I've got a couple of dozen this month -- not sure what the source
is, but they definitely seem to be coming from just a few hosts.
Also, many of mine have no URI in the request, they just seem to
connect and not make any request.
Smells like some time of worm...
On Thu, 20 Sep 2001, Nick Tonkin wrote:
>
> Hi all, sorry to bother, but has anyone else noticed a bunch of 408
> (client timed out) requests beginning last evening?
>
> Some but not all of these have also been trying the Nimda exploit. Perhaps
> Nimda (or another Micro$oft product) is screwing up the clients?
>
> nick@world /usr/local/apachessl/bin>perl -e
> 'open(L,"/home/nick/logs/httpd_log"); while(<L>){
> chomp;my $r=m/408/?"4":m/cmd|root|c\+di/?"w":"";
> if($r){$_=~s/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*/$1/;$c{$r}{$_}++;}}
> foreach(sort{ $c{4}{$a}<=>$c{4}{$b} } keys %{ $c{4} }){
> print"$_\t\t[$c{4}{$_}]\t[$c{w}{$_}]\n";}'
> 207.249.143.170 [1] []
> 207.160.174.25 [1] []
> 62.149.161.207 [1] []
> 62.116.29.17 [1] []
> 207.113.14.149 [1] []
> 209.129.49.65 [1] []
> 207.168.157.118 [1] []
> 207.202.38.140 [1] []
> 61.134.13.47 [1] []
> 207.113.21.89 [1] []
> 24.67.119.127 [1] []
> 209.89.119.5 [1] []
> 199.201.128.19 [1] [2]
> 207.113.25.50 [1] []
> 207.42.186.90 [1] []
> 207.113.25.249 [2] []
> 207.40.42.66 [3] []
> 207.153.76.249 [4] []
> 207.241.153.3 [5] []
> 207.12.40.51 [6] [16]
> 207.183.55.149 [6] []
> 207.217.138.18 [6] []
> 207.215.53.116 [7] []
> 207.152.93.12 [8] []
> 207.152.93.17 [8] []
> 207.77.187.76 [8] []
> 207.71.8.190 [8] [384]
> 207.32.123.115 [9] []
> 207.252.220.55 [12] []
> 207.228.113.164 [12] []
> 207.242.45.234 [12] []
> 207.71.105.133 [13] [112]
> 207.30.192.101 [14] []
> 207.248.190.158 [15] []
> 207.105.76.201 [15] []
> 207.215.126.141 [15] []
> 207.232.253.221 [16] []
> 207.245.74.7 [16] []
> 206.221.254.59 [16] []
> 207.97.117.43 [16] []
> 207.208.128.185 [16] []
> 207.203.42.126 [16] []
> 207.190.221.23 [16] []
> 207.227.70.194 [16] []
> 207.127.178.25 [16] []
> 207.178.85.42 [16] []
> 207.153.199.78 [16] []
> 207.153.229.122 [16] []
> 207.236.169.100 [16] []
> 207.88.22.128 [16] []
> 207.252.1.68 [16] []
> 207.170.35.143 [16] []
> 207.212.64.137 [16] []
> 207.76.239.206 [16] []
> 207.196.218.5 [16] []
> 207.137.76.119 [17] []
> 207.71.228.1 [91] [274]
>
>
>
> ~~~~~~~~~~~
> Nick Tonkin
>
--
Steve Reppucci [EMAIL PROTECTED] |
Logical Choice Software http://logsoft.com/ |
=-=-=-=-=-=-=-=-=-=- My God! What have I done? -=-=-=-=-=-=-=-=-=-=
