
208.198.164.131 - - [28/Jun/2002:15:39:12 -0700] "-" 408 -
208.198.164.131 - - [28/Jun/2002:15:40:42 -0700] "-" 408 -
208.198.164.131 - - [28/Jun/2002:17:07:43 -0700] "-" 408 -
208.198.164.131 - - [28/Jun/2002:17:09:13 -0700] "-" 408 -
208.198.164.131 - - [28/Jun/2002:17:10:43 -0700] "-" 408 -
208.198.164.131 - - [28/Jun/2002:17:12:14 -0700] "-" 408 -
208.198.164.131 - - [28/Jun/2002:17:13:44 -0700] "-" 408 -
208.198.164.131 - - [28/Jun/2002:17:15:14 -0700] "-" 408 -
208.198.164.131 - - [28/Jun/2002:17:16:44 -0700] "-" 408 -
208.198.164.131 - - [28/Jun/2002:17:18:17 -0700] "-" 408 -
208.198.164.131 - - [28/Jun/2002:17:19:46 -0700] "-" 408 -
208.198.164.131 - - [28/Jun/2002:17:21:16 -0700] "-" 408 -

I know what 408 means... 408 The Request timed out. For some reason the Server took too much time processing your Request. Net congestion is the most likely reason.
Show me how to make the above entries in the access logs. I don't need to be educated about Status Codes, I need to know what kind of attack this is. (I know others that have it in their logs also)
Trying 192.168.10.2...
Connected to silver.
Escape character is '^]'.
-

and this gave me a log with this:

192.168.0.2 - - [01/Jul/2002:16:13:30 -0700] "-" 200 2447

which is similar, but not quite the same. So that makes me think it's not a browser doing it, because a browser puts a "GET /- HTTP/1.2" 404 7240 in the log. Try http://localhost/- and see what I mean.
Are you filtering incoming http-requests somehow? Like for nimda requests or stuff? This could mean that you just see the syn/ack part of an attack. Or perhaps just a nimda infected host which has a memory leak ;-) and can't complete the requests.

As for how to produce a log entry like that:

1. bleutgen@baal:~ > telnet localhost 80
   Trying 127.0.0.1...
   Connected to localhost.
   Escape character is '^]'.
2. do nothing
3. repeat 2 until something happens
4. the shell will close after some time (apache's timeout, can be up to 5mins)
5. apache log:
   127.0.0.1 - - [02/Jul/2002:08:18:02 +0200] "-" 408 -

cheers,
oliver
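
One way to pull these `"-" 408` entries out of an access log and check whether a client produces them on a fixed interval, as the log at the top of the thread does (roughly every 90 seconds). This is an added example, not code from the thread; the sample lines and addresses are constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')

# Constructed sample in the same format as the entries in the thread.
SAMPLE = """\
203.0.113.7 - - [28/Jun/2002:17:07:43 -0700] "-" 408 -
203.0.113.7 - - [28/Jun/2002:17:09:13 -0700] "-" 408 -
203.0.113.7 - - [28/Jun/2002:17:10:43 -0700] "-" 408 -
203.0.113.7 - - [28/Jun/2002:17:12:14 -0700] "-" 408 -
198.51.100.9 - - [28/Jun/2002:17:12:20 -0700] "GET /index.html HTTP/1.0" 200 2447
198.51.100.9 - - [28/Jun/2002:17:12:25 -0700] "-" 408 -
not a log line
"""

def idle_timeouts(lines):
    """Map client IP -> sorted timestamps of '"-" 408' entries."""
    hits = defaultdict(list)
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # skip malformed or non-CLF lines
        host, ts, request, status, _ = m.groups()
        # Connection opened, no request line received before the timeout.
        if request == "-" and status == "408":
            hits[host].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    return {h: sorted(t) for h, t in hits.items()}

def summarize(lines, min_hits=3):
    """Per client with >= min_hits idle timeouts: count and median gap (s)."""
    report = {}
    for host, times in idle_timeouts(lines).items():
        if len(times) < min_hits:
            continue  # a single timeout is not a pattern
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[host] = {"count": len(times), "median_gap_s": median(gaps)}
    return report

if __name__ == "__main__":
    for host, info in summarize(SAMPLE.splitlines()).items():
        print(host, info)
```

A steady median gap from one address points to something opening connections on a schedule and sending nothing, which is the behaviour the telnet steps above reproduce by hand.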