Re: HTTP attack looking for /sumthin ?

From: H C (keydet89at_private)
Date: Thu Oct 17 2002 - 13:15:55 PDT

    What makes you think it's an attack?
    
    
    --- jmaywood1975at_private wrote:
    > 
    > Does anyone have any ideas what attack this might
    > be?
    > 
    > Below shows 4 separate potential attacks by 3
    > different hosts, this is all the activity in my logs
    > for those three hosts, nothing more anywhere related
    > to those three IP addresses.
    > 
    > It starts with a request for the directory /sumthin
    > maybe tries a header exploit by sending a VERSION
    > method?
    > and connects ssl.
    > 
    > My googling and mailing list searches don't turn
    > anything up about what this might be.
    > 
    > Anyone else see these hits for the /sumthin
    > directory or know what they might be?
    > 
    > Sorry for the long lines of log and wrap.
    > 
    > Cheers,
    > 
    > -----------------------------------------------
    > [philbo:/var/log/httpd] root# grep 205.221.242.1 *
    > access_combined_log:205.221.242.1 - -
    > [16/Oct/2002:16:14:23 -0400] "GET /sumthin HTTP/1.0"
    > 404 201 "-" "-"
    > 
    > access_log:205.221.242.1 - - [16/Oct/2002:16:14:23
    > -0400] "GET /sumthin HTTP/1.0" 404 201
    > 
    > error_log:[Wed Oct 16 16:14:23 2002] [error] [client
    > 205.221.242.1] File does not exist:
    > /home/webserver/Documents/sumthin
    > 
    > ssl_engine_log:[16/Oct/2002 16:14:23 26577] [info] 
    > Connection to child 4 established (server
    > philbo.stonecruz.com:443, client 205.221.242.1)
    > 
    > -------------------------------------------------
    > [philbo:/var/log/httpd] root# grep 62.233.149.2 *
    > access_combined_log:62.233.149.2 - -
    > [10/Oct/2002:14:30:55 -0400] "GET /sumthin HTTP/1.0"
    > 404 201 "-" "-"
    > 
    > access_log:62.233.149.2 - - [10/Oct/2002:14:30:55
    > -0400] "GET /sumthin HTTP/1.0" 404 201
    > 
    > error_log:[Thu Oct 10 14:30:55 2002] [error] [client
    > 62.233.149.2] File does not exist:
    > /home/webserver/Documents/sumthin
    > 
    > ssl_engine_log:[10/Oct/2002 14:30:54 26572] [info] 
    > Connection to child 0 established (server
    > philbo.stonecruz.com:443, client 62.233.149.2)
    > 
    > ---------------------------------------------------
    > [philbo:/var/log/httpd] root# grep 205.150.215.204 *
    > access_combined_log:205.150.215.204 - -
    > [10/Oct/2002:05:21:17 -0400] "GET /sumthin HTTP/1.0"
    > 404 201 "-" "-"
    > 
    > access_log:205.150.215.204 - - [01/Oct/2002:12:00:39
    > -0400] "VERSION" 501 -
    > 
    > access_log:205.150.215.204 - - [10/Oct/2002:05:21:17
    > -0400] "GET /sumthin HTTP/1.0" 404 201
    > 
    > error_log:[Tue Oct  1 12:00:39 2002] [error] [client
    > 205.150.215.204] Invalid method in request VERSION
    > 
    > error_log:[Thu Oct 10 05:21:17 2002] [error] [client
    > 205.150.215.204] File does not exist:
    > /home/webserver/Documents/sumthin
    > 
    > ssl_engine_log:[01/Oct/2002 12:00:38 15149] [info] 
    > Connection to child 3 established (server
    > philbo.stonecruz.com:443, client 205.150.215.204)
    > 
    > ssl_engine_log:[10/Oct/2002 05:21:17 26575] [info] 
    > Connection to child 2 established (server
    > philbo.stonecruz.com:443, client 205.150.215.204)
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS
    > analyzer service.
    > For more information on this free incident handling,
    > management 
    > and tracking system please see:
    > http://aris.securityfocus.com
    > 
    
    
    



    This archive was generated by hypermail 2b30 : Thu Oct 17 2002 - 16:06:38 PDT
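
An added example, not part of either message: a triage pass over the access_log entries quoted above, grouping requests by client so each host's activity and time span can be read at a glance. The log lines are copied from the post with the mail wrapping undone; the function names and the list of known methods are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# access_log entries from the post above, with the mail client's line wrapping undone.
ACCESS_LOG = """\
205.221.242.1 - - [16/Oct/2002:16:14:23 -0400] "GET /sumthin HTTP/1.0" 404 201
62.233.149.2 - - [10/Oct/2002:14:30:55 -0400] "GET /sumthin HTTP/1.0" 404 201
205.150.215.204 - - [01/Oct/2002:12:00:39 -0400] "VERSION" 501 -
205.150.215.204 - - [10/Oct/2002:05:21:17 -0400] "GET /sumthin HTTP/1.0" 404 201
"""

# Common Log Format; the request field is kept raw because "VERSION" has no path or protocol.
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}

def parse(line):
    """Return one log entry as a dict, or None if the line is not CLF."""
    m = CLF.match(line.strip())
    if not m:
        return None
    client, ts, request, status, _size = m.groups()
    parts = request.split()
    return {
        "client": client,
        "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "method": parts[0] if parts else "",
        "path": parts[1] if len(parts) > 1 else None,
        "status": int(status),
    }

def summarize(log_text):
    """Group requests by client and note what each one did."""
    hosts = defaultdict(lambda: {"requests": 0, "notes": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        h = hosts[rec["client"]]
        h["requests"] += 1
        h["first"] = min(h["first"] or rec["time"], rec["time"])
        h["last"] = max(h["last"] or rec["time"], rec["time"])
        if rec["method"] not in KNOWN_METHODS:
            h["notes"].add(f"unknown method {rec['method']!r} ({rec['status']})")
        elif rec["status"] == 404:
            h["notes"].add(f"404 for {rec['path']}")
    return dict(hosts)

if __name__ == "__main__":
    for client, h in summarize(ACCESS_LOG).items():
        span = (h["last"] - h["first"]).days
        print(f"{client}: {h['requests']} request(s) over {span} day(s); {sorted(h['notes'])}")
```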