Security Incidents
mailing list archives
Re: HTTP attack looking for /sumthin ?
From: "Scott C. Kennedy" <sck () infosyscorp com>
Date: Thu, 17 Oct 2002 15:27:02 -0700
Odd, I have seen this only two times since Aug 31st on any of our servers,
both on Oct 13th.
At 10:06:27 AM for 11 secs, a GTE net DSL host 66.13.116.* probed 36 different
sites for this file.
And again at 15:34:42 for 9 secs, a host registered as 'www.*.com' in 209.98.111.*
also probed the same 36 sites.
I checked all sensors to see if these hosts had sent any other packets into
our network or were sent anything, and just got those HTTP connections
for "/sumthin"
Scott
cory wrote:
I have seen this on our servers, starting Oct 12 with 213.165.144.xxx
(only one ip) and then again on the 15th from 194.236.60.xxx (also one
ip).
jmaywood1975 () hushmail com wrote:
Does anyone have any ideas what attack this might be?
Below shows 4 separate potential attacks by 3 different hosts, this is all the activity in my logs for those three
hosts, nothing more anywhere related to those three ip addresses.
It starts with a request for the directory /sumthin
maybe tries a header exploit by sending a VERSION method?
and connects ssl.
Scott C. Kennedy
Lead Security Architect/ Director of Security
Infosys Corporation
Work: (877) 772-2347
PGP: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE27C1102
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
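Added example, not part of the original thread: one way to surface the pattern reported above (a single source requesting the same path, such as /sumthin, on many sites within seconds) from web server logs. The log layout (virtual host first, then Common Log Format), the function names, the thresholds and the sample data are assumptions constructed for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log layout: %v %h %l %u %t "%r" %>s %b (vhost first).
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+)[^"]*" \d{3} \S+'
)

def parse(line):
    """Return (src, path, vhost, timestamp) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["src"], m["path"], m["vhost"], ts

def find_sweeps(lines, min_sites=10, window=timedelta(seconds=30)):
    """List (src, path, n_sites, first, last) for same-path multi-site probes."""
    hits = defaultdict(list)
    for src, path, vhost, ts in filter(None, map(parse, lines)):
        hits[(src, path)].append((ts, vhost))
    sweeps = []
    for (src, path), events in hits.items():
        events.sort()
        start, best = 0, None
        for end in range(len(events)):
            # Slide the window so it never spans more than `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            sites = {v for _, v in events[start:end + 1]}
            if len(sites) >= min_sites and (best is None or len(sites) > best[0]):
                best = (len(sites), events[start][0], events[end][0])
        if best:
            sweeps.append((src, path, *best))
    return sorted(sweeps)

def constructed_sample():
    """Constructed data: 36 vhosts probed in 10 s, plus ordinary traffic."""
    base = datetime(2002, 10, 13, 10, 6, 27)
    fmt = '{} {} - - [{} -0700] "GET {} HTTP/1.0" {} 209'
    stamp = lambda t: t.strftime("%d/%b/%Y:%H:%M:%S")
    lines = [fmt.format(f"site{i:02d}.example", "192.0.2.10",
                        stamp(base + timedelta(seconds=i * 10 // 35)),
                        "/sumthin", 404) for i in range(36)]
    lines.append(fmt.format("site00.example", "198.51.100.7", stamp(base), "/", 200))
    lines.append(fmt.format("site01.example", "198.51.100.7", stamp(base), "/", 200))
    return lines
```

Calling `find_sweeps(constructed_sample())` reports only the 192.0.2.10 source; the two-site visitor stays below the `min_sites` threshold.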