Security Incidents: RE: HTTP attack looking for /sumthin ?

Security Incidents mailing list archives

RE: HTTP attack looking for /sumthin ?

From: "Beckett, Josh" <JBeckett () enviance com>
Date: Thu, 17 Oct 2002 12:39:27 -0700

My first thought on this was a Bot or spider, but after running the
source IP's through the ol' whois routine, I came up with one sourced
out of a UK ISP and the other from a University.

I'd agree with one of the previous statement's that it's some sort of
scanner/recon tool looking for error codes and server vulns.

-----Original Message-----
From: cory [mailto:loon () loadedpenguin com] 
Sent: Thursday, October 17, 2002 10:56 AM
To: jmaywood1975 () hushmail com; incidents () securityfocus com
Subject: Re: HTTP attack looking for /sumthin ?


I have seen this on our servers, starting Oct 12 with 213.165.144.xxx 
(only one ip) and then again on the 15th from 194.236.60.xxx (also one 
ip) .

Each time they hit they sent 5 to 6 attempts within one second, all 
looking in the same place.

213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0"

404 1086 "-" "-"
213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0"

404 1086 "-" "-"
213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0"

404 1086 "-" "-"
213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0"

404 1086 "-" "-"
213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0"

404 1086 "-" "-"
(6 times in all.)

All logs look identical to your post.
What do we have here ?

cheers,
cory




jmaywood1975 () hushmail com wrote:

Does anyone have any ideas what attack this might be?

Below shows 4 seperate potential attacks by 3 different hosts, this is

all the activity in my logs for those three hosts, nothing more anywhere
related to those three ip address.


It starts with a request for the directory /sumthin
maybe tries a header exploit by sending a VERSION method?
and connects ssl.




------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

By Date By Thread

Current thread:

RE: HTTP attack looking for /sumthin ?, (continued)
- RE: HTTP attack looking for /sumthin ? Esler, Joel (Oct 17)
- Re: HTTP attack looking for /sumthin ? Johnny Calhoun (Oct 17)
  - Re: HTTP attack looking for /sumthin ? Patrick Oonk (Oct 18)
    - Re: HTTP attack looking for /sumthin ? Hugo van der Kooij (Oct 18)
- Re: HTTP attack looking for /sumthin ? Fred Williams (Oct 17)
- RE: HTTP attack looking for /sumthin ? Beckett, Josh (Oct 17)