
/sumthin Solved.

/sumthin requests in logs


noameppel

8:04 am on Jul 18, 2003 (gmt 0)




There are quite a few posts on here asking about "/sumthin" requests showing up in their logs.

A request would look similar to this:

123.456.789.10 - - [02/July/2003:01:50:50 -0600] "GET /sumthin HTTP/1.0" 404

I usually get one or two emails a week asking about what these requests do and what causes them...

The purpose of the request is to request a file which does not exist on your web server to see a 404 error page. A 404 error page usually contains information about the software running on the server.

You can test this out on your own web site:
1. Telnet into your site over port 80
(telnet example.com 80)
2. Type GET /sumthin HTTP/1.0 and press Enter twice.

In the result you might see a line similar to:

Server: Apache/1.3.27 (Unix) DAV/1.0.3 mod_bwlimited/1.0 PHP/4.3.1 mod_log_bytes/1.2 FrontPage/5.0.2.2510 mod_ssl/2.8.14 OpenSSL/0.9.6b

There are two known causes of this. Both are trojans/worms which are installed on compromised servers and used to automatically scan other machines. They are named:

1. httpver.c
2. ATD OpenSSL Mass Exploiter

If you receive any /sumthin requests in your Apache log, it is possible the originating IP is infected with one of those.

[edited by: littleman at 4:24 pm (utc) on July 18, 2003]
[edit reason] no sigs please [/edit]
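
A log check for the request pattern described in the post above, as an added example that is not part of the original post: it groups `/sumthin` requests in an Apache access log by source IP, with first and last seen times and the status codes returned. The function names and the sample log lines are constructed for illustration.

```python
import re
from datetime import datetime

# Apache common/combined log line. Anything after the status code is ignored
# because the line quoted in the post ends at the status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
PROBE_PATH = "/sumthin"

def parse_ts(ts):
    # Accept both "Jul" and the "July" spelling used in the post's sample line.
    for fmt in ("%d/%b/%Y:%H:%M:%S %z", "%d/%B/%Y:%H:%M:%S %z"):
        try:
            return datetime.strptime(ts, fmt)
        except ValueError:
            continue
    return None

def find_probes(lines):
    """Group /sumthin requests by source IP: count, first/last seen, statuses."""
    report = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if path != PROBE_PATH:
            continue
        entry = report.setdefault(
            m["ip"], {"count": 0, "first": None, "last": None, "statuses": set()})
        entry["count"] += 1
        entry["statuses"].add(int(m["status"]))
        ts = parse_ts(m["ts"])
        if ts:
            entry["first"] = min(entry["first"] or ts, ts)
            entry["last"] = max(entry["last"] or ts, ts)
    return report

# Constructed sample log lines (documentation address ranges, not real hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/July/2003:01:50:50 -0600] "GET /sumthin HTTP/1.0" 404',
    '192.0.2.10 - - [02/Jul/2003:01:50:52 -0600] "GET /sumthin HTTP/1.0" 404 278',
    '198.51.100.7 - - [02/Jul/2003:02:10:00 -0600] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [03/Jul/2003:09:00:01 -0600] "GET /sumthin HTTP/1.0" 404 278',
    '198.51.100.7 - - [03/Jul/2003:09:05:00 -0600] "GET /sumthing-else HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, e in sorted(find_probes(SAMPLE_LOG).items()):
        print(ip, e["count"], e["first"], e["last"], sorted(e["statuses"]))
```

To run it against a real log, pass an open file object to `find_probes` in place of `SAMPLE_LOG`.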
