Security Incidents mailing list archives
RE: /sumthin Revisited
From: "Jonathan A. Zdziarski" <jonathan () networkdweebs com>
Date: Tue, 7 Jan 2003 17:25:44 -0500
Well whatever it is, it is obviously only interested in the web server itself and not individual websites; this is evident by the HTTP/1.0 header, which will always reference the default documents on the system, and not a virtual host. I've been grepping through some scanners lately and haven't been able to find 'sumthin' in any of them; so far checked nmap, webvulnscan, nikto, and a few others. The HTTP/1.0 tells me though that this tool is designed to do what everyone has already come to for a conclusion; check server version/module information.

-----Original Message-----
From: Sverre H. Huseby [mailto:shh () thathost com]
Sent: Tuesday, January 07, 2003 4:32 PM
To: Chris Norris
Cc: incidents () securityfocus com; Noam Eppel
Subject: Re: /sumthin Revisited

[Chris Norris]

| Maybe it's a port 80 scanner that captures banner info. Issuing
| GET /sumthin would 99.99% produce a 404 and some server info which
| could be added to a database.

Yes, but you could just as well have obtained the info using "HEAD /", which wouldn't show up in the error_log.

The "GET /sumthin" is the fingerprint of something. A worm, a scanner or something (sumthin) completely harmless. I think Noam's goal is to find out what this fingerprint matches. And I'm quite curious myself, as I see it coming from many different IP addresses, and only for my SSL/TLS-enabled domain.

Sverre.

--
shh () thathost com
Computer Geek? Try my Nerd Quiz
http://shh.thathost.com/
http://nerdquiz.thathost.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
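
For anyone wanting to measure this probe on their own server, here is an added example (not part of the thread or any poster's code) that pulls exact `GET /sumthin` hits out of a web server log and counts distinct sources and HTTP/1.0 usage. It assumes an access log in Apache common log format rather than the error_log mentioned above; the sample lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Common log format prefix: host ident user [time] "request" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation-range addresses), not data from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Jan/2003:16:02:11 -0500] "GET /sumthin HTTP/1.0" 404 284
198.51.100.7 - - [07/Jan/2003:16:05:40 -0500] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - - [07/Jan/2003:16:09:02 -0500] "GET /sumthin HTTP/1.0" 404 284
192.0.2.10 - - [07/Jan/2003:16:30:57 -0500] "GET /sumthin HTTP/1.0" 404 284
198.51.100.7 - - [07/Jan/2003:16:31:03 -0500] "HEAD / HTTP/1.0" 200 0
203.0.113.9 - - [07/Jan/2003:16:40:00 -0500] "GET /sumthin?x=1 HTTP/1.1" 404 290
this line is malformed and must be skipped
"""

def find_probes(log_text, probe_path="/sumthin"):
    """Return {source_ip: [(timestamp, protocol, status), ...]} for exact probe hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate truncated or garbage lines
        # Exact path match: the probe discussed in the thread has no query string.
        if m["method"] == "GET" and m["path"] == probe_path:
            hits[m["ip"]].append((m["ts"], m["proto"] or "HTTP/0.9", int(m["status"])))
    return dict(hits)

def summarize(hits):
    """Count distinct sources, total hits, and hits sent as HTTP/1.0."""
    all_hits = [h for per_ip in hits.values() for h in per_ip]
    return {
        "sources": len(hits),
        "requests": len(all_hits),
        "http10": sum(1 for _, proto, _ in all_hits if proto == "HTTP/1.0"),
    }

if __name__ == "__main__":
    probes = find_probes(SAMPLE_LOG)
    for ip, entries in sorted(probes.items()):
        print(ip, len(entries), entries[0][0])
    print(summarize(probes))
```
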
Current thread:
- /sumthin Revisited Noam Eppel (Jan 06)
- Re: /sumthin Revisited Chris Barford (Jan 07)
- Re: /sumthin Revisited Chris Norris (Jan 07)
- Re: /sumthin Revisited Sverre H. Huseby (Jan 07)
- RE: /sumthin Revisited Jonathan A. Zdziarski (Jan 07)
- RE: /sumthin Revisited Jonathan A. Zdziarski (Jan 07)
- Re: /sumthin Revisited Sverre H. Huseby (Jan 07)
- Re: /sumthin Revisited Michael Katz (Jan 07)
- Re: /sumthin Revisited noconflic (Jan 08)
- RE: /sumthin Revisited Jonathan A. Zdziarski (Jan 07)
- Re: /sumthin Revisited Sverre H. Huseby (Jan 07)
- <Possible follow-ups>
- RE: /sumthin Revisited Wolf, Glenn (Jan 07)
- RE: /sumthin Revisited Rob Keown (Jan 07)