Re: /sumthin Revisited

From: Sverre H. Huseby <shh(at)thathost.com>
Date: Tue Jan 07 2003 - 17:12:23 EST

I'm adding some info to my previous reply:

I queried the Server header of the 30 different IPs (only two have visited me twice) that have sumthin'ed me since 2002-10-12. 21 of them replied as follows, the rest didn't respond:

Squid/2.4.STABLE7
Squid/2.4.STABLE7
Apache/1.3.27 (Unix) PHP/4.3.0

Apache-AdvancedExtranetServer/1.3.19 (Linux-Mandrake/3mdk) mod_ssl/2.8.2 OpenSSL/0.9.6 PHP/4.0.4pl1
Apache-AdvancedExtranetServer/1.3.20 (Mandrake Linux/3mdk) mod_ssl/2.8.4 OpenSSL/0.9.6b PHP/4.0.6
Apache-AdvancedExtranetServer/1.3.22 (Mandrake Linux/10.2mdk) mod_ssl/2.8.5 OpenSSL/0.9.6b PHP/4.0.6
Apache-AdvancedExtranetServer/1.3.23 (Mandrake Linux/4mdk) tomcat/1.0 mod_ssl/2.8.7 OpenSSL/0.9.6c PHP/4.1.2 mod_jk/1.1.0
Apache/1.3.12 (Unix)  (Red Hat/Linux) mod_ssl/2.6.6 OpenSSL/0.9.5a DAV/1.0.1 PHP/4.0.1pl2 mod_perl/1.24
Apache/1.3.12 (Unix)  (Red Hat/Linux) mod_ssl/2.6.6 OpenSSL/0.9.5a PHP/4.0.1pl2 mod_perl/1.24
Apache/1.3.14 (Unix)  (Red-Hat/Linux) mod_ssl/2.7.1 OpenSSL/0.9.5a PHP/4.0.4pl1 mod_perl/1.24
Apache/1.3.19 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
Apache/1.3.19 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
Apache/1.3.19 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
Apache/1.3.19 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.0.6 mod_perl/1.24_01
Apache/1.3.20 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.0.6 mod_perl/1.24_01
Apache/1.3.22 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.5 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.1.2 mod_perl/1.24_01
Apache/1.3.23 (Unix)  (Red-Hat/Linux) mod_python/2.7.6 Python/1.5.2 mod_ssl/2.8.7 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26 mod_throttle/3.1.2
Apache/1.3.23 (Unix)  (Red-Hat/Linux) mod_python/2.7.6 Python/1.5.2 mod_ssl/2.8.7 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26 mod_throttle/3.1.2
Apache/1.3.23 (Unix) (Red-Hat/Linux) mod_ssl/2.8.7 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26
Apache/1.3.23 (Unix) (Red-Hat/Linux) mod_ssl/2.8.7 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2 mod_perl/1.26

Except for the three mentioned first, all the rest announce themselves as Apache web servers that have known vulnerabilities, and OpenSSL versions with same (they are not vulnerable if the vulnerabilities have been patched). I know nothing about the other modules they have in common.

Several of the web servers just show the Apache Test Page when I visit them in my browser.

Of course, this little sample need not mean anything. But I find it somewhat strange that all requests come from typical Unix/Linux machines, of which most may have known vulnerabilities.

I'm still very curious as to what this li'l sumthin might be. Why did it start in October 2002 for my part (I have logs from February)? Why did it only visit my https-enabled domain? Is it just another favicon.ico, which stirred some people up some time ago when Microsoft "invented" it? Is it a GET-request sample from some book? Is it an unknown, slow-moving worm? A scanner? A manual exploit? A misspelling that suddenly got popular? Hopefully, time will show.


Sverre.

-- 
shh@thathost.com		Computer Geek?  Try my Nerd Quiz
http://shh.thathost.com/	
http://nerdquiz.thathost.com/
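The analysis the post describes (pull the source IPs of "/sumthin" requests out of the access log, look at the Server header each source announces, and see which ones claim an Apache 1.3.x older than the newest one seen) can be scripted. The following is an added example written for this archive page; it is not code from the original post or from its author. The access-log lines are constructed (documentation-range IPs, Apache combined format), the three Server strings are copied from the list above, and the "older than 1.3.27" threshold is an assumption taken from the post's observation that all but the first three entries were older Apache builds. The optional HEAD-request helper uses only the standard library and is not exercised offline.

```python
import re
import http.client
from collections import Counter

# Constructed sample access-log lines (Apache combined format). The 203.0.113.x and
# 198.51.100.x addresses are documentation ranges, not sources actually observed.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [12/Oct/2002:03:14:01 +0100] "GET /sumthin HTTP/1.0" 404 287 "-" "-"',
    '198.51.100.9 - - [12/Oct/2002:09:22:45 +0100] "GET /index.html HTTP/1.1" 200 1042 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [03/Nov/2002:17:05:12 +0100] "GET /sumthin HTTP/1.0" 404 287 "-" "-"',
    '203.0.113.7 - - [19/Dec/2002:22:41:09 +0100] "GET /sumthin HTTP/1.0" 404 287 "-" "-"',
]

# Three Server header strings quoted from the post above.
SAMPLE_SERVER_HEADERS = [
    "Squid/2.4.STABLE7",
    "Apache/1.3.27 (Unix) PHP/4.3.0",
    "Apache/1.3.19 (Unix)  (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01",
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def sumthin_sources(lines, path="/sumthin"):
    """Return {client_ip: hit_count} for every client that requested `path`."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("path") == path:
            hits[m.group("ip")] += 1
    return dict(hits)


# product/version tokens such as Apache/1.3.19, mod_perl/1.24_01, Squid/2.4.STABLE7
TOKEN_RE = re.compile(r'([A-Za-z][\w.-]*)/([\w.]+)')


def parse_server_header(value):
    """Split a Server header into [(product, version), ...].

    Parenthesised comments such as "(Unix)" or "(Red-Hat/Linux)" are dropped first so
    that the "/" inside them is not mistaken for a product/version separator.
    """
    stripped = re.sub(r'\([^)]*\)', ' ', value)
    return TOKEN_RE.findall(stripped)


def version_tuple(version):
    """Leading numeric components of a version string: '1.3.19' -> (1, 3, 19).

    Stops at the first non-numeric component, so '2.4.STABLE7' -> (2, 4) and
    '4.0.4pl1' -> (4, 0, 4).
    """
    parts = []
    for piece in version.split("."):
        m = re.match(r'\d+', piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def flag_old_apache(header, minimum=(1, 3, 27)):
    """True if the header announces an Apache build older than `minimum`.

    The default threshold is an assumption for this example (1.3.27 is the newest
    Apache version in the post's list); it says nothing about actual patch state,
    since a vendor build may carry back-ported fixes under an old version string.
    """
    for product, version in parse_server_header(header):
        if product.startswith("Apache"):
            return version_tuple(version) < minimum
    return False


def summarise(headers):
    """Count how many header strings mention each product (Apache, OpenSSL, ...)."""
    counts = Counter()
    for header in headers:
        for product in {p for p, _ in parse_server_header(header)}:
            counts[product] += 1
    return dict(counts)


def fetch_server_header(host, port=80, timeout=5):
    """Issue HEAD / against a host and return its Server header, or None on failure.

    Standard-library only; not called by the offline demo below.
    """
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Server")
    except (OSError, http.client.HTTPException):
        return None


if __name__ == "__main__":
    for ip, n in sorted(sumthin_sources(SAMPLE_ACCESS_LOG).items()):
        print(f"{ip:<16} {n} request(s) for /sumthin")
    for header in SAMPLE_SERVER_HEADERS:
        print(f"old Apache: {str(flag_old_apache(header)):<5}  {header}")
    print(summarise(SAMPLE_SERVER_HEADERS))
```

Running the script lists the two constructed source addresses (one of them seen twice, as in the post), flags only the Apache/1.3.19 string, and shows two of the three headers mentioning Apache. In practice the header strings would be gathered with `fetch_server_header()` for each address returned by `sumthin_sources()`, with the caveat noted in `flag_old_apache()` that a version string is a claim, not proof of an unpatched server.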

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com
Received on Tue Jan 7 17:27:50 2003
