Hosting Provided By

RE: /sumthin Revisited

From: Wolf, Glenn <glenn.wolf(at)we-inc.com>
Date: Mon Jan 06 2003 - 15:02:35 EST

groups.google.com is your friend:
http://lists.insecure.org/lists/incidents/2002/Oct/0161.html

Glenn

-----Original Message-----
From: Noam Eppel [mailto:noam@noameppel.com] Sent: Saturday, January 04, 2003 4:15 PM To: jmaywood1975@hushmail.com; keydet89@yahoo.com; bugtraq@cgisecurity.net; loon@loadedpenguin.com; EslerJ@RCERT-S.ARMY.MIL; jcalhoun@lurhq.com; A20FBW1@wpo.cso.niu.edu; the_ferg@hotmail.com; JBeckett@enviance.com; ksaj@penetrationtest.com
Cc: webappsec@securityfocus.com; incidents@securityfocus.com Subject: /sumthin Revisited

Okay, I will go on record saying the /sumthin mystery is concerning me ;-)

The original post is here:
Subject: HTTP attack looking for /sumthin ? Date: Oct 17 2002 4:55PM
Author: <jmaywood1975@hushmail.com>
http://online.securityfocus.com/archive/75/295738

Has anyone been able to track down what causes the /sumthin requests? I would
be interested to see if anyone has access to one of the computers sending out
the requests?

Also I am trying to collect logs of as many /sumthing requests as I can get my
hands on for further analysis. For those that can, please forward the related
logs to noam@noameppel.com!

Here are some more requests from the last few days to www.noameppel.com:

Do you need help?

216.230.142.50 - - [02/Jan/2003:01:29:52 -0600] "GET /sumthin HTTP/1.0" 404 640 "-" "-"
216.184.98.3 - - [02/Jan/2003:07:09:49 -0600] "GET /sumthin HTTP/1.0" 404 638 "-" "-"
applwi01-vlan485-106.dsl.tds.net - - [03/Jan/2003:17:20:52 - 0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-" 211.252.55.67 - - [03/Jan/2003:18:04:14 -0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-"
applwi01-vlan485-106.dsl.tds.net - - [04/Jan/2003:08:07:27 - 0600] "GET /sumthin HTTP/1.0" 404 639 "-" "-"

Cheers!

Noam Eppel
noam@noameppel.com
http://www.noameppel.com

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Tue Jan 7 15:25:38 2003

This message: [ Message body ]
Next message: Chris Norris: "Re: /sumthin Revisited"
Previous message: Adam Bultman: "Re: Root password changed"
Maybe in reply to: Noam Eppel: "/sumthin Revisited"
Reply: Chris Norris: "Re: /sumthin Revisited"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:55 EDT