Pantek Library

ATD OpenSSL Mass Exploiter Analysis (another "/sumthin" scan tool)

From: Joe Stewart <jstewart(at)lurhq.com>
Date: Mon Apr 07 2003 - 17:54:54 EDT


There have been several posts over the past few months inquiring about http requests with the fingerprint "GET /sumthin HTTP/1.0". One poster found source code and posted it here:
http://www.securityfocus.com/archive/75/313283/2003-02-23/2003-03-01/2

I have however come across a completely different tool that uses the same GET request. It may be a second version of the tool, but the package has some interesting properties, perhaps even a surprise for the script kiddies who are using it. It comes packaged as a set of binaries, so I have disassembled it and have posted an analysis here:

http://www.lurhq.com/atd.htm

-Joe

--

Joe Stewart, GCIH
Senior Intrusion Analyst
LURHQ Corporation
http://www.lurhq.com/

Received on Mon Apr 7 18:53:59 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:02 EDT

