Security Incidents mailing list archives
Re: HTTP attack looking for /sumthin ?
From: Patrick Oonk <patrick.oonk () pine nl>
Date: Fri, 18 Oct 2002 10:35:34 +0200
On Thu, Oct 17, 2002 at 07:37:29PM -0400, Johnny Calhoun wrote:
This looks to be a banner grabbing attempt on your webservers. Alot of scanners/worms will do this in an attempt to find out what type of web server you are running and compare it against a list of vulnerable servers for some particular exploit. The `"/sumthin" is placed within the GET command to
[root@calsys root]# telnet 127.0.0.1 80
Notice how it revealed the Web Server type, Version and OS it runs on.
Add the lines ServerTokens prod ServerSignature no to your Apache config (httpd.conf) to prevent the server from disclosing this information. -- Patrick Oonk - Pine Digital Security - patrick.oonk () pine nl T:+31-70-3111010 - F:+31-70-3111011 - Read news at http://security.nl PGPid A4E74BBF fp A7CF 7611 E8C4 7B79 CA36 0BFD 2CB4 7283 A4E7 4BBF Excuse of the day: User was distributing pornography on server; system seized by FBI. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- HTTP attack looking for /sumthin ? jmaywood1975 (Oct 17)
- Re: HTTP attack looking for /sumthin ? cory (Oct 17)
- Re: HTTP attack looking for /sumthin ? Scott C. Kennedy (Oct 17)
- Re: HTTP attack looking for /sumthin ? H C (Oct 17)
- <Possible follow-ups>
- Re: HTTP attack looking for /sumthin ? zeno (Oct 17)
- RE: HTTP attack looking for /sumthin ? Esler, Joel (Oct 17)
- Re: HTTP attack looking for /sumthin ? Johnny Calhoun (Oct 17)
- Re: HTTP attack looking for /sumthin ? Patrick Oonk (Oct 18)
- Re: HTTP attack looking for /sumthin ? Hugo van der Kooij (Oct 18)
- Re: HTTP attack looking for /sumthin ? Patrick Oonk (Oct 18)
- Re: HTTP attack looking for /sumthin ? Fred Williams (Oct 17)
- RE: HTTP attack looking for /sumthin ? Beckett, Josh (Oct 17)
- Re: HTTP attack looking for /sumthin ? cory (Oct 17)