Security Incidents mailing list archives

Re: /sumthin Revisited


From: "Chris Norris" <cnorris () continental-microwave co uk>
Date: Tue, 7 Jan 2003 10:34:10 -0000

Maybe it's a port 80 scanner that captures banner info. Issuing GET /sumthin
would 99.99% produce a 404 and some server info which could be added to a
database. Apart from that I can't think of any reason why this request would
be made!

Chris Norris

----- Original Message -----
From: "Noam Eppel" <noam () noameppel com>
To: <jmaywood1975 () hushmail com>; <keydet89 () yahoo com>;
<bugtraq () cgisecurity net>; <loon () loadedpenguin com>;
<EslerJ () RCERT-S ARMY MIL>; <jcalhoun () lurhq com>; <A20FBW1 () wpo cso niu edu>;
<the_ferg () hotmail com>; <JBeckett () enviance com>; <ksaj () penetrationtest com>
Cc: <webappsec () securityfocus com>; <incidents () securityfocus com>
Sent: Sunday, January 05, 2003 12:14 AM
Subject: /sumthin Revisited



Okay, I will go on record saying the /sumthin mystery is concerning me ;-)

The original post is here:
Subject:  HTTP attack looking for /sumthin ?
Date:  Oct 17 2002 4:55PM
Author:  <jmaywood1975 () hushmail com>
http://online.securityfocus.com/archive/75/295738

Has anyone been able to track down what causes the /sumthin requests? I would
be interested to see if anyone has access to one of the computers sending out
the requests?

Also I am trying to collect logs of as many /sumthin requests as I can get my
hands on for further analysis. For those that can, please forward the related
logs to noam () noameppel com!

Here are some more requests from the last few days to www.noameppel.com:

216.230.142.50 - - [02/Jan/2003:01:29:52 -0600] "GET /sumthin HTTP/1.0" 404 640 "-" "-"
216.184.98.3 - - [02/Jan/2003:07:09:49 -0600] "GET /sumthin HTTP/1.0" 404 638 "-" "-"
applwi01-vlan485-106.dsl.tds.net - - [03/Jan/2003:17:20:52 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-"
211.252.55.67 - - [03/Jan/2003:18:04:14 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-"
applwi01-vlan485-106.dsl.tds.net - - [04/Jan/2003:08:07:27 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-"

Cheers!

Noam Eppel
noam () noameppel com
http://www.noameppel.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
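
One way to pull these requests out of an Apache combined-format access log for the kind of collection asked for above, as an added example that is not part of either message. The function name `find_probes` and the two contrast lines in the sample are assumptions made for illustration; the other five sample lines are the ones quoted in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format, matching the excerpt in the quoted message.
LINE_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# First five lines are from the thread; the last two are constructed
# browser-style requests (documentation addresses) added for contrast.
SAMPLE_LOG = '''
216.230.142.50 - - [02/Jan/2003:01:29:52 -0600] "GET /sumthin HTTP/1.0" 404 640 "-" "-"
216.184.98.3 - - [02/Jan/2003:07:09:49 -0600] "GET /sumthin HTTP/1.0" 404 638 "-" "-"
applwi01-vlan485-106.dsl.tds.net - - [03/Jan/2003:17:20:52 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-"
211.252.55.67 - - [03/Jan/2003:18:04:14 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-"
applwi01-vlan485-106.dsl.tds.net - - [04/Jan/2003:08:07:27 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-"
192.0.2.10 - - [03/Jan/2003:09:00:00 -0600] "GET /sumthin HTTP/1.1" 404 639 "http://example.com/" "Mozilla/4.0 (compatible)"
192.0.2.11 - - [03/Jan/2003:09:05:00 -0600] "GET /index.html HTTP/1.1" 200 5120 "-" "-"
'''

def find_probes(log_text, path="/sumthin"):
    """Group requests for `path` that carry no Referer and no User-Agent, by client."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or not in combined format
        if m["path"] != path or m["referer"] != "-" or m["agent"] != "-":
            continue  # keep only the header-less signature seen in the thread
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[m["client"]].append((when, int(m["status"])))
    return {
        client: {"count": len(rows),
                 "first": min(r[0] for r in rows),
                 "last": max(r[0] for r in rows),
                 "statuses": sorted({r[1] for r in rows})}
        for client, rows in hits.items()
    }

if __name__ == "__main__":
    for client, info in sorted(find_probes(SAMPLE_LOG).items()):
        print(f"{client:36} x{info['count']}  {info['first']:%d/%b %H:%M} .. {info['last']:%d/%b %H:%M}")
```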



