Security Incidents mailing list archives

RE: /sumthin Revisited


From: "Jonathan A. Zdziarski" <jonathan () networkdweebs com>
Date: Tue, 7 Jan 2003 17:25:44 -0500

Well whatever it is, it is obviously only interested in the web server
itself and not individual websites; this is evident by the HTTP/1.0
header, which will always reference the default documents on the system,
and not a virtual host.

I've been grepping through some scanners lately and haven't been able to
find 'sumthin' in any of them; so far checked nmap, webvulnscan, nikto,
and a few others.  The HTTP/1.0 tells me, though, that this tool is
designed to do what everyone has already come to a conclusion on: check
server version/module information.

-----Original Message-----
From: Sverre H. Huseby [mailto:shh () thathost com] 
Sent: Tuesday, January 07, 2003 4:32 PM
To: Chris Norris
Cc: incidents () securityfocus com; Noam Eppel
Subject: Re: /sumthin Revisited


[Chris Norris]

|   Maybe it's a port 80 scanner that captures banner info. Issuing
|   GET /sumthin would 99.99% produce a 404 and some server info which
|   could be added to a database.

Yes, but you could just as well have obtained the info using 
"HEAD /", which wouldn't show up in the error_log.

The "GET /sumthin" is the fingerprint of something.  A worm, 
a scanner or something (sumthin) completely harmless.  I 
think Noam's goal is to find out what this fingerprint 
matches.  And I'm quite curious myself, as I see it coming 
from many different IP addresses, and only for my 
SSL/TLS-enabled domain.


Sverre.

-- 
shh () thathost com           Computer Geek?  Try my Nerd Quiz
http://shh.thathost.com/      http://nerdquiz.thathost.com/

--------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
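As an added illustration, not code from anyone in the thread: a small access-log check that pulls out the "GET /sumthin" fingerprint discussed above, counts how many distinct source IPs it comes from, and separately lists HTTP/1.0 requests (the version the thread associates with scanners hitting the default host rather than a named virtual host). The log lines are constructed samples in Apache combined format; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Apache combined format); not real data
# from the thread. Addresses are from documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Jan/2003:16:02:11 -0500] "GET /sumthin HTTP/1.0" 404 285 "-" "-"
192.0.2.11 - - [07/Jan/2003:16:05:43 -0500] "GET /sumthin HTTP/1.0" 404 285 "-" "-"
198.51.100.7 - - [07/Jan/2003:16:07:02 -0500] "GET /index.html HTTP/1.1" 200 4521 "-" "Mozilla/4.0"
192.0.2.10 - - [07/Jan/2003:16:09:30 -0500] "HEAD / HTTP/1.0" 200 - "-" "-"
203.0.113.5 - - [07/Jan/2003:16:12:15 -0500] "GET /sumthin HTTP/1.1" 404 285 "-" "-"
"""

# Matches the leading fields of a combined-format line: client IP, timestamp,
# request line (method, path, HTTP version), status code and response size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/(?P<ver>\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse(log_text):
    """Yield one dict of named fields per parsable access-log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_sumthin(log_text, path="/sumthin"):
    """Return (hits, per_ip) for requests whose path is exactly `path`.

    hits is the list of matching records; per_ip counts them by source
    address, which shows how widely distributed the probing is.
    """
    hits = [r for r in parse(log_text) if r["path"] == path]
    return hits, Counter(r["ip"] for r in hits)


def http10_requests(log_text):
    """Return records whose request line used HTTP/1.0; such clients are the
    ones the thread expects to land on the server's default host."""
    return [r for r in parse(log_text) if r["ver"] == "1.0"]


if __name__ == "__main__":
    hits, per_ip = find_sumthin(SAMPLE_LOG)
    print(f"{len(hits)} /sumthin requests from {len(per_ip)} distinct IPs")
    print(f"{len(http10_requests(SAMPLE_LOG))} HTTP/1.0 requests")
```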
