Does anyone have any ideas what attack this might be? Below are 4 separate potential attacks by 3 different hosts; this is all the activity in my logs for those three hosts, nothing more anywhere related to those three IP addresses. It starts with a request for the directory /sumthin, maybe tries a header exploit by sending a VERSION method? and connects ssl. My googling and mailing list searches don't turn anything up about what this might be. Anyone else see these hits for the /sumthin directory or know what they might be?

Sorry for the long lines of log and wrap.

Cheers,

-----------------------------------------------
[philbo:/var/log/httpd] root# grep 205.221.242.1 *
access_combined_log:205.221.242.1 - - [16/Oct/2002:16:14:23 -0400] "GET /sumthin HTTP/1.0" 404 201 "-" "-"
access_log:205.221.242.1 - - [16/Oct/2002:16:14:23 -0400] "GET /sumthin HTTP/1.0" 404 201
error_log:[Wed Oct 16 16:14:23 2002] [error] [client 205.221.242.1] File does not exist: /home/webserver/Documents/sumthin
ssl_engine_log:[16/Oct/2002 16:14:23 26577] [info] Connection to child 4 established (server philbo.stonecruz.com:443, client 205.221.242.1)
-------------------------------------------------
[philbo:/var/log/httpd] root# grep 62.233.149.2 *
access_combined_log:62.233.149.2 - - [10/Oct/2002:14:30:55 -0400] "GET /sumthin HTTP/1.0" 404 201 "-" "-"
access_log:62.233.149.2 - - [10/Oct/2002:14:30:55 -0400] "GET /sumthin HTTP/1.0" 404 201
error_log:[Thu Oct 10 14:30:55 2002] [error] [client 62.233.149.2] File does not exist: /home/webserver/Documents/sumthin
ssl_engine_log:[10/Oct/2002 14:30:54 26572] [info] Connection to child 0 established (server philbo.stonecruz.com:443, client 62.233.149.2)
---------------------------------------------------
[philbo:/var/log/httpd] root# grep 205.150.215.204 *
access_combined_log:205.150.215.204 - - [10/Oct/2002:05:21:17 -0400] "GET /sumthin HTTP/1.0" 404 201 "-" "-"
access_log:205.150.215.204 - - [01/Oct/2002:12:00:39 -0400] "VERSION" 501 -
access_log:205.150.215.204 - - [10/Oct/2002:05:21:17 -0400] "GET /sumthin HTTP/1.0" 404 201
error_log:[Tue Oct 1 12:00:39 2002] [error] [client 205.150.215.204] Invalid method in request VERSION
error_log:[Thu Oct 10 05:21:17 2002] [error] [client 205.150.215.204] File does not exist: /home/webserver/Documents/sumthin
ssl_engine_log:[01/Oct/2002 12:00:38 15149] [info] Connection to child 3 established (server philbo.stonecruz.com:443, client 205.150.215.204)
ssl_engine_log:[10/Oct/2002 05:21:17 26575] [info] Connection to child 2 established (server philbo.stonecruz.com:443, client 205.150.215.204)
This archive was generated by hypermail 2b30 : Thu Oct 17 2002 - 10:53:51 PDT
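
The per-host grep above, done in one pass: this added example (not part of the original post) parses the four Apache log formats shown, builds a time-ordered timeline per client, and flags clients that sent a request line with a non-standard method such as VERSION. The sample lines are constructed, with documentation-range addresses and a placeholder hostname; the regexes assume the log layouts seen in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in `grep <ip> *` output format (file:line); addresses are
# from the documentation range 192.0.2.0/24, not taken from the post.
SAMPLE = """\
access_log:192.0.2.10 - - [10/Oct/2002:05:21:17 -0400] "GET /sumthin HTTP/1.0" 404 201
access_log:192.0.2.10 - - [01/Oct/2002:12:00:39 -0400] "VERSION" 501 -
error_log:[Tue Oct 1 12:00:39 2002] [error] [client 192.0.2.10] Invalid method in request VERSION
ssl_engine_log:[01/Oct/2002 12:00:38 15149] [info] Connection to child 3 established (server www.example.com:443, client 192.0.2.10)
access_log:192.0.2.20 - - [16/Oct/2002:16:14:23 -0400] "GET /sumthin HTTP/1.0" 404 201
access_log:192.0.2.30 - - [16/Oct/2002:16:20:00 -0400] "GET /index.html HTTP/1.0" 200 512
"""

ACCESS = re.compile(r'^(\S+) \S+ \S+ \[([^ \]]+) [^\]]+\] "([^"]*)" (\d{3})')
ERROR = re.compile(r'^\[\w{3} (\w{3} +\d+ [\d:]+ \d{4})\] \[\w+\] \[client (\S+)\] (.*)')
SSL = re.compile(r'^\[(\S+ [\d:]+) \d+\] \[\w+\] Connection .*client (\S+)\)')
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}

def parse(line):
    """Return (client, server_local_time, source, detail, suspicious) or None."""
    source, _, rest = line.partition(":")
    if m := ACCESS.match(rest):
        ip, ts, req, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S")  # UTC offset dropped
        # Flag request lines whose first token is not a standard HTTP method.
        odd = req.split(" ")[0] not in KNOWN_METHODS
        return ip, when, source, f"{req} -> {status}", odd
    if m := ERROR.match(rest):
        when = datetime.strptime(" ".join(m[1].split()), "%b %d %H:%M:%S %Y")
        return m[2], when, source, m[3], "Invalid method" in m[3]
    if m := SSL.match(rest):
        return m[2], datetime.strptime(m[1], "%d/%b/%Y %H:%M:%S"), source, "TLS connect", False
    return None

def timelines(text):
    """Group parsed events per client, sorted by time."""
    out = defaultdict(list)
    for line in text.splitlines():
        if (ev := parse(line)):
            out[ev[0]].append(ev[1:])
    return {ip: sorted(evs) for ip, evs in out.items()}

def flagged_clients(text):
    """Clients with at least one event marked suspicious."""
    return sorted(ip for ip, evs in timelines(text).items() if any(e[3] for e in evs))
```

Sorting each client's events puts the TLS connection, the request and the matching error_log entry next to each other, which is the correlation the post does by hand.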