Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: HTTP attack looking for /sumthin ?

From: cory <loon () loadedpenguin com>
Date: Thu, 17 Oct 2002 12:56:14 -0500
I have seen this on our servers, starting Oct 12 with 213.165.144.xxx (only one ip) and then again on the 15th from 194.236.60.xxx (also one ip) .
Each time they hit they sent 5 to 6 attempts within one second, all looking in the same place.
213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-" 213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-" 213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-" 213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-" 213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-" 
(6 times in all.)

All logs look identical to your post.
What do we have here ?

cheers,
cory




jmaywood1975 () hushmail com wrote:


Does anyone have any ideas what attack this might be?

Below shows 4 seperate potential attacks by 3 different hosts, this is all the activity in my logs for those three 
hosts, nothing more anywhere related to those three ip address.

It starts with a request for the directory /sumthin
maybe tries a header exploit by sending a VERSION method?
and connects ssl.







----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: