access_log - what is 408???

Discussion in 'Security' started by craigedmonds, Feb 19, 2014.

  1. craigedmonds

    Some clients have mentioned their sites are running a little slow today, and upon investigation I can see that the /usr/local/apache/logs/access_log is going mental with these types of entries below... like thousands every minute from different IPs.

    My server load is fine. Idle is 98% most times. mod_qos is not picking anything up in error_log apart from the occasional mod_qos entry.

    Could this be another type of attack?

    Should I be blocking any IPs registering in the access_log with +20 attempts?

    Code:
    208.180.198.235 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -
    208.180.198.235 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -
    176.33.110.202 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -
    176.33.110.202 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -
    78.93.53.146 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -
    78.93.53.146 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -
    87.239.28.229 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -
    87.239.28.229 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -
    213.87.143.113 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -
    213.87.143.113 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -
    151.240.131.199 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -
    151.240.131.199 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -
    41.254.5.34 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -
    41.254.5.34 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -
    71.189.193.181 - - [19/Feb/2014:14:03:43 +0000] "-" 408 -
    71.189.193.181 - - [19/Feb/2014:14:03:43 +0000] "-" 408 -
    71.175.133.235 - - [19/Feb/2014:14:03:43 +0000] "-" 408 -
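
A per-IP tally of the request-less 408 entries shown in the post above, as an added example that is not part of the original thread. It assumes Common Log Format lines, uses constructed sample data with documentation-range addresses, and `summarize_408` is a hypothetical helper name. It also reports distinct sources and the peak entries per second, because a per-IP threshold flags nothing when many addresses each appear only a couple of times.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

def summarize_408(lines, threshold=20):
    """Summarize request-less 408 entries: totals, distinct sources,
    peak entries per second, and the IPs at or above `threshold` hits."""
    per_ip = Counter()
    per_second = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        # "-" as the request: the client connected but the server timed out
        # before any request line arrived
        if m["status"] == "408" and m["req"] == "-":
            per_ip[m["ip"]] += 1
            per_second[m["ts"]] += 1  # timestamp has one-second resolution
    return {
        "total": sum(per_ip.values()),
        "distinct_ips": len(per_ip),
        "peak_per_second": max(per_second.values(), default=0),
        "max_hits_single_ip": max(per_ip.values(), default=0),
        "over_threshold": sorted(ip for ip, n in per_ip.items() if n >= threshold),
    }

# Constructed sample (documentation-range addresses, not the thread's IPs)
SAMPLE = """\
192.0.2.10 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -
192.0.2.10 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -
198.51.100.7 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -
198.51.100.7 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -
203.0.113.5 - - [19/Feb/2014:14:03:43 +0000] "-" 408 -
203.0.113.9 - - [19/Feb/2014:14:03:43 +0000] "GET / HTTP/1.1" 200 512
""".splitlines()

if __name__ == "__main__":
    # With the threshold of 20 from the question, nothing is flagged here
    print(summarize_408(SAMPLE, threshold=20))
```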
     
  2. cPanelMichael

    Hello :)

    It's possible that it's an attack, but it's difficult to say for sure based solely on that log output. Have you tried blocking those IP addresses using your firewall to see if the slowness improves? Searching for "Apache 408 code" on Google yields several results that you might find useful.

    Thank you.
     
  3. cPanelPeter

    Hello,

    According to this Wikipedia link, 408 means Request Timeout:

    408 Request Timeout

    The server timed out waiting for the request.[2] According to W3 HTTP specifications: "The client did not produce a request within the time that the server was prepared to wait. The client MAY repeat the request without modifications at any later time."
     
  4. craigedmonds

    Hi,

    Yes, that's correct. But Timeout for what? cPanel is not helping me by telling me what it is.

    This entry below means absolutely nothing, and seeing the server is being hit at a rate of 30 IPs a second from seemingly random IPs, I am kind of stuck as to what to do.

    208.180.198.235 - - [19/Feb/2014:14:03:42 +0000] "-" 408 -

    For example, this IP, what is it trying to access? Port 443? Port 80? Which web site? Which IP?

    All that I have seen about this explains it vaguely at best.

    It's all kind of depressing.
     
  5. vanessa

    Craig -

    If it's in the Apache log, you know it's port 80 or 443. There might be an SSL log in the logs folder that narrows this down for you.

    Either way, this is an attack and it's pretty common. It happens to all of us. If it's just a few IPs you can consider just blocking them (assuming you have a firewall on your server). Mod_reqtimeout might help with this, but I've never specifically used this on a client's server for 408 errors, because they typically don't actually cause a problem.

    EasyApache: Custom Modules (
     
  6. craigedmonds

    I am seeing them in /var/log/httpd/audit_log

    Going to find the SSL log now.

    I am using ASL firewall from gotroot.com. I have just emailed them also to look into it.

    And yeah, I have 14 production cPanel servers and they get attacked all the time, mainly with WordPress attacks, but this server is the only one that this weird 408 issue is happening with. It's almost like the attackers have tried everything and this finally works!

    Due to the amount of 408 entries, it's the only thing I can think of causing a slowdown on the server and, like I said, load is low, idle is high, port 80 connections are nonexistent.

    - - - Updated - - -

    It just occurred to me to run #watch -n 1.0 "netstat -ano | grep -v unix | grep ESTABLISHED | grep \:443" to check the SSL connections and look at the screenshot!!!

    http://www.screencast.com/t/9au6GFc1

    Now I just need to figure out which site(s) they are trying to hit on the server.
     
