Security Incidents mailing list archives

Re: /sumthin Revisited


From: "Sverre H. Huseby" <shh () thathost com>
Date: Tue, 7 Jan 2003 22:31:43 +0100

[Chris Norris]

|   Maybe it's a port 80 scanner that captures banner info. Issuing
|   GET /sumthin would 99.99% produce a 404 and some server info which
|   could be added to a database.

Yes, but you could just as well have obtained the info using "HEAD /",
which wouldn't show up in the error_log.

The "GET /sumthin" is the fingerprint of something.  A worm, a scanner
or something (sumthin) completely harmless.  I think Noam's goal is to
find out what this fingerprint matches.  And I'm quite curious myself,
as I see it coming from many different IP addresses, and only for my
SSL/TLS-enabled domain.


Sverre.

-- 
shh () thathost com             Computer Geek?  Try my Nerd Quiz
http://shh.thathost.com/        http://nerdquiz.thathost.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
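
Added example, not part of the original post: one way to check the observation above in your own logs, by counting "GET /sumthin" hits and distinct source addresses per virtual host. It assumes an access log whose lines start with the vhost name (Apache %v) followed by the common log fields; the hostnames, addresses and log lines are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache "vhost_combined"-style format (%v first).
# Hostnames and addresses are documentation placeholders, not from the post.
SAMPLE_LOG = """\
www.example.test 192.0.2.10 - - [07/Jan/2003:20:58:02 +0100] "HEAD / HTTP/1.0" 200 0 "-" "-"
secure.example.test 198.51.100.7 - - [07/Jan/2003:21:05:40 +0100] "GET /sumthin HTTP/1.0" 404 279 "-" "-"
secure.example.test 203.0.113.44 - - [07/Jan/2003:21:17:09 +0100] "GET /sumthin HTTP/1.0" 404 279 "-" "-"
www.example.test 192.0.2.10 - - [07/Jan/2003:21:20:31 +0100] "GET /favicon.ico HTTP/1.1" 404 283 "-" "Mozilla/4.0"
secure.example.test 198.51.100.7 - - [07/Jan/2003:22:01:55 +0100] "GET /sumthin HTTP/1.0" 404 279 "-" "-"
secure.example.test 192.0.2.99 - - [07/Jan/2003:22:14:03 +0100] "GET /sumthin HTTP/1.0" 404 279 "-" "-"
this line is truncated garbage
"""

LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def summarize_probe(log_text, path="/sumthin"):
    """Per vhost: hit count, distinct source IPs, first/last time seen."""
    report = defaultdict(lambda: {"hits": 0, "sources": set(), "first": None, "last": None})
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1          # malformed or truncated line
            continue
        if m["method"] != "GET" or m["path"] != path:
            continue              # other requests (e.g. HEAD /) are not this fingerprint
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entry = report[m["vhost"]]
        entry["hits"] += 1
        entry["sources"].add(m["ip"])
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return dict(report), skipped

if __name__ == "__main__":
    report, skipped = summarize_probe(SAMPLE_LOG)
    for vhost, e in report.items():
        print(f"{vhost}: {e['hits']} hits from {len(e['sources'])} sources, "
              f"{e['first']:%H:%M} to {e['last']:%H:%M}")
    print(f"skipped {skipped} unparsable line(s)")
```

A report that lists only the SSL/TLS vhost, with several distinct sources, matches the pattern described in the message.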

