Security Incidents mailing list archives
RE: HTTP attack looking for /sumthin ?
From: "Beckett, Josh" <JBeckett () enviance com>
Date: Thu, 17 Oct 2002 12:39:27 -0700
My first thought on this was a Bot or spider, but after running the source IPs through the ol' whois routine, I came up with one sourced out of a UK ISP and the other from a University. I'd agree with one of the previous statements that it's some sort of scanner/recon tool looking for error codes and server vulns.

-----Original Message-----
From: cory [mailto:loon () loadedpenguin com]
Sent: Thursday, October 17, 2002 10:56 AM
To: jmaywood1975 () hushmail com; incidents () securityfocus com
Subject: Re: HTTP attack looking for /sumthin ?

I have seen this on our servers, starting Oct 12 with 213.165.144.xxx (only one ip) and then again on the 15th from 194.236.60.xxx (also one ip). Each time they hit they sent 5 to 6 attempts within one second, all looking in the same place.

213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"
213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"
213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"
213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"
213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"

(6 times in all.)

All logs look identical to your post. What do we have here?

cheers,
cory

jmaywood1975 () hushmail com wrote:
Does anyone have any ideas what attack this might be? Below shows 4 separate potential attacks by 3 different hosts, this is all the activity in my logs for those three hosts, nothing more anywhere related to those three ip address.
It starts with a request for the directory /sumthin maybe tries a header exploit by sending a VERSION method? and connects ssl.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
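The burst pattern reported in this thread (5 to 6 identical requests for one missing path from a single IP within one second, with no referrer and no user agent) can be picked out of an Apache access log mechanically. The following is an added example, not part of the original messages; the function name find_probe_bursts, the threshold of 5, and the sample log lines (built with documentation-range addresses) are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Apache common/combined log format, matching the lines quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

def find_probe_bursts(lines, min_hits=5):
    """Return {(ip, timestamp, path): count} for clients that requested the
    same missing path at least min_hits times within one logged second,
    sending neither a Referer nor a User-Agent header."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing
        if m["status"] != "404":
            continue
        # "-" is how Apache logs an absent header; None means the line is in
        # common log format and carries no header fields at all.
        if m["referer"] not in ("-", None) or m["agent"] not in ("-", None):
            continue
        # The timestamp has one-second resolution, so it doubles as the window.
        hits[(m["ip"], m["ts"], m["path"])] += 1
    return {key: n for key, n in hits.items() if n >= min_hits}

# Constructed sample input (not taken from anyone's real logs).
PROBE = ('192.0.2.10 - - [12/Oct/2002:05:40:01 -0500] '
         '"GET /sumthin HTTP/1.0" 404 1086 "-" "-"')
BELOW = ('203.0.113.5 - - [15/Oct/2002:11:02:44 -0500] '
         '"GET /sumthin HTTP/1.0" 404 1086 "-" "-"')
SAMPLE = [PROBE] * 6 + [BELOW] * 2 + [
    '198.51.100.7 - - [12/Oct/2002:05:40:02 -0500] '
    '"GET /index.html HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    # An ordinary broken link: 404, but with referrer and user agent present.
    '198.51.100.7 - - [12/Oct/2002:05:40:03 -0500] '
    '"GET /missing.gif HTTP/1.0" 404 1086 "http://example.com/" "Mozilla/4.0"',
    'this line is not in access-log format',
]

if __name__ == "__main__":
    for (ip, ts, path), n in find_probe_bursts(SAMPLE).items():
        print(f"{ip} requested {path} {n} times at {ts}")
```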
Current thread:
- HTTP attack looking for /sumthin ? jmaywood1975 (Oct 17)
- Re: HTTP attack looking for /sumthin ? cory (Oct 17)
- Re: HTTP attack looking for /sumthin ? Scott C. Kennedy (Oct 17)
- Re: HTTP attack looking for /sumthin ? H C (Oct 17)
- <Possible follow-ups>
- Re: HTTP attack looking for /sumthin ? zeno (Oct 17)
- RE: HTTP attack looking for /sumthin ? Esler, Joel (Oct 17)
- Re: HTTP attack looking for /sumthin ? Johnny Calhoun (Oct 17)
- Re: HTTP attack looking for /sumthin ? Patrick Oonk (Oct 18)
- Re: HTTP attack looking for /sumthin ? Hugo van der Kooij (Oct 18)
- Re: HTTP attack looking for /sumthin ? Patrick Oonk (Oct 18)
- Re: HTTP attack looking for /sumthin ? Fred Williams (Oct 17)
- RE: HTTP attack looking for /sumthin ? Beckett, Josh (Oct 17)
- Re: HTTP attack looking for /sumthin ? cory (Oct 17)