[sumthin]

GDHough mr6re9-mI4xJ4qlgtBiLUuM0BA3LQ at public.gmane.org
Sun Dec 14 11:15:04 UTC 2003


On Friday 12 December 2003 07:29, JoeHill wrote:
> On Fri, 12 Dec 2003 07:21:15 -0500
>
> GDHough <mr6re9-mI4xJ4qlgtBiLUuM0BA3LQ at public.gmane.org> wrote:
> > Jan 19 will be my Apache's one year birthday. In that time I've learned
> > much about running a webserver on Linux. One thing I've seen many times
> > over are GET's for /sumthin/. I don't GET it? Why /sumthin/ and not just
> > /? Is this a way to grab banners, 404's?
> >
> > Does anyone ever put something in /sumthin/?
>
I wanted to see what would happen if I honored requests for some of the 
winserver exploits. One example is I created the text file 
/scripts/nsiislog.dll. The text in the file is actually a record of all GET 
/scripts/nsiislog.dll requests. Once a week I grep | cat >> to this file.

I learned that most tools (worms) scanning for this file limit the bytes to 
12960-13068. I deduce that those who accepted the entire file were scanning 
manually with a user enabled keyboard.

So what harm can there be in setting an index.html inside /sumthin/? ;-)

I get far fewer requests for /sumthin/ than anything else I currently play 
with. I would like to explore the ramifications of utilizing this 
particularly regular request. I just wanted to see if there was sumthin to it 
before I create the index and special links. 

Thanks,
farmer6re9
 
> I was curious myself, so I did a little google.ca/linux and lo and behold:
>
> "This looks to be a banner grabbing attempt on your webservers.  A lot of
> scanners/worms will do this in an attempt to find out what type of web
> server you are running and compare it against a list of vulnerable servers
> for some particular exploit.  The "/sumthin" is placed within the GET
> command to trigger a 404 error, which in turn reveals valuable information
> about your server back to the requestor.  If the information returned by your
> server is useful to the scanner/worm you may see other exploits in the near
> future targeted towards your box."

-- 
Eating Crow is better with MyCrowSauce

--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
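The log-sifting the post describes (grep the access log for hits on the decoy path, then separate automated scanners from manual visitors by how many bytes they accept) can be written as a small classifier, shown here as an added example that is not code from the thread. The Apache combined-log lines are constructed, the hosts are made up, and the 12960-13068 byte window is the poster's own observation rather than a general rule.

```python
import re
# Constructed Apache combined-log lines imitating the probes the post
# describes; hosts and timestamps are made up, not taken from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Dec/2003:07:21:15 -0500] "GET /sumthin/ HTTP/1.0" 404 283 "-" "-"
192.0.2.11 - - [12/Dec/2003:07:22:01 -0500] "GET /scripts/nsiislog.dll HTTP/1.0" 200 13068 "-" "-"
192.0.2.12 - - [12/Dec/2003:07:25:44 -0500] "GET /scripts/nsiislog.dll HTTP/1.1" 200 41552 "-" "Mozilla/5.0"
192.0.2.13 - - [12/Dec/2003:07:30:09 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Dec/2003:07:31:15 -0500] "GET /sumthin/ HTTP/1.0" 404 283 "-" "-"
"""
PROBE_PATHS = {"/sumthin/", "/scripts/nsiislog.dll"}   # probe targets named in the post
# Byte window the post reports for automated nsiislog.dll readers; larger
# transfers it attributes to someone fetching the decoy file by hand.
WORM_BYTES = range(12960, 13069)
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<bytes>\d+|-)')

def parse_line(line):
    # Return host, method, path, status and byte count, or None if the line does not parse.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def classify(rec):
    # Label a parsed record: benign, probe_404, worm_fetch or manual_fetch.
    if rec["path"] not in PROBE_PATHS:
        return "benign"
    if rec["status"] == 404:
        return "probe_404"      # request for a missing path; the 404 body is the banner
    if rec["bytes"] in WORM_BYTES:
        return "worm_fetch"     # read cut off inside the window the post observed
    return "manual_fetch"       # whole decoy file accepted

def summarize(log_text):
    # Count each label and collect the hosts that issued probes.
    counts, probe_hosts = {}, set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        counts[label] = counts.get(label, 0) + 1
        if label != "benign":
            probe_hosts.add(rec["host"])
    return counts, sorted(probe_hosts)
```

Feeding a real access log through `summarize` gives the same weekly tally the poster built by hand, plus the list of hosts worth watching for follow-up requests.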