There are quite a few posts on here asking about "/sumthin" requests showing up in their logs.
A request would look similar to this:
123.456.789.10 - - [02/July/2003:01:50:50 -0600] "GET /sumthin HTTP/1.0" 404
I usually get one or two emails a week asking what these requests do and what causes them...
The purpose of the request is to request a file which does not exist on your web server to see a 404 error page. A 404 error page usually contains information about the software running on the server.
You can test this out on your own web site:
1. Telnet into your site over port 80
(telnet example.com 80)
2. Type GET /sumthin HTTP/1.0 and press Enter twice.
In the result you might see a line similar to:
Server: Apache/1.3.27 (Unix) DAV/1.0.3 mod_bwlimited/1.0 PHP/4.3.1 mod_log_bytes/1.2 FrontPage/126.96.36.1990 mod_ssl/2.8.14 OpenSSL/0.9.6b
There are two known causes of this. Both are trojans/worms which are installed on compromised servers and used to automatically scan other machines. They are named:
2. ATD OpenSSL Mass Exploiter
If you receive any /sumthin requests in your apache log, it is possible that the originating IP is infected with one of those.
[edited by: littleman at 4:24 pm (utc) on July 18, 2003]
[edit reason] no sigs please [/edit]
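An added example, not part of the post above and not the poster's code, that does the two things the post describes without needing a live telnet session: it builds the same raw `GET /sumthin HTTP/1.0` request, pulls the `Server:` line out of a 404 response, and scans Apache access-log lines for the `/sumthin` requests the post says to look for. The helper names, the sample 404 response and the sample log lines are all constructed for the demo (the log IPs are documentation ranges, not real scanners); `probe()` is the only part that touches the network and is not exercised offline.

```python
"""Added example (not from the original post): reproduce the /sumthin check
offline and scan Apache access-log lines for it.

Assumptions (not from the post): the helper names below, the constructed
HTTP response and the constructed log lines are all invented for the demo.
"""
import re
import socket

SUMTHIN_PATH = "/sumthin"

# Enough of the Apache "common" log format to pull out client IP, request
# line and status code.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>\S+))?" (?P<status>\d{3})'
)


def build_request(host: str, path: str = SUMTHIN_PATH) -> bytes:
    """Build the raw HTTP/1.0 request the post tells you to type into telnet.

    HTTP/1.0 needs no Host header, which is why a scanner can fire it blindly
    at any IP; we add one anyway so name-based virtual hosts answer properly.
    """
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_status_and_server(raw: bytes):
    """Return (status_code, Server header or None) from a raw HTTP response."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else None
    server = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            server = value.strip()
            break
    return status, server


def probe(host: str, port: int = 80, timeout: float = 5.0):
    """Live version of the telnet step (not exercised offline): send the
    request, read the whole response and return (status, Server header)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(host))
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_status_and_server(b"".join(chunks))


def find_sumthin_requests(log_lines):
    """Return (client_ip, status) for each access-log line requesting /sumthin.

    The path is compared exactly, so /sumthinelse and the like are ignored.
    """
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if m and m.group("path") == SUMTHIN_PATH:
            hits.append((m.group("ip"), int(m.group("status"))))
    return hits


# Constructed sample 404 response, in the shape an Apache 1.3 server returns.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Date: Wed, 02 Jul 2003 07:50:50 GMT\r\n"
    b"Server: Apache/1.3.27 (Unix) mod_ssl/2.8.14 OpenSSL/0.9.6b\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body><h1>Not Found</h1></body></html>\r\n"
)

# Constructed access-log lines (documentation-range IPs, not real hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Jul/2003:01:50:50 -0600] "GET /sumthin HTTP/1.0" 404 291',
    '198.51.100.7 - - [02/Jul/2003:01:51:02 -0600] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.5 - - [02/Jul/2003:02:13:44 -0600] "GET /sumthin HTTP/1.0" 404 291',
    '203.0.113.5 - - [02/Jul/2003:02:13:45 -0600] "GET /sumthinelse HTTP/1.0" 404 291',
]

if __name__ == "__main__":
    print(build_request("example.com").decode())
    print(parse_status_and_server(SAMPLE_RESPONSE))
    print(find_sumthin_requests(SAMPLE_LOG))
```

The value of the banner to a scanner is the module and version list in the `Server:` header (and the footer on Apache's default 404 page); on Apache the `ServerTokens Prod` and `ServerSignature Off` directives cut that back to `Server: Apache` and a bare 404, so the probe still gets its 404 but learns nothing about which versions are running.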