Security Incidents
mailing list archives
RE: HTTP attack looking for /sumthin ?
From: "Esler, Joel" <EslerJ () RCERT-S ARMY MIL>
Date: Thu, 17 Oct 2002 15:30:46 -0400
Looks like an automated scan, looking for active web servers. Are the IPs
sequential? How about on source? Are they sequentialized ports?
-----Original Message-----
From: cory [mailto:loon () loadedpenguin com]
Sent: Thursday, October 17, 2002 1:56 PM
To: jmaywood1975 () hushmail com; incidents () securityfocus com
Subject: Re: HTTP attack looking for /sumthin ?
I have seen this on our servers, starting Oct 12 with 213.165.144.xxx
(only one IP) and then again on the 15th from 194.236.60.xxx (also one
IP).
Each time they hit they sent 5 to 6 attempts within one second, all
looking in the same place.
213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"
213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"
213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"
213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"
213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"
(6 times in all.)
All logs look identical to your post.
What do we have here?
cheers,
cory
jmaywood1975 () hushmail com wrote:
Does anyone have any ideas what attack this might be?
Below shows 4 separate potential attacks by 3 different hosts, this is all
the activity in my logs for those three hosts, nothing more anywhere related
to those three IP addresses.
It starts with a request for the directory /sumthin
maybe tries a header exploit by sending a VERSION method?
and connects ssl.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------
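The burst pattern reported in this thread (5 to 6 identical 404 requests from one address within the same second) can be picked out of an access log mechanically. The following is an added example, not part of the original thread; the function name `find_bursts`, its thresholds and the 192.0.2.x sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Apache combined log format, the same layout as the lines quoted in the thread.
LINE_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def find_bursts(lines, min_hits=5, status="404"):
    """Return [(client, second, method, path, hits)] for every group of at
    least min_hits identical requests with this status logged in one second."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != status:
            continue  # skip unparseable lines and other status codes
        second = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        counts[(m["client"], second, m["method"], m["path"])] += 1
    return sorted(
        (client, second.isoformat(), method, path, hits)
        for (client, second, method, path), hits in counts.items()
        if hits >= min_hits
    )

# Constructed sample input (192.0.2.0/24 is a documentation address range).
SAMPLE = (
    ['192.0.2.10 - - [12/Oct/2002:05:40:01 -0500] '
     '"GET /sumthin HTTP/1.0" 404 1086 "-" "-"'] * 6
    + ['192.0.2.10 - - [12/Oct/2002:05:40:02 -0500] '
       '"GET /index.html HTTP/1.0" 200 512 "-" "-"',
       '192.0.2.77 - - [12/Oct/2002:05:41:10 -0500] '
       '"GET /favicon.ico HTTP/1.0" 404 1086 "-" "-"',
       'not an access log line']
)

if __name__ == "__main__":
    for burst in find_bursts(SAMPLE):
        print(burst)
```

Running the same function over logs from several servers and comparing the client and timestamp columns is one way to see whether a single source walked through neighbouring addresses.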