[Dshield] HTTP Code 408s

ALEPH0 aleph0 at pacbell.net
Sun Aug 12 19:32:37 GMT 2001


Anyone offhand know what is behind these http code 408s (timeouts)?  This
address is hitting my servers regularly (for days), some hourly, and this is
what I see in my Apache logs typically.  He is within the class B mask on
PACBELL's network.  In fact, I identified him from NIC registration, his
netbios table and smtp response.  SBC's abuse is at best slow to respond to
my complaint.  He is running IIS and was infected, according to the number
of telltale default.ida entries preceding these.

63.206.6.187 - - [12/Aug/2001:00:43:28 -0700] "-" 408 -
63.206.6.187 - - [12/Aug/2001:00:53:48 -0700] "-" 408 -
63.206.6.187 - - [12/Aug/2001:00:59:15 -0700] "-" 408 -
63.206.6.187 - - [12/Aug/2001:02:55:58 -0700] "-" 408 -
63.206.6.187 - - [12/Aug/2001:07:06:41 -0700] "-" 408 -

I figure someone is exploiting the system and has a (faulty?) program to
open port 80 connections and not close them.   I tested this with a perl
socket script quickly and get that result in my log.

Does this look like a poor programming attempt, an annoyance, or a known
exploit attempt?  Anyone have ideas?  To me, it is nothing but log filler.
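
An added example, not part of the original post: a small Python triage script that pulls empty-request 408 entries out of an Apache common-format log, groups them by client, and flags clients that also requested default.ida earlier in the same log. The function name, the two non-408 sample lines, the default.ida query string, and the 192.0.2.10 and 198.51.100.7 addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')

# Sample input. The five 63.206.6.187 408 lines are the ones quoted in the
# post; every other line is constructed (placeholder default.ida query string).
SAMPLE_LOG = """\
63.206.6.187 - - [11/Aug/2001:23:10:02 -0700] "GET /default.ida?XXXX HTTP/1.0" 404 205
192.0.2.10 - - [12/Aug/2001:00:40:00 -0700] "GET /index.html HTTP/1.0" 200 1024
63.206.6.187 - - [12/Aug/2001:00:43:28 -0700] "-" 408 -
63.206.6.187 - - [12/Aug/2001:00:53:48 -0700] "-" 408 -
63.206.6.187 - - [12/Aug/2001:00:59:15 -0700] "-" 408 -
198.51.100.7 - - [12/Aug/2001:01:15:00 -0700] "-" 408 -
63.206.6.187 - - [12/Aug/2001:02:55:58 -0700] "-" 408 -
63.206.6.187 - - [12/Aug/2001:07:06:41 -0700] "-" 408 -
"""

def summarize_408(log_text):
    """Per client: number of 408s logged with an empty request ("-"),
    first/last time seen, and whether that client requested default.ida
    earlier in the log (the infection sign the post mentions)."""
    ida_seen = set()
    stats = defaultdict(lambda: {"count": 0, "first": None,
                                 "last": None, "ida_before": False})
    for line in log_text.splitlines():
        m = CLF.match(line.strip())
        if not m:
            continue  # skip lines that are not in common log format
        host, ts, request, status, _size = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if "default.ida" in request.lower():
            ida_seen.add(host)
        elif status == "408" and request == "-":
            s = stats[host]
            s["count"] += 1
            s["first"] = s["first"] or when
            s["last"] = when
            s["ida_before"] = s["ida_before"] or host in ida_seen
    return dict(stats)

if __name__ == "__main__":
    for host, s in summarize_408(SAMPLE_LOG).items():
        print(host, s["count"], s["first"], s["last"],
              "default.ida seen earlier" if s["ida_before"] else "no default.ida")
```
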



