Security Incidents mailing list archives
Re: HTTP attack looking for /sumthin ?
From: "Scott C. Kennedy" <sck () infosyscorp com>
Date: Thu, 17 Oct 2002 15:27:02 -0700
Odd, I have seen this only two times since Aug 31st on any of our servers, both on Oct 13th. At 10:06:27 AM for 11 secs, a GTE net DSL host 66.13.116.* probed 36 different sites for this file. And again at 15:34:42 for 9 secs, a host registered as 'www.*.com' in 209.98.111.* also probed the same 36 sites. I checked all sensors to see if these hosts had sent any other packets into our network or were sent anything, and just got those HTTP connections for "/sumthin"

Scott

cory wrote:
> I have seen this on our servers, starting Oct 12 with 213.165.144.xxx (only one ip) and then again on the 15th from 194.236.60.xxx (also one ip).
>
> jmaywood1975 () hushmail com wrote:
>> Does anyone have any ideas what attack this might be? Below shows 4 separate potential attacks by 3 different hosts, this is all the activity in my logs for those three hosts, nothing more anywhere related to those three ip address. It starts with a request for the directory /sumthin maybe tries a header exploit by sending a VERSION method? and connects ssl.
Scott C. Kennedy
Lead Security Architect/ Director of Security
Infosys Corporation
Work: (877) 772-2347
PGP: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE27C1102

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
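The pattern reported in this message (one source requesting the same path on many sites within seconds) can be picked out of web logs as follows. This is an added example, not part of the original thread; the vhost-first log layout, the sample lines and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed layout: Apache "%v %h %l %u %t \"%r\" %>s %b" (vhost first).
LINE_RE = re.compile(r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ '
                     r'\[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" \d{3} \S+$')

# Constructed sample lines (documentation addresses, made-up vhosts).
SAMPLE_LOG = """\
site1.example 192.0.2.10 - - [13/Oct/2002:10:06:27 -0700] "GET /sumthin HTTP/1.0" 404 280
site2.example 192.0.2.10 - - [13/Oct/2002:10:06:30 -0700] "GET /sumthin HTTP/1.0" 404 280
site3.example 192.0.2.10 - - [13/Oct/2002:10:06:38 -0700] "GET /sumthin HTTP/1.0" 404 280
site1.example 198.51.100.7 - - [13/Oct/2002:11:00:00 -0700] "GET /index.html HTTP/1.0" 200 5120
site2.example 198.51.100.7 - - [13/Oct/2002:11:20:00 -0700] "GET /index.html HTTP/1.0" 200 5120
site3.example 198.51.100.7 - - [13/Oct/2002:11:40:00 -0700] "GET /index.html HTTP/1.0" 200 5120
site1.example 203.0.113.5 - - [13/Oct/2002:15:34:42 -0700] "GET /sumthin HTTP/1.0" 404 280
site2.example 203.0.113.5 - - [13/Oct/2002:15:34:45 -0700] "GET /sumthin HTTP/1.0" 404 280
site3.example 203.0.113.5 - - [13/Oct/2002:15:34:51 -0700] "GET /sumthin HTTP/1.0" 404 280
""".splitlines()

def parse(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_multi_site_probes(lines, min_sites=3, window=timedelta(seconds=30)):
    """Flag clients requesting one path on >= min_sites vhosts within window."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        hits[(rec["client"], rec["path"])].append((rec["ts"], rec["vhost"]))
    findings = []
    for (client, path), events in hits.items():
        events.sort()
        start, best = 0, None
        for end in range(len(events)):          # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            sites = {vhost for _, vhost in events[start:end + 1]}
            if len(sites) >= min_sites and (best is None or len(sites) > best[0]):
                best = (len(sites), events[start][0], events[end][0])
        if best:
            findings.append({"client": client, "path": path, "sites": best[0],
                             "seconds": (best[2] - best[1]).total_seconds()})
    return findings
```

The ordinary visitor in the sample, who fetches the same page from three sites over 40 minutes, is not flagged because the requests never fall inside one window.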