
This is a discussion on Noam Eppel in the Shared & Semi-Dedicated forum

  1. #1
    JPC Member
    Join Date
    Jul 2003
    Location
    Canada
    Posts
    12

    /sumthin in Logs

    Many people are finding requests for a file called /sumthin in their Apache access log.

    A request would look similar to this:

    123.456.789.10 - - [02/July/2003:01:50:50 -0600] "GET /sumthin HTTP/1.0" 404

    I usually get one or two emails a week asking what these requests do and what causes them...

    The purpose of the request is to request a file which does not exist on your web server to see a 404 error page. A 404 error page usually contains information about the software running on the server.

    You can test this out on your own web site:
    1. Telnet into your site over port 80
    (telnet example.com 80)
    2. Type GET /sumthin HTTP/1.0 and press Enter twice.

    In the result you might see a line similar to:

    Server: Apache/1.3.27 (Unix) DAV/1.0.3 mod_bwlimited/1.0 PHP/4.3.1 mod_log_bytes/1.2 FrontPage/5.0.2.2510 mod_ssl/2.8.14 OpenSSL/0.9.6b

    There are two known causes of this. Both are trojans/worms which are installed on compromised servers and used to automatically scan other machines. They are named:

    1. httpver.c
    2. ATD OpenSSL Mass Exploiter

    If you receive any /sumthin requests in your Apache log, it is possible the originating IP is infected with one of those.
    Last edited by noam; 07-04-2003 at 12:52 AM.
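
An added example, not part of the original post: a Python script that scans Apache access-log lines for the /sumthin probe described above and reports, per source host, when it probed and what else that host requested. The function name and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache Common/Combined Log Format prefix: host ident user [time] "request" status
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>[^\s"]+)[^"]*" (?P<status>\d{3})'
)
PROBE_PATH = "/sumthin"

def summarize_probes(lines):
    """Map each host that requested /sumthin to its probe times and other requests."""
    by_host = defaultdict(lambda: {"probe_times": [], "other_requests": []})
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed or non-request lines
        # Ignore any query string and letter case when matching the probe path.
        path = m["path"].split("?", 1)[0].lower()
        entry = by_host[m["host"]]
        if path == PROBE_PATH:
            entry["probe_times"].append(m["time"])
        else:
            entry["other_requests"].append((m["method"], m["path"], int(m["status"])))
    # Keep only hosts that sent at least one probe.
    return {h: e for h, e in by_host.items() if e["probe_times"]}

# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [02/Jul/2003:01:50:50 -0600] "GET /sumthin HTTP/1.0" 404 279
192.0.2.10 - - [02/Jul/2003:01:50:52 -0600] "GET / HTTP/1.0" 200 1043
198.51.100.7 - - [02/Jul/2003:02:10:01 -0600] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - - [03/Jul/2003:11:00:00 -0600] "GET /sumthin HTTP/1.0" 404
""".splitlines()

if __name__ == "__main__":
    for host, info in summarize_probes(SAMPLE_LOG).items():
        print(host, "probed at", ", ".join(info["probe_times"]))
        for method, path, status in info["other_requests"]:
            print("   also requested:", method, path, status)
```

The "other requests" list is the part worth reading: it shows whether a probing host stopped at the banner check or went on to touch anything else on the server.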
