Re: HTTP attack looking for /sumthin ?

["Fred Williams" <A20FBW1 () wpo cso niu edu>]

I agree, this is probably a method used to assess server responses to
help identify both the type of server and how it is configured. I think
NGS had written about this in regards to IIS..yeh here it is
http://www.nextgenss.com/papers/iisrconfig.pdf



> > > zeno <bugtraq () cgisecurity net> 10/17/02 12:55PM >>>
It is probably checking for server response, and error messages.  
Probably some banner scanner of sorts....

- zeno
 



> Does anyone have any ideas what attack this might be?
>
> Below shows 4 seperate potential attacks by 3 different hosts, this
is all the activity in my logs for those three hosts, nothing more
anywhere related to those three ip address.
> It starts with a request for the directory /sumthin
> maybe tries a header exploit by sending a VERSION method?
> and connects ssl.
>
> My googling and mailing list searches dont turn anything up about
what this might be.
> Anyone else see these hits for the /sumthin directory or know what
they might be?
> Sorry for the long lines of log and wrap.
>
> Cheers,
>
> -----------------------------------------------
> [philbo:/var/log/httpd] root# grep 205.221.242.1 *
> access_combined_log:205.221.242.1 - - [16/Oct/2002:16:14:23 -0400]
"GET /sumthin HTTP/1.0" 404 201 "-" "-"
> access_log:205.221.242.1 - - [16/Oct/2002:16:14:23 -0400] "GET
/sumthin HTTP/1.0" 404 201
> error_log:[Wed Oct 16 16:14:23 2002] [error] [client 205.221.242.1]
File does not exist: /home/webserver/Documents/sumthin
> ssl_engine_log:[16/Oct/2002 16:14:23 26577] [info]  Connection to
child 4 established (server philbo.stonecruz.com:443, client
205.221.242.1)
> -------------------------------------------------
> [philbo:/var/log/httpd] root# grep 62.233.149.2 *
> access_combined_log:62.233.149.2 - - [10/Oct/2002:14:30:55 -0400]
"GET /sumthin HTTP/1.0" 404 201 "-" "-"
> access_log:62.233.149.2 - - [10/Oct/2002:14:30:55 -0400] "GET
/sumthin HTTP/1.0" 404 201
> error_log:[Thu Oct 10 14:30:55 2002] [error] [client 62.233.149.2]
File does not exist: /home/webserver/Documents/sumthin
> ssl_engine_log:[10/Oct/2002 14:30:54 26572] [info]  Connection to
child 0 established (server philbo.stonecruz.com:443, client
62.233.149.2)
> ---------------------------------------------------
> [philbo:/var/log/httpd] root# grep 205.150.215.204 *
> access_combined_log:205.150.215.204 - - [10/Oct/2002:05:21:17 -0400]
"GET /sumthin HTTP/1.0" 404 201 "-" "-"
> access_log:205.150.215.204 - - [01/Oct/2002:12:00:39 -0400] "VERSION"
501 -
> access_log:205.150.215.204 - - [10/Oct/2002:05:21:17 -0400] "GET
/sumthin HTTP/1.0" 404 201
> error_log:[Tue Oct  1 12:00:39 2002] [error] [client 205.150.215.204]
Invalid method in request VERSION
> error_log:[Thu Oct 10 05:21:17 2002] [error] [client 205.150.215.204]
File does not exist: /home/webserver/Documents/sumthin
> ssl_engine_log:[01/Oct/2002 12:00:38 15149] [info]  Connection to
child 3 established (server philbo.stonecruz.com:443, client
205.150.215.204)
> ssl_engine_log:[10/Oct/2002 05:21:17 26575] [info]  Connection to
child 2 established (server philbo.stonecruz.com:443, client
205.150.215.204)
> Get your free encrypted email at https://www.hushmail.com 
----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com 


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com 


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com