GDHough mr6re9-mI4xJ4qlgtBiLUuM0BA3LQ at public.gmane.org
Sun Dec 14 11:15:04 UTC 2003

On Friday 12 December 2003 07:29, JoeHill wrote:
> On Fri, 12 Dec 2003 07:21:15 -0500
> GDHough <mr6re9-mI4xJ4qlgtBiLUuM0BA3LQ at public.gmane.org> wrote:
> > Jan 19 will be my Apache's one year birthday. In that time I've learned
> > much about running a webserver on Linux. One thing I've seen many times
> > over are GET's for /sumthin/. I don't GET it? Why /sumthin/ and not just
> > /? Is this a way to grab banners, 404's?
> >
> > Does anyone ever put something in /sumthin/?
I wanted to see what would happen if I honored requests for some of the 
winserver exploits. One example is I created the text file 
/scripts/nsiislog.dll. The text in the file is actually a record of all GET 
/scripts/nsiislog.dll requests. Once a week I grep | cat >> to this file.

I learned that most tools (worms) scanning for this file limit the bytes to 
12960-13068. I deduce that those who accepted the entire file were scanning 
manually with a user enabled keyboard.

So what harm can there be in setting an index.html inside /sumthin/? ;-)

I get far fewer requests for /sumthin/ than anything else I currently play 
with. I would like to explore the ramifications of utilizing this 
particularly regular request. I just wanted to see if there was sumthin to it 
before I create the index and special links. 

> I was curious myself, so I did a little google.ca/linux and lo and behold:
> "This looks to be a banner grabbing attempt on your webservers.  Alot of
> scanners/worms will do this in an attempt to find out what type of web
> server you are running and compare it against a list of vulnerable servers
> for some particular exploit.  The `"/sumthin" is placed within the GET
> command to trigger a 404 error, which in turn reveals valuable information
> about your server back the requestor.  If the information returned by your
> server is useful to the scanner/worm you may see other exploits in the near
> future targeted towards your box."

Eating Crow is better with MyCrowSauce

The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml

More information about the Legacy mailing list