Re: /sumthin Revisited

From: Sverre H. Huseby (shhat_private)
Date: Tue Jan 07 2003 - 14:12:23 PST


    I'm adding some info to my previous reply:
    
    I queried the Server header of the 30 different IPs (only two have
    visited me twice) that have sumthin'ed me since 2002-10-12.  21 of
    them replied as follows, the rest didn't respond:
    
    Squid/2.4.STABLE7
    Squid/2.4.STABLE7
    Apache/1.3.27 (Unix) PHP/4.3.0
    
    Apache-AdvancedExtranetServer/1.3.19 (Linux-Mandrake/3mdk) mod_ssl/2.8.2 OpenSSL/0.9.6 PHP/4.0.4pl1
    Apache-AdvancedExtranetServer/1.3.20 (Mandrake Linux/3mdk) mod_ssl/2.8.4 OpenSSL/0.9.6b PHP/4.0.6
    Apache-AdvancedExtranetServer/1.3.22 (Mandrake Linux/10.2mdk) mod_ssl/2.8.5 OpenSSL/0.9.6b PHP/4.0.6
    Apache-AdvancedExtranetServer/1.3.23 (Mandrake Linux/4mdk) tomcat/1.0 mod_ssl/2.8.7 OpenSSL/0.9.6c PHP/4.1.2 mod_jk/1.1.0
    Apache/1.3.12 (Unix)  (Red Hat/Linux) mod_ssl/2.6.6 OpenSSL/0.9.5a DAV/1.0.1 PHP/4.0.1pl2 mod_perl/1.24
    Apache/1.3.12 (Unix)  (Red Hat/Linux) mod_ssl/2.6.6 OpenSSL/0.9.5a PHP/4.0.1pl2 mod_perl/1.24
    Apache/1.3.14 (Unix)  (Red-Hat/Linux) mod_ssl/2.7.1 OpenSSL/0.9.5a PHP/4.0.4pl1 mod_perl/1.24
    Apache/1.3.19 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
    Apache/1.3.19 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
    Apache/1.3.19 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
    Apache/1.3.19 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
    Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.0.6 mod_perl/1.24_01
    Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.0.6 mod_perl/1.24_01
    Apache/1.3.22 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.5 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.1.2 mod_perl/1.24_01
    Apache/1.3.23 (Unix)  (Red-Hat/Linux) mod_python/2.7.6 Python/1.5.2 mod_ssl/2.8.7 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26 mod_throttle/3.1.2
    Apache/1.3.23 (Unix)  (Red-Hat/Linux) mod_python/2.7.6 Python/1.5.2 mod_ssl/2.8.7 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26 mod_throttle/3.1.2
    Apache/1.3.23 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.7 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26
    Apache/1.3.23 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.7 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26
    
    Except for the three mentioned first, all the rest announce themselves
    as Apache web servers that have known vulnerabilities, and OpenSSL
    versions with same (they are not vulnerable if the vulnerabilities
    have been patched).  I know nothing about the other modules they have
    in common.
    
    Several of the web servers just show the Apache Test Page when I visit
    them in my browser.
    
    Of course, this little sample need not mean anything.  But I find it
    somewhat strange that all requests come from typical Unix/Linux
    machines, of which most may have known vulnerabilities.
    
    I'm still very curious as to what this li'l sumthin might be.  Why did
    it start in October 2002 for my part (I have logs from February)?  Why
    did it only visit my https-enabled domain?  Is it just another
    favicon.ico, which stirred some people up some time ago when Microsoft
    "invented" it?  Is it a GET-request sample from some book?  Is it an
    unknown, slow-moving worm?  A scanner?  A manual exploit?  A
    misspelling that suddenly got popular?  Hopefully, time will show.
    
    
    Sverre.
    
    -- 
    shhat_private		Computer Geek?  Try my Nerd Quiz
    http://shh.thathost.com/	http://nerdquiz.thathost.com/
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
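The survey described in the post (pull the client addresses that requested
/sumthin out of the access log, then look at what each one announces in its
Server header) can be automated. The script below is an added example written
for this page, not code from Sverre or from the incidents list. The log lines
are constructed (RFC 5737 test addresses); the Server header values are a
subset of the ones quoted in the post; the function names (sumthin_sources,
parse_server_header, component_versions, fetch_server_header) are my own.
The one network call is kept in a separate function and is not run by default.

```python
import re
import http.client
from collections import Counter

# Constructed Apache combined-log lines (RFC 5737 test addresses), NOT from the
# original post; they stand in for the logs the author grepped for "/sumthin".
SAMPLE_LOG = """\
192.0.2.10 - - [12/Oct/2002:03:14:07 +0100] "GET /sumthin HTTP/1.0" 404 287 "-" "-"
192.0.2.11 - - [13/Oct/2002:11:02:55 +0100] "GET / HTTP/1.1" 200 1543 "-" "Mozilla/4.0"
198.51.100.5 - - [14/Oct/2002:22:41:13 +0100] "GET /sumthin HTTP/1.0" 404 287 "-" "-"
192.0.2.10 - - [20/Nov/2002:05:00:01 +0100] "GET /sumthin HTTP/1.0" 404 287 "-" "-"
203.0.113.9 - - [01/Jan/2003:09:30:00 +0100] "HEAD /sumthin HTTP/1.0" 404 0 "-" "-"
"""

# A handful of the Server header values quoted in the post, used as sample input.
SAMPLE_SERVER_HEADERS = [
    "Squid/2.4.STABLE7",
    "Apache/1.3.27 (Unix) PHP/4.3.0",
    "Apache-AdvancedExtranetServer/1.3.19 (Linux-Mandrake/3mdk) mod_ssl/2.8.2 OpenSSL/0.9.6 PHP/4.0.4pl1",
    "Apache/1.3.19 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01",
    "Apache/1.3.23 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.7 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26",
]

# Apache common/combined log format: client, ident, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# One "product/version" token of a Server header, e.g. "mod_ssl/2.8.7".
SERVER_TOKEN_RE = re.compile(r'(?P<product>[A-Za-z][\w.-]*)/(?P<version>[\w.+-]+)')


def sumthin_sources(log_text, path="/sumthin"):
    """Return {client_ip: request_count} for every client that asked for `path`.

    Any method counts (the post does not say whether the probes were GET only),
    so a HEAD /sumthin is tallied as well.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("path") == path:
            hits[m.group("ip")] += 1
    return dict(hits)


def parse_server_header(value):
    """Split a Server header into [(product, version), ...].

    Parenthesised comments such as "(Unix)" or "(Linux-Mandrake/3mdk)" are free
    text, not product tokens, so they are blanked out before tokenising;
    otherwise "Linux-Mandrake/3mdk" would be reported as a component.
    """
    stripped = re.sub(r'\([^)]*\)', ' ', value)
    return [(m.group("product"), m.group("version"))
            for m in SERVER_TOKEN_RE.finditer(stripped)]


def component_versions(server_headers):
    """Tally, per component, how many hosts reported each version.

    Returns {product: Counter({version: host_count})}, which is the view needed
    to see what the scanning hosts have in common (e.g. every OpenSSL version).
    """
    tally = {}
    for hdr in server_headers:
        for product, version in parse_server_header(hdr):
            tally.setdefault(product, Counter())[version] += 1
    return tally


def fetch_server_header(host, port=80, timeout=5):
    """Send a single HEAD / and return the Server header value (None if absent).

    This is the only part that touches the network; it is not called below.
    Probe only hosts you are permitted to contact.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Server")
    finally:
        conn.close()


if __name__ == "__main__":
    for ip, n in sorted(sumthin_sources(SAMPLE_LOG).items()):
        print(f"{ip}\t{n} request(s) for /sumthin")
    for product, versions in sorted(component_versions(SAMPLE_SERVER_HEADERS).items()):
        print(f"{product}: {dict(versions)}")
```

To reproduce the survey on real data, feed the access log to sumthin_sources,
call fetch_server_header on each address that comes back, and hand the
collected values to component_versions. Note that a Server header is
self-reported: a distribution that backports fixes will keep an old version
string, so the tally shows what the hosts announce, not what is actually
unpatched.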
    



    This archive was generated by hypermail 2b30 : Tue Jan 07 2003 - 14:31:12 PST