RE: HTTP attack looking for /sumthin ? (security.incidents, msg#00167)
My first thought on this was a Bot or spider, but after running the source IPs through the ol' whois routine, I came up with one sourced out of a UK ISP and the other from a University. I'd agree with one of the previous statements that it's some sort of scanner/recon tool looking for error codes and server vulns.

-----Original Message-----
From: cory [mailto:loon@xxxxxxxxxxxxxxxxx]
Sent: Thursday, October 17, 2002 10:56 AM
To: jmaywood1975@xxxxxxxxxxxx; incidents@xxxxxxxxxxxxxxxxx
Subject: Re: HTTP attack looking for /sumthin ?

I have seen this on our servers, starting Oct 12 with 213.165.144.xxx (only one ip) and then again on the 15th from 194.236.60.xxx (also one ip). Each time they hit they sent 5 to 6 attempts within one second, all looking in the same place.

```
213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"
213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"
213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"
213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"
213.165.144.xxx - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"
```

(6 times in all.)

All logs look identical to your post. What do we have here?

cheers,
cory

jmaywood1975@xxxxxxxxxxxx wrote:

> Does anyone have any ideas what attack this might be?
>
> Below shows 4 separate potential attacks by 3 different hosts. This is all the activity in my logs for those three hosts, nothing more anywhere related to those three IP addresses.
>
> It starts with a request for the directory /sumthin,
> maybe tries a header exploit by sending a VERSION method?
> and connects ssl.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
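As an added example, not code from the thread or from any of its posters: the pattern cory describes (the same non-existent path requested five or six times within one second from a single source, with empty referer and user-agent fields) is easy to pick out of an Apache combined-format access log. The script below parses lines in that format and reports any source that hit the same missing path at least `min_hits` times inside a `window_seconds` window. The sample log lines are constructed (RFC 5737 documentation addresses rather than the IPs in the thread), and the function names and thresholds are assumptions, not anything the list or Apache provides.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format, the same layout as the lines posted in the thread:
# ip ident user [timestamp] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: six identical 404 probes for /sumthin in one second from
# one address, plus unrelated traffic that must not be reported.
SAMPLE_LOG = [
    '203.0.113.9 - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"',
    '203.0.113.9 - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"',
    '203.0.113.9 - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"',
    '203.0.113.9 - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"',
    '203.0.113.9 - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"',
    '203.0.113.9 - - [12/Oct/2002:05:40:01 -0500] "GET /sumthin HTTP/1.0" 404 1086 "-" "-"',
    '198.51.100.4 - - [12/Oct/2002:05:41:10 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed)"',
    '198.51.100.4 - - [12/Oct/2002:05:41:10 -0500] "GET /favicon.ico HTTP/1.1" 404 1086 "-" "Mozilla/5.0 (constructed)"',
    '198.51.100.4 - - [12/Oct/2002:05:48:30 -0500] "GET /favicon.ico HTTP/1.1" 404 1086 "-" "Mozilla/5.0 (constructed)"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # "%z" accepts the "-0500" style offset Apache writes.
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_probe_bursts(lines, min_hits=5, window_seconds=1.0, status=404):
    """Return (ip, path, first_seen, peak_count) for every source that requested
    the same path with the given status code at least min_hits times within any
    window of window_seconds. Unparseable lines are skipped."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != status:
            continue
        hits[(rec["ip"], rec["path"])].append(rec["ts"])

    bursts = []
    for (ip, path), stamps in sorted(hits.items()):
        stamps.sort()
        # Sliding window over the sorted timestamps: track the largest number of
        # hits that fall inside window_seconds of each other.
        peak, start = 0, 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_hits:
            bursts.append((ip, path, stamps[0], peak))
    return bursts


if __name__ == "__main__":
    for ip, path, first_seen, count in find_probe_bursts(SAMPLE_LOG):
        print(f"{ip} probed {path} {count} times starting {first_seen:%d/%b/%Y:%H:%M:%S}")
```

Run against a real access log, replace `SAMPLE_LOG` with the file's lines; the two `/favicon.ico` 404s in the sample are minutes apart and so fall below the threshold, which is the difference between ordinary broken links and the rapid-fire probe the thread is about.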