Re: /sumthin Revisited

From: Chris Norris (cnorris@continental-microwave.co.uk)
Date: Tue Jan 07 2003 - 02:34:10 PST


    Maybe it's a port 80 scanner that captures banner info. Issuing GET /sumthin
    would 99.99% produce a 404 and some server info which could be added to a
    database. Apart from that I can't think of any reason why this request would
    be made!
    
    Chris Norris
    
    ----- Original Message -----
    From: "Noam Eppel" <noamat_private>
    To: <jmaywood1975at_private>; <keydet89at_private>;
    <bugtraqat_private>; <loonat_private>;
    <EslerJ@RCERT-S.ARMY.MIL>; <jcalhounat_private>; <A20FBW1at_private>;
    <the_fergat_private>; <JBeckettat_private>; <ksajat_private>
    Cc: <webappsecat_private>; <incidentsat_private>
    Sent: Sunday, January 05, 2003 12:14 AM
    Subject: /sumthin Revisited
    
    
    >
    > Okay, I will go on record saying the /sumthin mystery is concerning me ;-)
    >
    > The original post is here:
    > Subject:  HTTP attack looking for /sumthin ?
    > Date:  Oct 17 2002 4:55PM
    > Author:  <jmaywood1975at_private>
    > http://online.securityfocus.com/archive/75/295738
    >
    > Has anyone been able to track down what causes the /sumthin requests? I would
    > be interested to see if anyone has access to one of the computers sending out
    > the requests?
    >
    > Also I am trying to collect logs of as many /sumthing requests as I can get my
    > hands on for further analysis. For those that can, please forward the related
    > logs to noamat_private!
    >
    > Here are some more requests from the last few days to www.noameppel.com:
    >
    > 216.230.142.50 - - [02/Jan/2003:01:29:52 -0600] "GET /sumthin HTTP/1.0" 404 640 "-" "-"
    > 216.184.98.3 - - [02/Jan/2003:07:09:49 -0600] "GET /sumthin HTTP/1.0" 404 638 "-" "-"
    > applwi01-vlan485-106.dsl.tds.net - - [03/Jan/2003:17:20:52 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-"
    > 211.252.55.67 - - [03/Jan/2003:18:04:14 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-"
    > applwi01-vlan485-106.dsl.tds.net - - [04/Jan/2003:08:07:27 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-"
    >
    > Cheers!
    >
    > Noam Eppel
    > noamat_private
    > http://www.noameppel.com
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    >
    
    
    
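As an added example (not part of this thread or anyone's posted code), a short Python script that parses Apache combined-format entries like the ones quoted above and tallies the /sumthin probes per source host, the kind of triage one would do before forwarding logs for analysis. It treats the exact path together with the empty referer and user-agent fields ("-" "-") as the signature; the sample log is constructed from the quoted lines, re-joined onto single lines, plus one ordinary browser request that must not be flagged.

```python
import re

# Apache "combined" log line, the format of the entries quoted in the post.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: the five /sumthin hits from the post, plus one benign
# request (constructed host and referer) that must NOT be flagged.
SAMPLE_LOG = """\
216.230.142.50 - - [02/Jan/2003:01:29:52 -0600] "GET /sumthin HTTP/1.0" 404 640 "-" "-"
216.184.98.3 - - [02/Jan/2003:07:09:49 -0600] "GET /sumthin HTTP/1.0" 404 638 "-" "-"
applwi01-vlan485-106.dsl.tds.net - - [03/Jan/2003:17:20:52 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-"
211.252.55.67 - - [03/Jan/2003:18:04:14 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-"
applwi01-vlan485-106.dsl.tds.net - - [04/Jan/2003:08:07:27 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-"
198.51.100.7 - - [04/Jan/2003:09:00:00 -0600] "GET /index.html HTTP/1.1" 200 2048 "http://www.example.com/" "Mozilla/4.0"
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_probe(rec):
    """The /sumthin signature seen in the post: exact path, no referer, no user-agent."""
    return rec["path"] == "/sumthin" and rec["referer"] == "-" and rec["agent"] == "-"


def summarize_probes(log_text):
    """Group /sumthin probes by source host: hit count, first and last timestamp."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_probe(rec):
            continue
        entry = summary.setdefault(rec["host"], {"count": 0, "first": rec["ts"], "last": rec["ts"]})
        entry["count"] += 1
        entry["last"] = rec["ts"]  # access logs are appended in chronological order
    return summary


if __name__ == "__main__":
    for host, info in summarize_probes(SAMPLE_LOG).items():
        print(f"{host}: {info['count']} probe(s), {info['first']} .. {info['last']}")
```

Repeat sources such as the dsl.tds.net host stand out immediately, which is the first thing to check before deciding whether a request pattern is a scanner or a single misconfigured client.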



    This archive was generated by hypermail 2b30 : Tue Jan 07 2003 - 12:45:00 PST