Security Incidents mailing list archives
Re: /sumthin Revisited
From: "Chris Norris" <cnorris () continental-microwave co uk>
Date: Tue, 7 Jan 2003 10:34:10 -0000
Maybe it's a port 80 scanner that captures banner info. Issuing GET /sumthin would 99.99% produce a 404 and some server info which could be added to a database. Apart from that I can't think of any reason why this request would be made! Chris Norris ----- Original Message ----- From: "Noam Eppel" <noam () noameppel com> To: <jmaywood1975 () hushmail com>; <keydet89 () yahoo com>; <bugtraq () cgisecurity net>; <loon () loadedpenguin com>; <EslerJ () RCERT-S ARMY MIL>; <jcalhoun () lurhq com>; <A20FBW1 () wpo cso niu edu>; <the_ferg () hotmail com>; <JBeckett () enviance com>; <ksaj () penetrationtest com> Cc: <webappsec () securityfocus com>; <incidents () securityfocus com> Sent: Sunday, January 05, 2003 12:14 AM Subject: /sumthin Revisited
Okay, I will go on record saying the /sumthin mystery is concerning me ;-) The original post is here: Subject: HTTP attack looking for /sumthin ? Date: Oct 17 2002 4:55PM Author: <jmaywood1975 () hushmail com> http://online.securityfocus.com/archive/75/295738 Has anyone been able to track down what causes the /sumthin requests? I
would
be interested to see if anyone has access to one of the computers sending
out
the requests? Also I am trying to collect logs of as many /sumthing requests as I can
get my
hands on for further analysis. For those that can, please forward the
related
logs to noam () noameppel com! Here are some more requests from the last few days to www.noameppel.com: 216.230.142.50 - - [02/Jan/2003:01:29:52 -0600] "GET /sumthin HTTP/1.0"
404
640 "-" "-" 216.184.98.3 - - [02/Jan/2003:07:09:49 -0600] "GET /sumthin HTTP/1.0" 404 638 "-" "-" applwi01-vlan485-106.dsl.tds.net - - [03/Jan/2003:17:20:52 - 0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-" 211.252.55.67 - - [03/Jan/2003:18:04:14 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-" applwi01-vlan485-106.dsl.tds.net - - [04/Jan/2003:08:07:27 - 0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-" Cheers! Noam Eppel noam () noameppel com http://www.noameppel.com --------------------------------------------------------------------------
--
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- /sumthin Revisited Noam Eppel (Jan 06)
- Re: /sumthin Revisited Chris Barford (Jan 07)
- Re: /sumthin Revisited Chris Norris (Jan 07)
- Re: /sumthin Revisited Sverre H. Huseby (Jan 07)
- RE: /sumthin Revisited Jonathan A. Zdziarski (Jan 07)
- RE: /sumthin Revisited Jonathan A. Zdziarski (Jan 07)
- Re: /sumthin Revisited Sverre H. Huseby (Jan 07)
- Re: /sumthin Revisited Michael Katz (Jan 07)
- Re: /sumthin Revisited noconflic (Jan 08)
- RE: /sumthin Revisited Jonathan A. Zdziarski (Jan 07)
- Re: /sumthin Revisited Sverre H. Huseby (Jan 07)
- <Possible follow-ups>
- RE: /sumthin Revisited Wolf, Glenn (Jan 07)
- RE: /sumthin Revisited Rob Keown (Jan 07)