Maybe it's a port 80 scanner that captures banner info. Issuing GET /sumthin would 99.99% produce a 404 and some server info which could be added to a database. Apart from that I can't think of any reason why this request would be made!

Chris Norris

----- Original Message -----
From: "Noam Eppel" <noamat_private>
To: <jmaywood1975at_private>; <keydet89at_private>; <bugtraqat_private>; <loonat_private>; <EslerJ@RCERT-S.ARMY.MIL>; <jcalhounat_private>; <A20FBW1at_private>; <the_fergat_private>; <JBeckettat_private>; <ksajat_private>
Cc: <webappsecat_private>; <incidentsat_private>
Sent: Sunday, January 05, 2003 12:14 AM
Subject: /sumthin Revisited

> Okay, I will go on record saying the /sumthin mystery is concerning me ;-)
>
> The original post is here:
> Subject: HTTP attack looking for /sumthin ?
> Date: Oct 17 2002 4:55PM
> Author: <jmaywood1975at_private>
> http://online.securityfocus.com/archive/75/295738
>
> Has anyone been able to track down what causes the /sumthin requests? I would
> be interested to see if anyone has access to one of the computers sending out
> the requests?
>
> Also I am trying to collect logs of as many /sumthin requests as I can get my
> hands on for further analysis. For those that can, please forward the related
> logs to noamat_private!
>
> Here are some more requests from the last few days to www.noameppel.com:
>
> 216.230.142.50 - - [02/Jan/2003:01:29:52 -0600] "GET /sumthin HTTP/1.0" 404 640 "-" "-"
> 216.184.98.3 - - [02/Jan/2003:07:09:49 -0600] "GET /sumthin HTTP/1.0" 404 638 "-" "-"
> applwi01-vlan485-106.dsl.tds.net - - [03/Jan/2003:17:20:52 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-"
> 211.252.55.67 - - [03/Jan/2003:18:04:14 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-"
> applwi01-vlan485-106.dsl.tds.net - - [04/Jan/2003:08:07:27 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-"
>
> Cheers!
>
> Noam Eppel
> noamat_private
> http://www.noameppel.com
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
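Added example, not part of the original posts: one way to pull requests like the ones quoted above out of an Apache combined-format access log and group them by source, so repeat senders stand out. The sample log lines are constructed (documentation addresses), and the function names `find_probes` and `repeat_sources` are hypothetical.

```python
import re
from collections import defaultdict

# Apache "combined" log format, matching the layout of the entries quoted in the thread.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample input: documentation addresses, not real hosts.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Jan/2003:01:29:52 -0600] "GET /sumthin HTTP/1.0" 404 640 "-" "-"
198.51.100.7 - - [02/Jan/2003:07:09:49 -0600] "GET /sumthin HTTP/1.0" 404 638 "-" "-"
203.0.113.5 - - [02/Jan/2003:09:00:01 -0600] "GET /index.html HTTP/1.1" 200 5120 "http://example.com/" "Mozilla/4.0"
192.0.2.10 - - [04/Jan/2003:08:07:27 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-"
not a log line
"""

def find_probes(log_text, path="/sumthin"):
    """Return {host: [timestamps]} for requests that match the pattern seen in
    the thread: the given path, no Referer and no User-Agent."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed or mail-wrapped lines
        if m["path"] == path and m["referer"] == "-" and m["agent"] == "-":
            hits[m["host"]].append(m["time"])
    return dict(hits)

def repeat_sources(hits):
    """Hosts that sent the request more than once, sorted by name."""
    return sorted(host for host, times in hits.items() if len(times) > 1)

if __name__ == "__main__":
    probes = find_probes(SAMPLE_LOG)
    for host, times in sorted(probes.items()):
        print(host, len(times), times[0], "->", times[-1])
    print("repeat sources:", repeat_sources(probes))
```
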
This archive was generated by hypermail 2b30 : Tue Jan 07 2003 - 12:45:00 PST