Re: HTTP attack looking for /sumthin ?

From: Fred Williams (A20FBW1@wpo.cso.niu.edu)
Date: 10/17/02


Date: Thu, 17 Oct 2002 16:20:43 -0500
From: "Fred Williams" <A20FBW1@wpo.cso.niu.edu>
To: <incidents@securityfocus.com>

I agree, this is probably a method used to assess server responses to
help identify both the type of server and how it is configured. I think
NGS had written about this in regard to IIS... yeah, here it is:
http://www.nextgenss.com/papers/iisrconfig.pdf

>>> zeno <bugtraq@cgisecurity.net> 10/17/02 12:55PM >>>
It is probably checking for server response, and error messages.
Probably some banner scanner of sorts....

- zeno
 

>
> Does anyone have any ideas what attack this might be?
>
> Below shows 4 separate potential attacks by 3 different hosts; this
> is all the activity in my logs for those three hosts, nothing more
> anywhere related to those three IP addresses.
>
> It starts with a request for the directory /sumthin,
> maybe tries a header exploit by sending a VERSION method?
> and connects over SSL.
>
> My googling and mailing list searches don't turn anything up about
> what this might be.
>
> Anyone else see these hits for the /sumthin directory or know what
> they might be?
>
> Sorry for the long lines of log and wrap.
>
> Cheers,
>
> -----------------------------------------------
> [philbo:/var/log/httpd] root# grep 205.221.242.1 *
> access_combined_log:205.221.242.1 - - [16/Oct/2002:16:14:23 -0400] "GET /sumthin HTTP/1.0" 404 201 "-" "-"
>
> access_log:205.221.242.1 - - [16/Oct/2002:16:14:23 -0400] "GET /sumthin HTTP/1.0" 404 201
>
> error_log:[Wed Oct 16 16:14:23 2002] [error] [client 205.221.242.1] File does not exist: /home/webserver/Documents/sumthin
>
> ssl_engine_log:[16/Oct/2002 16:14:23 26577] [info] Connection to child 4 established (server philbo.stonecruz.com:443, client 205.221.242.1)
>
> -------------------------------------------------
> [philbo:/var/log/httpd] root# grep 62.233.149.2 *
> access_combined_log:62.233.149.2 - - [10/Oct/2002:14:30:55 -0400] "GET /sumthin HTTP/1.0" 404 201 "-" "-"
>
> access_log:62.233.149.2 - - [10/Oct/2002:14:30:55 -0400] "GET /sumthin HTTP/1.0" 404 201
>
> error_log:[Thu Oct 10 14:30:55 2002] [error] [client 62.233.149.2] File does not exist: /home/webserver/Documents/sumthin
>
> ssl_engine_log:[10/Oct/2002 14:30:54 26572] [info] Connection to child 0 established (server philbo.stonecruz.com:443, client 62.233.149.2)
>
> ---------------------------------------------------
> [philbo:/var/log/httpd] root# grep 205.150.215.204 *
> access_combined_log:205.150.215.204 - - [10/Oct/2002:05:21:17 -0400] "GET /sumthin HTTP/1.0" 404 201 "-" "-"
>
> access_log:205.150.215.204 - - [01/Oct/2002:12:00:39 -0400] "VERSION" 501 -
>
> access_log:205.150.215.204 - - [10/Oct/2002:05:21:17 -0400] "GET /sumthin HTTP/1.0" 404 201
>
> error_log:[Tue Oct 1 12:00:39 2002] [error] [client 205.150.215.204] Invalid method in request VERSION
>
> error_log:[Thu Oct 10 05:21:17 2002] [error] [client 205.150.215.204] File does not exist: /home/webserver/Documents/sumthin
>
> ssl_engine_log:[01/Oct/2002 12:00:38 15149] [info] Connection to child 3 established (server philbo.stonecruz.com:443, client 205.150.215.204)
>
> ssl_engine_log:[10/Oct/2002 05:21:17 26575] [info] Connection to child 2 established (server philbo.stonecruz.com:443, client 205.150.215.204)
>
> Get your free encrypted email at https://www.hushmail.com
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
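The pattern the thread describes (a single request for a path that cannot exist, a bogus method answered with 501, no User-Agent) can be picked out of Apache access logs by grouping requests per client and flagging hosts whose entire footprint looks like a response-fingerprinting probe. The following is an added example, not code from any poster; the sample log embeds the thread's own lines plus one constructed ordinary visitor (192.0.2.10), and the probe-path list is an assumption seeded with /sumthin.

```python
import re
from collections import defaultdict

# Apache common/combined access_log line (referer and User-Agent optional).
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?$'
)

# "/sumthin" is the probe path from the thread; the set is an assumption.
PROBE_PATHS = {"/sumthin"}
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}

def parse_line(line):
    """Parse one access_log line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    parts = m.group("req").split()
    return {"ip": m.group("ip"),
            "method": parts[0] if parts else "",
            "path": parts[1] if len(parts) > 1 else "",
            "status": int(m.group("status")),
            "ua": m.group("ua") or "-"}

def is_probe(rec):
    """Bogus method (Apache answers 501), a known probe path, or a 404 with
    no User-Agent: the three signs visible in the thread's log excerpts."""
    return (rec["method"] not in HTTP_METHODS
            or rec["path"] in PROBE_PATHS
            or (rec["status"] == 404 and rec["ua"] == "-"))

def find_fingerprinting_hosts(lines):
    """Map each IP whose every request looks like a probe to its requests."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec["ip"]].append(rec)
    return {ip: [(r["method"], r["path"], r["status"]) for r in recs]
            for ip, recs in by_ip.items() if all(is_probe(r) for r in recs)}

# Constructed sample: the thread's three hosts plus an ordinary visitor
# (192.0.2.10, made up here) whose own 404 must not be flagged.
SAMPLE_LOG = """\
205.221.242.1 - - [16/Oct/2002:16:14:23 -0400] "GET /sumthin HTTP/1.0" 404 201 "-" "-"
62.233.149.2 - - [10/Oct/2002:14:30:55 -0400] "GET /sumthin HTTP/1.0" 404 201 "-" "-"
205.150.215.204 - - [01/Oct/2002:12:00:39 -0400] "VERSION" 501 -
205.150.215.204 - - [10/Oct/2002:05:21:17 -0400] "GET /sumthin HTTP/1.0" 404 201 "-" "-"
192.0.2.10 - - [10/Oct/2002:09:00:00 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2002:09:00:05 -0400] "GET /missing.gif HTTP/1.1" 404 201 "http://example.org/" "Mozilla/5.0"
""".splitlines()
```

Running `find_fingerprinting_hosts(SAMPLE_LOG)` returns the three probing hosts with their requests and leaves 192.0.2.10 out, because its 404 carries a referer and User-Agent and sits beside a normal 200.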
