Hosting Provided By

Re: /sumthin Revisited

From: Sverre H. Huseby <shh(at)thathost.com>
Date: Tue Jan 07 2003 - 16:31:43 EST

| Maybe it's a port 80 scanner that captures banner info. Issuing

Yes, but you could just as well have obtained the info using "HEAD /", which wouldn't show up in the error_log.

The "GET /sumthin" is the fingerprint of something. A worm, a scanner or something (sumthin) completely harmless. I think Noam's goal is to find out what this fingerprint matches. And I'm quite curious myself, as I see it coming from many different IP addresses, and only for my SSL/TLS-enabled domain.

Sverre.

-- 
shh@thathost.com		Computer Geek?  Try my Nerd Quiz
http://shh.thathost.com/	
http://nerdquiz.thathost.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com

Received on Tue Jan 7 17:09:08 2003

This message: [ Message body ]
Next message: Johnson, April: "Possible google hack"
Previous message: Joe Kattner: "Re: Root password changed"
In reply to Chris Norris: "Re: /sumthin Revisited"
Next in thread: Jonathan A. Zdziarski: "RE: /sumthin Revisited"
Reply: Jonathan A. Zdziarski: "RE: /sumthin Revisited"
Reply: Jonathan A. Zdziarski: "RE: /sumthin Revisited"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:55 EDT