Re: HTTP attack looking for /sumthin ?

From: cory (loonat_private)
Date: Thu Oct 17 2002 - 10:56:14 PDT


    I have seen this on our servers, starting Oct 12 with 213.165.144.xxx 
    (only one IP) and then again on the 15th from 194.236.60.xxx (also one 
    IP).
    
    Each time they hit they sent 5 to 6 attempts within one second, all 
    looking in the same place.
    
    213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"
    213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"
    213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"
    213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"
    213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"
    (6 times in all.)
    
    All logs look identical to your post.
    What do we have here?
    
    cheers,
    cory
    
    
    
    
    jmaywood1975at_private wrote:
    
    >Does anyone have any ideas what attack this might be?
    >
    >Below shows 4 separate potential attacks by 3 different hosts; this is all the activity in my logs for those three hosts, nothing more anywhere related to those three IP addresses.
    >
    >It starts with a request for the directory /sumthin
    >maybe tries a header exploit by sending a VERSION method?
    >and connects ssl.
    >
    > 
    >
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
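The pattern both posters describe is a short burst of identical 404s for /sumthin from a single source within one second. The script below is an added example (not part of the thread or any poster's own tooling) that parses Apache combined-format lines like the ones quoted above and flags hosts that hit a given path at least N times inside a sliding one-second window. The sample log lines are constructed here to mirror the quoted ones, including the masked `xxx` octets; the function names and thresholds are the example's own choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/NCSA combined log format, as quoted in this thread.
# The host field is \S+ so masked addresses such as 213.165.144.xxx still parse.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log: six /sumthin hits in one second from one host (as in
# cory's post), one lone hit from a second host, one normal request, one junk line.
SAMPLE_LOG = [
    '213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"',
] * 6 + [
    '194.236.60.xxx - - [15/Oct/2002:11:02:33 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"',
    '10.0.0.7 - - [12/Oct/2002:05:41:10 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    'this line is not a log entry',
]


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # e.g. "12/Oct/2002:05:40:01 -0500"; whole-second resolution is enough here
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_bursts(lines, path="/sumthin", min_hits=5, window_seconds=1):
    """Group requests for `path` by source host and report each host that sent
    at least `min_hits` of them within `window_seconds`.
    Returns a list of (host, window_start_time, hits_in_window)."""
    by_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != path:
            continue
        by_host[rec["host"]].append(rec["time"])

    bursts = []
    for host, times in sorted(by_host.items()):
        times.sort()
        start = 0
        best_start, best_count = None, 0
        # Sliding window over the sorted timestamps for this host.
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count > best_count:
                best_start, best_count = times[start], count
        if best_count >= min_hits:
            bursts.append((host, best_start, best_count))
    return bursts


def sumthin_bursts():
    """Convenience wrapper: run the detector over the constructed sample log."""
    return find_bursts(SAMPLE_LOG)


if __name__ == "__main__":
    for host, when, hits in sumthin_bursts():
        print(f"{host}: {hits} requests for /sumthin starting {when.isoformat()}")
```

Run against a real access log by feeding `open("access_log")` to `find_bursts`; lowering `min_hits` to 1 lists every host that asked for the path at all, which is the quicker way to answer "did anyone else probe us for this".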
    



    This archive was generated by hypermail 2b30 : Thu Oct 17 2002 - 12:18:30 PDT