Security Incidents mailing list archives

Re: HTTP attack looking for /sumthin ?


From: "Scott C. Kennedy" <sck () infosyscorp com>
Date: Thu, 17 Oct 2002 15:27:02 -0700

Odd, I have seen this only two times since Aug 31st on any of our servers,
both on Oct 13th.

At 10:06:27 AM for 11 secs, a GTE net DSL host 66.13.116.* probed 36 different
sites for this file.

And again at 15:34:42 for 9 secs, a host registered as 'www.*.com' in 209.98.111.*
also probed the same 36 sites.

I checked all sensors to see if these hosts had sent any other packets into
our network or were sent anything, and just got those HTTP connections
for "/sumthin".

Scott

cory wrote:

I have seen this on our servers, starting Oct 12 with 213.165.144.xxx
(only one IP) and then again on the 15th from 194.236.60.xxx (also one
IP).

jmaywood1975 () hushmail com wrote:

Does anyone have any ideas what attack this might be?

Below shows 4 separate potential attacks by 3 different hosts; this is all the activity in my logs for those three
hosts, nothing more anywhere related to those three IP addresses.

It starts with a request for the directory /sumthin,
maybe tries a header exploit by sending a VERSION method?
and connects over SSL.

 Scott C. Kennedy
 Lead Security Architect/ Director of Security
 Infosys Corporation
 Work: (877) 772-2347
 PGP: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE27C1102
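A log-triage script of the kind that produces the figures Scott reports above (how many sites one source probed, and over how many seconds), plus a flag for non-standard request methods such as the VERSION method jmaywood1975 mentions. This is an added example for this thread, not code from the list or its posters; it assumes Apache-style access log lines with the virtual host as the first field, and every IP, hostname and timestamp in the sample is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache "%v %h %l %u %t \"%r\" %>s %b" format
# (virtual host first). Hosts, addresses and times are made up for this example.
SAMPLE_LOG = """\
www.example-a.test 192.0.2.10 - - [13/Oct/2002:10:06:27 -0700] "GET /sumthin HTTP/1.0" 404 276
www.example-b.test 192.0.2.10 - - [13/Oct/2002:10:06:31 -0700] "GET /sumthin HTTP/1.0" 404 276
www.example-c.test 192.0.2.10 - - [13/Oct/2002:10:06:38 -0700] "VERSION / HTTP/1.0" 501 215
www.example-a.test 198.51.100.7 - - [13/Oct/2002:11:02:05 -0700] "GET /index.html HTTP/1.1" 200 5120
www.example-a.test 203.0.113.9 - - [15/Oct/2002:15:34:42 -0700] "GET /sumthin HTTP/1.0" 404 276
"""

LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" (?P<status>\d{3}) (?P<size>\S+)'
)
SUSPECT_PATHS = {"/sumthin"}          # paths the thread identifies as the probe
STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def summarize(log_text):
    """Group suspicious requests by source IP: number of distinct vhosts probed,
    seconds between first and last hit, and any non-standard methods seen."""
    by_ip = defaultdict(lambda: {"vhosts": set(), "first": None, "last": None, "odd": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        odd = rec["method"] not in STANDARD_METHODS
        if rec["path"] not in SUSPECT_PATHS and not odd:
            continue                   # ordinary traffic, ignore
        e = by_ip[rec["ip"]]
        e["vhosts"].add(rec["vhost"])
        if odd:
            e["odd"].add(rec["method"])
        e["first"] = rec["ts"] if e["first"] is None else min(e["first"], rec["ts"])
        e["last"] = rec["ts"] if e["last"] is None else max(e["last"], rec["ts"])
    return {ip: {"sites": len(e["vhosts"]),
                 "seconds": int((e["last"] - e["first"]).total_seconds()),
                 "odd_methods": sorted(e["odd"])} for ip, e in by_ip.items()}

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {s['sites']} sites in {s['seconds']}s, odd methods: {s['odd_methods']}")
```

Run against a concatenation of the access logs from all your virtual hosts to get the per-source "N sites in M seconds" view Scott describes.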



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com