RE: HTTP attack looking for /sumthin ?

From: Esler, Joel (EslerJ@RCERT-S.ARMY.MIL)
Date: Thu Oct 17 2002 - 12:30:46 PDT

    Looks like an automated scan, looking for active web servers.  Are the IPs
    sequential?  How about on source?  Are they sequentialized ports?
    
    
    
    -----Original Message-----
    From: cory [mailto:loonat_private]
    Sent: Thursday, October 17, 2002 1:56 PM
    To: jmaywood1975at_private; incidentsat_private
    Subject: Re: HTTP attack looking for /sumthin ?
    
    
    I have seen this on our servers, starting Oct 12 with 213.165.144.xxx 
    (only one ip) and then again on the 15th from 194.236.60.xxx (also one 
    ip).
    
    Each time they hit they sent 5 to 6 attempts within one second, all 
    looking in the same place.
    
    213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"
    213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"
    213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"
    213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"
    213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"
    (6 times in all.)
    
    All logs look identical to your post.
    What do we have here ?
    
    cheers,
    cory
    
    
    
    
    jmaywood1975at_private wrote:
    
    >Does anyone have any ideas what attack this might be?
    >
    >Below shows 4 separate potential attacks by 3 different hosts, this is all
    >the activity in my logs for those three hosts, nothing more anywhere related
    >to those three IP addresses.
    >
    >It starts with a request for the directory /sumthin
    >maybe tries a header exploit by sending a VERSION method?
    >and connects ssl.
    >
    > 
    >
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com



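A small detector for the pattern cory describes, added here as an example and not code from the thread: it parses combined-format log lines and flags a client that sends several 404'd GET /sumthin requests with an empty referer and User-Agent within the same second. The sample lines are constructed from the masked entries quoted above, plus one ordinary request that should not be flagged.

```python
import re
from collections import defaultdict

# Apache "combined" log format, matching the lines quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_probe_bursts(lines, path="/sumthin", min_hits=5):
    """Group requests by (client IP, timestamp to the second) and report bursts
    of at least min_hits requests for `path` that all returned 404 with no
    referer and no User-Agent: the 5-6 hits in one second cory reports."""
    buckets = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a combined-format line; skip rather than crash
        if (rec["path"] == path and rec["status"] == "404"
                and rec["referer"] == "-" and rec["ua"] == "-"):
            buckets[(rec["ip"], rec["ts"])] += 1
    return [{"ip": ip, "ts": ts, "hits": n}
            for (ip, ts), n in sorted(buckets.items()) if n >= min_hits]

# Constructed sample: the quoted entries (IPs masked as in the post) plus one normal hit.
SAMPLE_LOG = [
    '213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"',
] * 6 + [
    '194.236.60.xxx - - [15/Oct/2002:11:02:17 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"',
    '10.0.0.5 - - [15/Oct/2002:11:02:17 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for hit in find_probe_bursts(SAMPLE_LOG):
        print(f"{hit['ip']} sent {hit['hits']} GET /sumthin probes at {hit['ts']}")
```

Lowering min_hits to 1 lists every source that sent the probe at all, which is the quick way to pull the full set of scanning hosts out of a day's log.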
    This archive was generated by hypermail 2b30 : Thu Oct 17 2002 - 15:28:32 PDT