I typed in the IP address of the machine that scanned one of my machines for /sumthin and it turned out to be another web server for 'Jang Cyuang Enterise Co., LTD.'. I emailed them asking if they had a tool that performs these scans, and I'm waiting for a reply. This could very well be a new worm looking for vulnerable hosts, and if it is, this company's web server is Apache 1.3.12, so it may be an old vulnerability.

> -----Original Message-----
> From: Sverre H. Huseby [mailto:shhat_private]
> Sent: Tuesday, January 07, 2003 4:32 PM
> To: Chris Norris
> Cc: incidentsat_private; Noam Eppel
> Subject: Re: /sumthin Revisited
>
>
> [Chris Norris]
>
> | Maybe it's a port 80 scanner that captures banner info. Issuing
> | GET /sumthin would 99.99% produce a 404 and some server info which
> | could be added to a database.
>
> Yes, but you could just as well have obtained the info using
> "HEAD /", which wouldn't show up in the error_log.
>
> The "GET /sumthin" is the fingerprint of something. A worm,
> a scanner or something (sumthin) completely harmless. I
> think Noam's goal is to find out what this fingerprint
> matches. And I'm quite curious myself, as I see it coming
> from many different IP addresses, and only for my
> SSL/TLS-enabled domain.
>
>
> Sverre.
>
> --
> shhat_private                  Computer Geek? Try my Nerd Quiz
> http://shh.thathost.com/       http://nerdquiz.thathost.com/
>
> --------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer
> service. For more information on this free incident handling,
> management and tracking system please see: http://aris.securityfocus.com
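Added here as a defender-side illustration, not code from the thread or from either poster: a small Python parser that runs over constructed Apache access_log lines and groups requests for the "/sumthin" fingerprint by source IP, so the "many different IP addresses" pattern described above can be counted rather than eyeballed. The log lines and IP addresses are sample data I made up; only the /sumthin path comes from the thread.

```python
import re
from collections import defaultdict

# Constructed sample access_log lines in Apache Common Log Format; these are
# illustrative, not log lines from the thread above. The last line is
# deliberately malformed to show the parser skipping it.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [07/Jan/2003:10:12:01 -0800] "GET /sumthin HTTP/1.0" 404 276
198.51.100.23 - - [07/Jan/2003:10:15:44 -0800] "GET /index.html HTTP/1.1" 200 1043
203.0.113.7 - - [07/Jan/2003:10:20:09 -0800] "GET /sumthin HTTP/1.0" 404 276
192.0.2.55 - - [07/Jan/2003:11:02:30 -0800] "GET /sumthin HTTP/1.0" 404 276
192.0.2.55 - - [07/Jan/2003:11:02:31 -0800] "HEAD / HTTP/1.0" 200 -
this line is garbage and must be skipped, not crash the parser
"""

# One regex for a Common Log Format entry; anything that does not match is ignored.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# The request path the thread is trying to attribute (from the thread itself).
FINGERPRINT_PATH = "/sumthin"


def parse_clf(line):
    """Return a dict of the CLF fields, or None if the line does not parse."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def find_sumthin_probes(log_text):
    """Group requests for the fingerprint path by client IP.

    Returns {ip: {"hits": int, "first_seen": str, "statuses": set}}.
    Note that access_log records the request regardless of status, so a
    probe that returns 404 is seen here even if it never reached error_log.
    """
    probes = defaultdict(lambda: {"hits": 0, "first_seen": None, "statuses": set()})
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None or rec["path"] != FINGERPRINT_PATH:
            continue
        entry = probes[rec["ip"]]
        entry["hits"] += 1
        entry["first_seen"] = entry["first_seen"] or rec["ts"]
        entry["statuses"].add(rec["status"])
    return dict(probes)


def noisiest_sources(probes, top=5):
    """Source IPs ordered by number of fingerprint requests, most active first."""
    return sorted(probes, key=lambda ip: (-probes[ip]["hits"], ip))[:top]
```

Run over a real access_log, a long tail of single-hit addresses (rather than one busy scanner) is the shape a worm would leave, which is the distinction the thread is trying to draw.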
This archive was generated by hypermail 2b30 : Tue Jan 07 2003 - 15:42:48 PST