Re: /sumthin Revisited

From: Chris Barford (C.Barfordat_private)
Date: Mon Jan 06 2003 - 13:35:23 PST

    I can't confirm this but I would guess this would be a good way to get the http 
    headers of websites. Perhaps then following this a potential hacker could see 
    you were for example running IIS 5.0 and in subsequent scans check for the 
    unicode exploits. Or a more likely cause would be to get a list of apache 
    servers to try to use the openssl-too-open exploits against.
    
    Perhaps the actual scanner is wanting a 404 page to compare against its 
    database so that if the http reply headers have been altered it can get more 
    information anyway. Although that is pure speculation on my part.
    
    
    Quoting Noam Eppel <noamat_private>:
    
    > 
    > Okay, I will go on record saying the /sumthin mystery is concerning me ;-)
    > 
    > The original post is here:
    > Subject:  HTTP attack looking for /sumthin ?
    > Date:  Oct 17 2002 4:55PM
    > Author:  <jmaywood1975at_private> 
    > http://online.securityfocus.com/archive/75/295738
    > 
    > Has anyone been able to track down what causes the /sumthin requests? I would
    > be interested to see if anyone has access to one of the computers sending out
    > the requests?
    > 
    > Also I am trying to collect logs of as many /sumthing requests as I can get
    > my hands on for further analysis. For those that can, please forward the
    > related logs to noamat_private!
    > 
    > Here are some more requests from the last few days to www.noameppel.com:
    > 
    > 216.230.142.50 - - [02/Jan/2003:01:29:52 -0600] "GET /sumthin HTTP/1.0" 404 640 "-" "-"
    > 216.184.98.3 - - [02/Jan/2003:07:09:49 -0600] "GET /sumthin HTTP/1.0" 404 638 "-" "-"
    > applwi01-vlan485-106.dsl.tds.net - - [03/Jan/2003:17:20:52 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-"
    > 211.252.55.67 - - [03/Jan/2003:18:04:14 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-"
    > applwi01-vlan485-106.dsl.tds.net - - [04/Jan/2003:08:07:27 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-"
    > 
    > Cheers!
    > 
    > Noam Eppel
    > noamat_private
    > http://www.noameppel.com
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    > 
    
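Noam's request is for logs of /sumthin probes so they can be compared across sites. The script below is an added example for that kind of triage; it is not code from either poster. It parses Apache combined-format lines, picks out the /sumthin requests (which in the quoted logs always arrive with no Referer and no User-Agent), and counts them per source with first/last-seen timestamps. The five /sumthin lines are the ones quoted above; the sixth line (a normal request from a 192.0.2.x test address) is constructed as a negative case, and the log regex is an assumption about the combined format rather than anything the thread specifies.

```python
import re
from collections import Counter

# Apache "combined" log format, matching the lines quoted in the thread.
# Assumed layout: host ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Marker paths only this scanner asks for; extend the set as new probes turn up.
PROBE_PATHS = {"/sumthin"}

# First five lines: the requests quoted in Noam's post.
# Last line: constructed normal traffic, used as a negative case.
SAMPLE_LOG = """\
216.230.142.50 - - [02/Jan/2003:01:29:52 -0600] "GET /sumthin HTTP/1.0" 404 640 "-" "-"
216.184.98.3 - - [02/Jan/2003:07:09:49 -0600] "GET /sumthin HTTP/1.0" 404 638 "-" "-"
applwi01-vlan485-106.dsl.tds.net - - [03/Jan/2003:17:20:52 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-"
211.252.55.67 - - [03/Jan/2003:18:04:14 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-"
applwi01-vlan485-106.dsl.tds.net - - [04/Jan/2003:08:07:27 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-"
192.0.2.10 - - [04/Jan/2003:09:00:00 -0600] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/4.0 (constructed)"
"""


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def is_probe(rec):
    """A /sumthin probe: the marker path, sent with neither Referer nor User-Agent."""
    return rec["path"] in PROBE_PATHS and rec["referer"] == "-" and rec["ua"] == "-"


def summarize(log_text):
    """Count probes per source host and note when each source was first and last seen."""
    by_host = Counter()
    first_seen = {}
    last_seen = {}
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # keep a count so format drift is visible
            continue
        if not is_probe(rec):
            continue
        host = rec["host"]
        by_host[host] += 1
        first_seen.setdefault(host, rec["ts"])
        last_seen[host] = rec["ts"]
    return {
        "probes": sum(by_host.values()),
        "by_host": by_host,
        "first_seen": first_seen,
        "last_seen": last_seen,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['probes']} /sumthin probes from {len(report['by_host'])} sources")
    for host, n in report["by_host"].most_common():
        print(f"  {host:40} {n:3}  first {report['first_seen'][host]}"
              f"  last {report['last_seen'][host]}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's contents; the per-host counts and first/last-seen times are what you would forward for correlation, and a non-zero "unparsed" count means the log format differs from the assumed combined layout.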
    This archive was generated by hypermail 2b30 : Tue Jan 07 2003 - 11:40:56 PST