Security Incidents mailing list archives

Re: /sumthin Revisited


From: "Sverre H. Huseby" <shh () thathost com>
Date: Tue, 7 Jan 2003 23:12:23 +0100

I'm adding some info to my previous reply:

I queried the Server header of the 30 different IPs (only two have
visited me twice) that have sumthin'ed me since 2002-10-12.  21 of
them replied as follows, the rest didn't respond:

Squid/2.4.STABLE7
Squid/2.4.STABLE7
Apache/1.3.27 (Unix) PHP/4.3.0

Apache-AdvancedExtranetServer/1.3.19 (Linux-Mandrake/3mdk) mod_ssl/2.8.2 OpenSSL/0.9.6 PHP/4.0.4pl1
Apache-AdvancedExtranetServer/1.3.20 (Mandrake Linux/3mdk) mod_ssl/2.8.4 OpenSSL/0.9.6b PHP/4.0.6
Apache-AdvancedExtranetServer/1.3.22 (Mandrake Linux/10.2mdk) mod_ssl/2.8.5 OpenSSL/0.9.6b PHP/4.0.6
Apache-AdvancedExtranetServer/1.3.23 (Mandrake Linux/4mdk) tomcat/1.0 mod_ssl/2.8.7 OpenSSL/0.9.6c PHP/4.1.2 mod_jk/1.1.0
Apache/1.3.12 (Unix)  (Red Hat/Linux) mod_ssl/2.6.6 OpenSSL/0.9.5a DAV/1.0.1 PHP/4.0.1pl2 mod_perl/1.24
Apache/1.3.12 (Unix)  (Red Hat/Linux) mod_ssl/2.6.6 OpenSSL/0.9.5a PHP/4.0.1pl2 mod_perl/1.24
Apache/1.3.14 (Unix)  (Red-Hat/Linux) mod_ssl/2.7.1 OpenSSL/0.9.5a PHP/4.0.4pl1 mod_perl/1.24
Apache/1.3.19 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
Apache/1.3.19 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
Apache/1.3.19 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
Apache/1.3.19 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.0.6 mod_perl/1.24_01
Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.0.6 mod_perl/1.24_01
Apache/1.3.22 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.5 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.1.2 mod_perl/1.24_01
Apache/1.3.23 (Unix)  (Red-Hat/Linux) mod_python/2.7.6 Python/1.5.2 mod_ssl/2.8.7 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26 mod_throttle/3.1.2
Apache/1.3.23 (Unix)  (Red-Hat/Linux) mod_python/2.7.6 Python/1.5.2 mod_ssl/2.8.7 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26 mod_throttle/3.1.2
Apache/1.3.23 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.7 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26
Apache/1.3.23 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.7 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26

Except for the three mentioned first, all the rest announce themselves
as Apache web servers that have known vulnerabilities, and OpenSSL
versions with same (they are not vulnerable if the vulnerabilities
have been patched).  I know nothing about the other modules they have
in common.

Several of the web servers just show the Apache Test Page when I visit
them in my browser.

Of course, this little sample need not mean anything.  But I find it
somewhat strange that all requests come from typical Unix/Linux
machines, of which most may have known vulnerabilities.

I'm still very curious as to what this li'l sumthin might be.  Why did
it start in October 2002 for my part (I have logs from February)?  Why
did it only visit my https-enabled domain?  Is it just another
favicon.ico, which stirred some people up some time ago when Microsoft
"invented" it?  Is it a GET-request sample from some book?  Is it an
unknown, slow-moving worm?  A scanner?  A manual exploit?  A
misspelling that suddenly got popular?  Hopefully, time will show.


Sverre.

-- 
shh () thathost com             Computer Geek?  Try my Nerd Quiz
http://shh.thathost.com/        http://nerdquiz.thathost.com/
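The tally Sverre describes (pull the /sumthin requests out of the access log, count distinct sources and repeat visitors, then group the Server banners the sources returned by product version) as an added, stand-alone example; this is not the author's code. The log lines are constructed, and the banner samples are a few of the values quoted in the post.

```python
import re
from collections import Counter

# Constructed Apache combined-format log lines (not the author's real logs):
# three hosts request /sumthin, one of them twice, plus one unrelated request.
ACCESS_LOG = """\
203.0.113.5 - - [12/Oct/2002:03:14:07 +0200] "GET /sumthin HTTP/1.0" 404 209 "-" "-"
198.51.100.9 - - [12/Oct/2002:09:01:44 +0200] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
198.51.100.9 - - [13/Oct/2002:09:02:10 +0200] "GET /sumthin HTTP/1.0" 404 209 "-" "-"
203.0.113.5 - - [02/Nov/2002:17:22:51 +0100] "GET /sumthin HTTP/1.0" 404 209 "-" "-"
192.0.2.77 - - [07/Jan/2003:22:40:03 +0100] "GET /sumthin HTTP/1.0" 404 209 "-" "-"
"""

# Server banners as quoted in the post (the sample, not the full list).
SAMPLE_BANNERS = [
    "Squid/2.4.STABLE7",
    "Apache/1.3.27 (Unix) PHP/4.3.0",
    "Apache/1.3.19 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01",
    "Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.0.6 mod_perl/1.24_01",
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def sumthin_hits(log_text, path="/sumthin"):
    """Return {source_ip: request_count} for requests whose path is exactly `path`."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("path") == path:
            hits[m.group("ip")] += 1
    return dict(hits)


def repeat_visitors(hits):
    """Sources that sent the request more than once (the post saw two of these)."""
    return sorted(ip for ip, n in hits.items() if n > 1)


def server_products(banner):
    """Split a Server header into (product, version) pairs.

    RFC 2616 banners are 'product/version' tokens separated by whitespace,
    with optional parenthesised comments such as '(Red-Hat/Linux)' that are
    not products, so the comments are dropped before tokenising.
    """
    no_comments = re.sub(r"\([^)]*\)", " ", banner)
    return [tuple(tok.partition("/")[::2]) for tok in no_comments.split()]


def tally_versions(banners, product):
    """Count how many banners advertise each version of `product`, e.g. 'OpenSSL'."""
    c = Counter(ver for b in banners for name, ver in server_products(b) if name == product)
    return dict(c)
```

`tally_versions(SAMPLE_BANNERS, "Apache")` gives the per-version breakdown the post reads off by eye; `tally_versions(..., "OpenSSL")` does the same for the library versions it worries about.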

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com