[Chris Norris] | Maybe it's a port 80 scanner that captures banner info. Issuing | GET /sumthin would 99.99% produce a 404 and some server info which | could be added to a database. Yes, but you could just as well have obtained the info using "HEAD /", which wouldn't show up in the error_log. The "GET /sumthin" is the fingerprint of something. A worm, a scanner or something (sumthin) completely harmless. I think Noam's goal is to find out what this fingerprint matches. And I'm quite curious myself, as I see it coming from many different IP addresses, and only for my SSL/TLS-enabled domain. Sverre. -- shhat_private Computer Geek? Try my Nerd Quiz http://shh.thathost.com/ http://nerdquiz.thathost.com/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jan 07 2003 - 14:15:07 PST