Security Incidents mailing list archives
Re: /sumthin Revisited
From: Chris Barford <C.Barford () student umist ac uk>
Date: Mon, 6 Jan 2003 21:35:23 +0000
I can't confirm this but I would guess this would be a good way to get the http headers of websites. Perhaps then following this a potential hacker could see you were for example running IIS 5.0 and in subsequent scans check for the unicode exploits. Or a more likely cause would be to get a list of apache servers to try to use the openssl-too-open exploits against Perhaps the actual scanner is wanting a 404 page to compare against its database so that if the http reply headers have been altered it can get more information anyway. Altho that is pure speculation on my part Quoting Noam Eppel <noam () noameppel com>:
Okay, I will go on record saying the /sumthin mystery is concerning me ;-) The original post is here: Subject: HTTP attack looking for /sumthin ? Date: Oct 17 2002 4:55PM Author: <jmaywood1975 () hushmail com> http://online.securityfocus.com/archive/75/295738 Has anyone been able to track down what causes the /sumthin requests? I would be interested to see if anyone has access to one of the computers sending out the requests? Also I am trying to collect logs of as many /sumthing requests as I can get my hands on for further analysis. For those that can, please forward the related logs to noam () noameppel com! Here are some more requests from the last few days to www.noameppel.com: 216.230.142.50 - - [02/Jan/2003:01:29:52 -0600] "GET /sumthin HTTP/1.0" 404 640 "-" "-" 216.184.98.3 - - [02/Jan/2003:07:09:49 -0600] "GET /sumthin HTTP/1.0" 404 638 "-" "-" applwi01-vlan485-106.dsl.tds.net - - [03/Jan/2003:17:20:52 - 0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-" 211.252.55.67 - - [03/Jan/2003:18:04:14 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-" applwi01-vlan485-106.dsl.tds.net - - [04/Jan/2003:08:07:27 - 0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-" Cheers! Noam Eppel noam () noameppel com http://www.noameppel.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- /sumthin Revisited Noam Eppel (Jan 06)
- Re: /sumthin Revisited Chris Barford (Jan 07)
- Re: /sumthin Revisited Chris Norris (Jan 07)
- Re: /sumthin Revisited Sverre H. Huseby (Jan 07)
- RE: /sumthin Revisited Jonathan A. Zdziarski (Jan 07)
- RE: /sumthin Revisited Jonathan A. Zdziarski (Jan 07)
- Re: /sumthin Revisited Sverre H. Huseby (Jan 07)
- Re: /sumthin Revisited Michael Katz (Jan 07)
- Re: /sumthin Revisited noconflic (Jan 08)
- RE: /sumthin Revisited Jonathan A. Zdziarski (Jan 07)
- Re: /sumthin Revisited Sverre H. Huseby (Jan 07)
- <Possible follow-ups>
- RE: /sumthin Revisited Wolf, Glenn (Jan 07)
- RE: /sumthin Revisited Rob Keown (Jan 07)