httpd-users mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject Re: [users@httpd] "sumthin" attack?
Date Sat, 29 Mar 2003 01:13:00 GMT

On Fri, 28 Mar 2003, Bob Ramsey wrote:

> I noticed log entries looking for "/sumthin" and more that are GETting
> other websites.  When I googled for info, there wasn't much, just that it
> may be an attack of some kind.  Does anyone have any more information or
> ways to check and see if I've been owned?
>
> Here are some of the log entries:
>
> 66.20.8.223 - - [26/Mar/2003:20:12:32 -0600] "GET /sumthin HTTP/1.0" 404
> 302 "-" "-"
> 151.200.168.66 - - [27/Mar/2003:02:45:20 -0600] "GET http://www.s3.com/
> HTTP/1.1" 200 14498 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
> 62.101.125.229 - - [27/Mar/2003:14:04:27 -0600] "GET /sumthin HTTP/1.0" 404
> 302 "-" "-"
> 61.170.234.48 - - [28/Mar/2003:07:30:33 -0600] "GET http://www.intel.com/
> HTTP/1.1" 200 14498 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"
> 61.197.201.21 - - [28/Mar/2003:15:49:18 -0600] "GET /sumthin HTTP/1.0" 404
> 302 "-" "-"

It could be someone trying to exploit your server, but it appears they
aren't succeeding (based on the file size being identical, I guess your
page is being returned).
See:
http://httpd.apache.org/docs/misc/FAQ.html#proxyscan

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
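
Added example, not part of the original thread: a small Python check that applies the reply's size heuristic to access-log lines, flagging requests whose target is an absolute URI for a foreign host and testing whether every successful one returned the same body size. The function names, the `own_hosts` parameter and the verdict strings are assumptions made for this illustration; the sample lines are the ones from the quoted post with the mail wraps rejoined.

```python
import re
from urllib.parse import urlsplit

# Log lines from the quoted post, with the mail client's line wraps rejoined.
SAMPLE = [
    '66.20.8.223 - - [26/Mar/2003:20:12:32 -0600] "GET /sumthin HTTP/1.0" 404 302 "-" "-"',
    '151.200.168.66 - - [27/Mar/2003:02:45:20 -0600] "GET http://www.s3.com/ HTTP/1.1" '
    '200 14498 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"',
    '61.170.234.48 - - [28/Mar/2003:07:30:33 -0600] "GET http://www.intel.com/ HTTP/1.1" '
    '200 14498 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"',
]

# Common/combined log format: client, ident, user, [time], "METHOD target proto", status, bytes
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)(?: \S+)?" (\d{3}) (\d+|-)')

def proxy_probes(lines, own_hosts=()):
    """Return requests that name a foreign host (absolute URI or CONNECT)."""
    probes = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        ip, method, target, status, size = m.groups()
        host = urlsplit(target).hostname if "://" in target else None
        if method == "CONNECT":
            host = target.rsplit(":", 1)[0]
        if host and host.lower() not in own_hosts:
            probes.append({"ip": ip, "host": host.lower(), "status": int(status),
                           "size": 0 if size == "-" else int(size)})
    return probes

def assess(probes):
    """Apply the size heuristic from the reply to the successful probes."""
    ok = [p for p in probes if 200 <= p["status"] < 300]
    if not ok:
        return "refused"
    hosts = {p["host"] for p in ok}
    sizes = {p["size"] for p in ok}
    # Different foreign hosts, one identical body size: the server most likely
    # returned its own page each time instead of fetching the remote site.
    if len(hosts) > 1 and len(sizes) == 1:
        return "local-page-served"
    return "review"  # sizes differ or too few samples: check the proxy configuration

if __name__ == "__main__":
    found = proxy_probes(SAMPLE)
    for p in found:
        print(p)
    print(assess(found))
```

A "review" verdict only means the size comparison is inconclusive; the FAQ entry linked in the reply covers what to check next.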

