Security Incidents mailing list archives

Re: /sumthin Revisited


From: Chris Barford <C.Barford () student umist ac uk>
Date: Mon, 6 Jan 2003 21:35:23 +0000

I can't confirm this, but I would guess this would be a good way to get the HTTP 
headers of websites. Perhaps then, following this, a potential hacker could see 
you were, for example, running IIS 5.0 and in subsequent scans check for the 
Unicode exploits. Or a more likely cause would be to get a list of Apache 
servers to try to use the openssl-too-open exploits against.

Perhaps the actual scanner is wanting a 404 page to compare against its 
database, so that if the HTTP reply headers have been altered it can get more 
information anyway. Although that is pure speculation on my part.


Quoting Noam Eppel <noam () noameppel com>:


Okay, I will go on record saying the /sumthin mystery is concerning me ;-)

The original post is here:
Subject:  HTTP attack looking for /sumthin ?
Date:  Oct 17 2002 4:55PM
Author:  <jmaywood1975 () hushmail com> 
http://online.securityfocus.com/archive/75/295738

Has anyone been able to track down what causes the /sumthin requests? I would 
be interested to see if anyone has access to one of the computers sending out 
the requests?

Also I am trying to collect logs of as many /sumthin requests as I can get my 
hands on for further analysis. For those that can, please forward the related 
logs to noam () noameppel com!

Here are some more requests from the last few days to www.noameppel.com:

216.230.142.50 - - [02/Jan/2003:01:29:52 -0600] "GET /sumthin HTTP/1.0" 404 640 "-" "-"
216.184.98.3 - - [02/Jan/2003:07:09:49 -0600] "GET /sumthin HTTP/1.0" 404 638 "-" "-"
applwi01-vlan485-106.dsl.tds.net - - [03/Jan/2003:17:20:52 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-"
211.252.55.67 - - [03/Jan/2003:18:04:14 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-"
applwi01-vlan485-106.dsl.tds.net - - [04/Jan/2003:08:07:27 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-"

Cheers!

Noam Eppel
noam () noameppel com
http://www.noameppel.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com



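The log lines Noam posted all share one shape: a bare "GET /sumthin HTTP/1.0" with no Referer and no User-Agent, which is what you would expect from a scanner rather than a browser. The script below is an added example written for this archive page, not code from either poster, that parses Apache combined-format log lines, picks out the /sumthin probes, and counts them per source so repeat visitors stand out. The five probe lines are the ones from the thread; the other two sample lines (a normal page fetch and a truncated line) are constructed to show that the parser ignores them. It deliberately does not key on the 404 status, since a server configured to answer unknown paths with 200 would otherwise hide the probe.

```python
import re
from collections import Counter

# Apache "combined" log format:
# host ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Five lines from the thread plus two constructed lines (a normal request and a
# truncated one) so the parser's handling of non-matching input is exercised.
SAMPLE_LOG = """\
216.230.142.50 - - [02/Jan/2003:01:29:52 -0600] "GET /sumthin HTTP/1.0" 404 640 "-" "-"
216.184.98.3 - - [02/Jan/2003:07:09:49 -0600] "GET /sumthin HTTP/1.0" 404 638 "-" "-"
applwi01-vlan485-106.dsl.tds.net - - [03/Jan/2003:17:20:52 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-"
211.252.55.67 - - [03/Jan/2003:18:04:14 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-"
applwi01-vlan485-106.dsl.tds.net - - [04/Jan/2003:08:07:27 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-"
10.0.0.5 - - [03/Jan/2003:12:00:00 -0600] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
10.0.0.6 - - [03/Jan/2003:12:00:01 -0600] "GET /index.html
"""


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_sumthin_probe(rec):
    """Match the request seen in the thread: GET /sumthin, regardless of status code."""
    return rec["method"] == "GET" and rec["path"] == "/sumthin"


def is_headerless_http10(rec):
    """True when the client sent HTTP/1.0 with neither Referer nor User-Agent,
    the scanner-like signature shared by every /sumthin line in the thread."""
    return rec["proto"] == "HTTP/1.0" and rec["referer"] == "-" and rec["ua"] == "-"


def probes_by_source(log_text):
    """Count /sumthin probes per source host; unparseable lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_sumthin_probe(rec):
            counts[rec["host"]] += 1
    return dict(counts)


def repeat_sources(log_text):
    """Hosts that sent more than one /sumthin probe, sorted for stable output."""
    return sorted(h for h, n in probes_by_source(log_text).items() if n > 1)


def headerless_probe_count(log_text):
    """How many of the /sumthin probes also carry the headerless HTTP/1.0 signature."""
    return sum(
        1
        for line in log_text.splitlines()
        for rec in [parse_line(line)]
        if rec and is_sumthin_probe(rec) and is_headerless_http10(rec)
    )


if __name__ == "__main__":
    for host, n in sorted(probes_by_source(SAMPLE_LOG).items()):
        print(f"{host}: {n} /sumthin probe(s)")
    print("repeat sources:", repeat_sources(SAMPLE_LOG))
    print("headerless HTTP/1.0 probes:", headerless_probe_count(SAMPLE_LOG))
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents; the per-host counts are what you would forward in reply to Noam's request, and the headerless check is a cheap way to separate scanner traffic from a human who typed the path by hand.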