Security Incidents mailing list archives
Re: /sumthin Revisited
From: "Sverre H. Huseby" <shh () thathost com>
Date: Tue, 7 Jan 2003 22:31:43 +0100
[Chris Norris] | Maybe it's a port 80 scanner that captures banner info. Issuing | GET /sumthin would 99.99% produce a 404 and some server info which | could be added to a database. Yes, but you could just as well have obtained the info using "HEAD /", which wouldn't show up in the error_log. The "GET /sumthin" is the fingerprint of something. A worm, a scanner or something (sumthin) completely harmless. I think Noam's goal is to find out what this fingerprint matches. And I'm quite curious myself, as I see it coming from many different IP addresses, and only for my SSL/TLS-enabled domain. Sverre. -- shh () thathost com Computer Geek? Try my Nerd Quiz http://shh.thathost.com/ http://nerdquiz.thathost.com/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- /sumthin Revisited Noam Eppel (Jan 06)
- Re: /sumthin Revisited Chris Barford (Jan 07)
- Re: /sumthin Revisited Chris Norris (Jan 07)
- Re: /sumthin Revisited Sverre H. Huseby (Jan 07)
- RE: /sumthin Revisited Jonathan A. Zdziarski (Jan 07)
- RE: /sumthin Revisited Jonathan A. Zdziarski (Jan 07)
- Re: /sumthin Revisited Sverre H. Huseby (Jan 07)
- Re: /sumthin Revisited Michael Katz (Jan 07)
- Re: /sumthin Revisited noconflic (Jan 08)
- RE: /sumthin Revisited Jonathan A. Zdziarski (Jan 07)
- Re: /sumthin Revisited Sverre H. Huseby (Jan 07)
- <Possible follow-ups>
- RE: /sumthin Revisited Wolf, Glenn (Jan 07)
- RE: /sumthin Revisited Rob Keown (Jan 07)