Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

Re: HTTP 408 errors
From: James Golovich <james () wwnet net>
Date: Mon, 4 Feb 2002 12:03:19 -0500 (EST)
I would suspect that these are all nimda/code red but are getting blocked
at your border by NBAR on your cisco.  The router drops the packets that
have the nimda signature, but there isn't any way for the router to know
to drop the syn-ack

James



On Sun, 3 Feb 2002, Thomas Frerichs wrote:


I'm getting some unusual Apache 1.3.22 log entries in my access_log. I've
included a semi-sanitized version below. The actual IP differs by a few in
the last quad.

I know the 408 error code is Request Time Out, but...

The server, running Solaris 8_x86, is not loaded at all. Tomcat 4.0.1 is
installed, but again not used. There's basically a blank page at the address
as content hasn't been uploaded yet. The log entries do not coincide with
any other access, including CodeRedII or Nimda.

All I've found so far concerning a 408 error is that Nimda through resource
exhaustion can possibly cause it. There have some vague references to the
sadmind worm, too.

Any ideas?





----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]