Security Incidents mailing list archives
Re: /sumthin Revisited
From: "Sverre H. Huseby" <shh () thathost com>
Date: Tue, 7 Jan 2003 23:12:23 +0100
I'm adding some info to my previous reply: I queried the Server header of the 30 different IPs (only two have visited me twice) that have sumthin'ed me since 2002-10-12. 21 of them replied as follows, the rest didn't respond:

  Squid/2.4.STABLE7
  Squid/2.4.STABLE7
  Apache/1.3.27 (Unix) PHP/4.3.0
  Apache-AdvancedExtranetServer/1.3.19 (Linux-Mandrake/3mdk) mod_ssl/2.8.2 OpenSSL/0.9.6 PHP/4.0.4pl1
  Apache-AdvancedExtranetServer/1.3.20 (Mandrake Linux/3mdk) mod_ssl/2.8.4 OpenSSL/0.9.6b PHP/4.0.6
  Apache-AdvancedExtranetServer/1.3.22 (Mandrake Linux/10.2mdk) mod_ssl/2.8.5 OpenSSL/0.9.6b PHP/4.0.6
  Apache-AdvancedExtranetServer/1.3.23 (Mandrake Linux/4mdk) tomcat/1.0 mod_ssl/2.8.7 OpenSSL/0.9.6c PHP/4.1.2 mod_jk/1.1.0
  Apache/1.3.12 (Unix) (Red Hat/Linux) mod_ssl/2.6.6 OpenSSL/0.9.5a DAV/1.0.1 PHP/4.0.1pl2 mod_perl/1.24
  Apache/1.3.12 (Unix) (Red Hat/Linux) mod_ssl/2.6.6 OpenSSL/0.9.5a PHP/4.0.1pl2 mod_perl/1.24
  Apache/1.3.14 (Unix) (Red-Hat/Linux) mod_ssl/2.7.1 OpenSSL/0.9.5a PHP/4.0.4pl1 mod_perl/1.24
  Apache/1.3.19 (Unix) (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
  Apache/1.3.19 (Unix) (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
  Apache/1.3.19 (Unix) (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
  Apache/1.3.19 (Unix) (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
  Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.0.6 mod_perl/1.24_01
  Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.0.6 mod_perl/1.24_01
  Apache/1.3.22 (Unix) (Red-Hat/Linux) mod_ssl/2.8.5 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.1.2 mod_perl/1.24_01
  Apache/1.3.23 (Unix) (Red-Hat/Linux) mod_python/2.7.6 Python/1.5.2 mod_ssl/2.8.7 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26 mod_throttle/3.1.2
  Apache/1.3.23 (Unix) (Red-Hat/Linux) mod_python/2.7.6 Python/1.5.2 mod_ssl/2.8.7 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26 mod_throttle/3.1.2
  Apache/1.3.23 (Unix) (Red-Hat/Linux) mod_ssl/2.8.7 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26
  Apache/1.3.23 (Unix) (Red-Hat/Linux) mod_ssl/2.8.7 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26

Except for the three mentioned first, all the rest announce themselves as Apache web servers that have known vulnerabilities, and OpenSSL versions with same (they are not vulnerable if the vulnerabilities have been patched). I know nothing about the other modules they have in common. Several of the web servers just show the Apache Test Page when I visit them in my browser.

Of course, this little sample need not mean anything. But I find it somewhat strange that all requests come from typical Unix/Linux machines, of which most may have known vulnerabilities.

I'm still very curious as to what this li'l sumthin might be. Why did it start in October 2002 for my part (I have logs from February)? Why did it only visit my https-enabled domain? Is it just another favicon.ico, which stirred some people up some time ago when Microsoft "invented" it? Is it a GET-request sample from some book? Is it an unknown, slow-moving worm? A scanner? A manual exploit? A misspelling that suddenly got popular?

Hopefully, time will show.

Sverre.

--
shh () thathost com
Computer Geek? Try my Nerd Quiz
http://shh.thathost.com/
http://nerdquiz.thathost.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
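An added example, not from the post or the list: a small Python triage script that parses Server banners of the shape quoted above into product/version pairs, tallies them across a set of responders, and lists the banners whose Apache version falls below an analyst-supplied threshold. The embedded banners are a subset of those quoted in the post, and the 1.3.27 threshold is only the post's own dividing line, not a vulnerability claim.

```python
import re
from collections import Counter

# Sample input: a subset of the Server banners quoted in the post above,
# embedded so the script runs offline (constructed from the post's list).
BANNERS = [
    "Squid/2.4.STABLE7",
    "Apache/1.3.27 (Unix) PHP/4.3.0",
    "Apache-AdvancedExtranetServer/1.3.23 (Mandrake Linux/4mdk) tomcat/1.0 mod_ssl/2.8.7 OpenSSL/0.9.6c PHP/4.1.2 mod_jk/1.1.0",
    "Apache/1.3.12 (Unix) (Red Hat/Linux) mod_ssl/2.6.6 OpenSSL/0.9.5a DAV/1.0.1 PHP/4.0.1pl2 mod_perl/1.24",
    "Apache/1.3.19 (Unix) (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01",
    "Apache/1.3.19 (Unix) (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01",
    "Apache/1.3.23 (Unix) (Red-Hat/Linux) mod_python/2.7.6 Python/1.5.2 mod_ssl/2.8.7 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26",
]

COMMENT_RE = re.compile(r"\([^)]*\)")              # "(Unix)", "(Red-Hat/Linux)", ...
TOKEN_RE = re.compile(r"([A-Za-z][\w.-]*)/(\S+)")  # product/version pairs

def parse_banner(banner):
    """(product, version) pairs of a Server banner. Parenthesised comments are
    dropped first so "(Red-Hat/Linux)" is not taken for a product token."""
    return TOKEN_RE.findall(COMMENT_RE.sub(" ", banner))

def version_tuple(version):
    """Numeric dotted prefix as ints: "1.3.19" -> (1, 3, 19), "0.9.6b" -> (0, 9, 6).
    Suffixes (b, pl1, _01) are ignored; enough for the dotted Apache versions here."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()

def summarize(banners):
    """Count the leading server product of each banner and every product/version component."""
    families, components = Counter(), Counter()
    for banner in banners:
        pairs = parse_banner(banner)
        if pairs:
            families[pairs[0][0]] += 1
        components.update(f"{p}/{v}" for p, v in pairs)
    return families, components

def older_than(banners, product, minimum):
    """Banners advertising *product* below *minimum*; the threshold is the analyst's choice."""
    floor = version_tuple(minimum)
    return [b for b in banners
            if any(p == product and version_tuple(v) < floor for p, v in parse_banner(b))]

if __name__ == "__main__":
    families, components = summarize(BANNERS)
    print(dict(families), components.most_common(3))
    print([b.split()[0] for b in older_than(BANNERS, "Apache", "1.3.27")])
```

Note that `older_than` matches the product name exactly, so the Mandrake "Apache-AdvancedExtranetServer" banner is not counted as "Apache" unless you query that name too.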
Current thread:
- /sumthin Revisited Noam Eppel (Jan 06)
- Re: /sumthin Revisited Chris Barford (Jan 07)
- Re: /sumthin Revisited Chris Norris (Jan 07)
- Re: /sumthin Revisited Sverre H. Huseby (Jan 07)
- RE: /sumthin Revisited Jonathan A. Zdziarski (Jan 07)
- RE: /sumthin Revisited Jonathan A. Zdziarski (Jan 07)
- Re: /sumthin Revisited Sverre H. Huseby (Jan 07)
- Re: /sumthin Revisited Michael Katz (Jan 07)
- Re: /sumthin Revisited noconflic (Jan 08)
- RE: /sumthin Revisited Jonathan A. Zdziarski (Jan 07)
- Re: /sumthin Revisited Sverre H. Huseby (Jan 07)
- <Possible follow-ups>
- RE: /sumthin Revisited Wolf, Glenn (Jan 07)
- RE: /sumthin Revisited Rob Keown (Jan 07)