Greetings,

anyone know what these are?

208.198.164.131 - - [28/Jun/2002:15:37:41 -0700] "-" 408 -
208.198.164.131 - - [28/Jun/2002:15:39:12 -0700] "-" 408 -
208.198.164.131 - - [28/Jun/2002:15:40:42 -0700] "-" 408 -
208.198.164.131 - - [28/Jun/2002:17:07:43 -0700] "-" 408 -
208.198.164.131 - - [28/Jun/2002:17:09:13 -0700] "-" 408 -
208.198.164.131 - - [28/Jun/2002:17:10:43 -0700] "-" 408 -
208.198.164.131 - - [28/Jun/2002:17:12:14 -0700] "-" 408 -
208.198.164.131 - - [28/Jun/2002:17:13:44 -0700] "-" 408 -
208.198.164.131 - - [28/Jun/2002:17:15:14 -0700] "-" 408 -
208.198.164.131 - - [28/Jun/2002:17:16:44 -0700] "-" 408 -
208.198.164.131 - - [28/Jun/2002:17:18:17 -0700] "-" 408 -
208.198.164.131 - - [28/Jun/2002:17:19:46 -0700] "-" 408 -
208.198.164.131 - - [28/Jun/2002:17:21:16 -0700] "-" 408 -

I know what 408 means...

408 The Request timed out. For some reason the Server took too much time processing your Request. Net congestion is the most likely reason.

Show me how to make the above entries in the access logs. I don't need to be educated about Status Codes, I need to know what kind of attack this is. (I know others that have it in their logs also)

Trying 192.168.10.2...
Connected to silver.
Escape character is '^]'.
-

and this gave me a log with this:

192.168.0.2 - - [01/Jul/2002:16:13:30 -0700] "-" 200 2447

which is similar, but not quite the same. So that makes me think it's not a browser doing it, 'cause a browser puts a

"GET /- HTTP/1.2" 404 7240

in the log. Try http://localhost/- and see what I mean.

I start thinkin...hmm It COULD be that since that bastard has his ping turned off that it takes so long to get a response that apache times out.

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
telnet silver 80
Trying 192.168.10.2...
Connected to silver.
Escape character is '^]'.
-

same result:

192.168.0.2 - - [01/Jul/2002:16:37:05 -0700] "-" 200 2447

so it ain't that.
(Be sure and do echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all )

I tried netcat

echo - | netcat -i 60 192.168.10.2 80

and it looks just like those telnet results.

I tried compiling apache-worm.c
http://dammit.lt/apache-worm/apache-worm.c
I don't get nothing in my logs at all from apache-worm and besides its writes are totally different than what I am talking about anyway.

Please, what kind of attack is this?

regards
phil
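
Added example, not part of phil's post: Python that pulls the request-less 408 entries out of a Common Log Format access log, groups them per client, and measures the spacing between them, using a subset of the log lines quoted above as input. The function names and the 300-second burst threshold are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')

# Subset of the entries quoted in the post, plus the poster's own telnet test line.
SAMPLE = """\
208.198.164.131 - - [28/Jun/2002:15:37:41 -0700] "-" 408 -
208.198.164.131 - - [28/Jun/2002:15:39:12 -0700] "-" 408 -
208.198.164.131 - - [28/Jun/2002:15:40:42 -0700] "-" 408 -
208.198.164.131 - - [28/Jun/2002:17:07:43 -0700] "-" 408 -
208.198.164.131 - - [28/Jun/2002:17:09:13 -0700] "-" 408 -
208.198.164.131 - - [28/Jun/2002:17:10:43 -0700] "-" 408 -
208.198.164.131 - - [28/Jun/2002:17:12:14 -0700] "-" 408 -
192.168.0.2 - - [01/Jul/2002:16:13:30 -0700] "-" 200 2447
"""

def empty_408s(lines):
    """Group timestamps of entries with no request line ("-") and status 408 by client."""
    hits = defaultdict(list)
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # not a CLF entry
        host, ts, request, status, _size = m.groups()
        if request == "-" and status == "408":
            hits[host].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    return hits

def summarize(hits, burst_gap=300):
    """Per client: hit count, burst count, median gap in seconds inside bursts.
    burst_gap is an assumed threshold: a longer pause starts a new burst."""
    report = {}
    for host, times in hits.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        inside = [g for g in gaps if g <= burst_gap]
        report[host] = {
            "count": len(times),
            "bursts": 1 + sum(g > burst_gap for g in gaps),
            "median_gap_s": median(inside) if inside else None,
        }
    return report

if __name__ == "__main__":
    for host, row in summarize(empty_408s(SAMPLE.splitlines())).items():
        print(host, row)
```
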