From: "Lewis Watson"
Date: Fri, 28 Mar 2003 19:45:50 -0600
Subject: Re: [users@httpd] "sumthin" attack?

> On Fri, 28 Mar 2003, Bob Ramsey wrote:
>
> > I noticed log entries looking for "/sumthin" and more that are GETting
> > other websites. When I googled for info, there wasn't much, just that it
> > may be an attack of some kind. Does anyone have any more information or
> > ways to check and see if I've been owned?
> >
> > Here are some of the log entries:
> >
> > 66.20.8.223 - - [26/Mar/2003:20:12:32 -0600] "GET /sumthin HTTP/1.0" 404 302 "-" "-"
> > 151.200.168.66 - - [27/Mar/2003:02:45:20 -0600] "GET http://www.s3.com/ HTTP/1.1" 200 14498 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
> > 62.101.125.229 - - [27/Mar/2003:14:04:27 -0600] "GET /sumthin HTTP/1.0" 404 302 "-" "-"
> > 61.170.234.48 - - [28/Mar/2003:07:30:33 -0600] "GET http://www.intel.com/ HTTP/1.1" 200 14498 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"
> > 61.197.201.21 - - [28/Mar/2003:15:49:18 -0600] "GET /sumthin HTTP/1.0" 404 302 "-" "-"

Looks like I have sumthin/ in my logs too. That's pretty freaky. I have
noticed it for a couple of months now. It returns a 404 error...

Lewis

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
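An added example, not part of the original thread: a small triage script for the two request patterns in the quoted log (hits on `/sumthin`, and requests whose target is a full `http://` URL), run over constructed sample lines modelled on those entries. The function name `triage`, the sample client addresses and the same-size heuristic are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Apache common/combined log prefix: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample modelled on the entries quoted in the thread
# (documentation-range client addresses; the last line is an ordinary request).
SAMPLE_LOG = '''\
192.0.2.10 - - [26/Mar/2003:20:12:32 -0600] "GET /sumthin HTTP/1.0" 404 302 "-" "-"
198.51.100.7 - - [27/Mar/2003:02:45:20 -0600] "GET http://www.s3.com/ HTTP/1.1" 200 14498 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
203.0.113.5 - - [28/Mar/2003:07:30:33 -0600] "GET http://www.intel.com/ HTTP/1.1" 200 14498 "-" "Mozilla/5.0 (compatible; MSIE 5.01; Win2000)"
192.0.2.44 - - [28/Mar/2003:15:49:18 -0600] "GET /sumthin HTTP/1.0" 404 302 "-" "-"
192.0.2.80 - - [28/Mar/2003:16:02:11 -0600] "GET /index.html HTTP/1.1" 200 14498 "-" "Mozilla/4.0"
'''

def triage(log_text, probe_paths=("/sumthin",)):
    """Separate probe-path hits from proxy-form (absolute-URI) requests."""
    probes, proxy_form = [], []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common/combined format
        host, target, status = m["host"], m["target"], int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        if "://" in target:
            # Absolute URI in the request line: the form a client sends to a proxy.
            proxy_form.append((host, urlsplit(target).hostname, status, size))
        elif target.split("?", 1)[0].rstrip("/") in probe_paths:
            probes.append((host, status))
    ok = [(h, s) for _, h, st, s in proxy_form if 200 <= st < 300]
    hosts = {h for h, _ in ok}
    sizes = {s for _, s in ok}
    # Heuristic (assumption): one identical body size for several different
    # foreign hosts suggests the server sent its own page instead of relaying.
    same_body = len(hosts) > 1 and len(sizes) == 1
    return {
        "probe_hits": probes,
        "probes_served": [p for p in probes if p[1] < 400],
        "proxy_form": proxy_form,
        "proxy_form_2xx_same_size": same_body,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

If the 2xx sizes differ from one target host to the next, check whether mod_proxy's `ProxyRequests` directive is enabled on the server.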