[Dshield] HTTP Code 408s

M. Poole urgen at triyana.mine.nu
Mon Aug 13 00:30:26 GMT 2001


I have a few, too.  But not recent like yours.  And not repeating IP either.
Could they be a side effect of all those ARP floods causing denial of
service?

65.113.167.152 - - [06/Aug/2001:12:34:32 -0700] "-" 408 -
65.30.36.59 - - [06/Aug/2001:22:42:35 -0700] "-" 408 -
209.54.123.10 - - [07/Aug/2001:16:13:09 -0700] "-" 408 -

    Mark

----- Original Message -----
From: "ALEPH0" <aleph0 at pacbell.net>
To: "Dshield List" <dshield at dshield.org>
Sent: Sunday, August 12, 2001 12:32 PM
Subject: [Dshield] HTTP Code 408s


> Anyone offhand know what is behind these http code 408s (timeouts)?  This
> address is hitting my servers regularly (for days), some hourly, and this
is
> what I see in my apachelogs typically.  He is within the class B mask on
> PACBELL's network.  In fact, I identified him from NIC registration, his
> netbios table and smtp response.  SBC's abuse is at best slow to respond
to
> my complaint.  He is running IIS and was infected, according to the number
> of telltale default.ida entries preceeding these.
>
> 63.206.6.187 - - [12/Aug/2001:00:43:28 -0700] "-" 408 -
> 63.206.6.187 - - [12/Aug/2001:00:53:48 -0700] "-" 408 -
> 63.206.6.187 - - [12/Aug/2001:00:59:15 -0700] "-" 408 -
> 63.206.6.187 - - [12/Aug/2001:02:55:58 -0700] "-" 408 -
> 63.206.6.187 - - [12/Aug/2001:07:06:41 -0700] "-" 408 -
>
> I figure someone is exploiting the system and has a (faulty?) program to
> open port 80 connections and not close them.   I tested this with a perl
> socket script quickly and get that result in my log.
>
> Does this look like a poor programming attempt, an annoyance, or a known
> exploit attempt?  Anyone have ideas?  To me, it is nothing but log filler.
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
http://www1.dshield.org/mailman/listinfo/dshield
>





More information about the list mailing list