RE: /sumthin Revisited

From: Wolf, Glenn (glenn.wolf@we-inc.com)
Date: Mon Jan 06 2003 - 12:02:35 PST


    groups.google.com is your friend:
    http://lists.insecure.org/lists/incidents/2002/Oct/0161.html
    
    Glenn
    
    
    -----Original Message-----
    From: Noam Eppel [mailto:noamat_private] 
    Sent: Saturday, January 04, 2003 4:15 PM
    To: jmaywood1975at_private; keydet89at_private; bugtraqat_private;
    loonat_private; EslerJ@RCERT-S.ARMY.MIL; jcalhounat_private;
    A20FBW1at_private; the_fergat_private; JBeckettat_private;
    ksajat_private
    Cc: webappsecat_private; incidentsat_private
    Subject: /sumthin Revisited
    
    
    
    Okay, I will go on record saying the /sumthin mystery is concerning me ;-)
    
    The original post is here:
    Subject:  HTTP attack looking for /sumthin ?
    Date:  Oct 17 2002 4:55PM
    Author:  <jmaywood1975at_private> 
    http://online.securityfocus.com/archive/75/295738
    
    Has anyone been able to track down what causes the /sumthin requests? I
    would be interested to see if anyone has access to one of the computers
    sending out the requests?
    
    Also I am trying to collect logs of as many /sumthin requests as I can get
    my hands on for further analysis. For those that can, please forward the
    related logs to noamat_private!
    
    Here are some more requests from the last few days to www.noameppel.com:
    
    216.230.142.50 - - [02/Jan/2003:01:29:52 -0600] "GET /sumthin HTTP/1.0" 404 640 "-" "-"
    216.184.98.3 - - [02/Jan/2003:07:09:49 -0600] "GET /sumthin HTTP/1.0" 404 638 "-" "-"
    applwi01-vlan485-106.dsl.tds.net - - [03/Jan/2003:17:20:52 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-"
    211.252.55.67 - - [03/Jan/2003:18:04:14 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-"
    applwi01-vlan485-106.dsl.tds.net - - [04/Jan/2003:08:07:27 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-"
    
    Cheers!
    
    Noam Eppel
    noamat_private
    http://www.noameppel.com
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    



    This archive was generated by hypermail 2b30 : Tue Jan 07 2003 - 12:29:19 PST