GET /sumthin DOS has crashed 3 boxes 2 times in last week

[rpmws]

Hi guys ..I need some help.

This isn't a cpanel issue but I can't find much on it. I get several sessions of this below from a hand full of IP's every day. Today I got hammered by 5 IP's at the same time. Crashed the box. My question ... has anyone else ceen this? every box I look into has this is the access_log. I have a list of about 30 IP's that have done this to us. I tried putting them in /etc/hosts.deny and rebooted. I also tried putting another box main IP in there just to test if I could connect from that machine. It didn't seem to work (I could still connect from that IP using SSH) . Is this method of blocking Ips' work? what do you suggest?


61.115.7.131 - - [10/Feb/2003:17:32:15 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:15 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:15 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:15 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:16 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:16 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:16 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:16 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:16 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:17 -0500] "GET /sumthin HTTP/1.0" 404 -

 

[ozzi4648]

Originally posted by rpmws
Hi guys ..I need some help.

This isn't a cpanel issue but I can't find much on it. I get several sessions of this below from a hand full of IP's every day. Today I got hammered by 5 IP's at the same time. Crashed the box. My question ... has anyone else ceen this? every box I look into has this is the access_log. I have a list of about 30 IP's that have done this to us. I tried putting them in /etc/hosts.deny and rebooted. I also tried putting another box main IP in there just to test if I could connect from that machine. It didn't seem to work (I could still connect from that IP using SSH) . Is this method of blocking Ips' work? what do you suggest?


61.115.7.131 - - [10/Feb/2003:17:32:15 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:15 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:15 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:15 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:16 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:16 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:16 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:16 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:16 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:17 -0500] "GET /sumthin HTTP/1.0" 404 -

Placing this ip in deny.hosts will not stop them. Don't you have a firewall? I hope for your sake you do because you can simply plop the ip 61.115.7.0 into your firewall and the rest is all she wrote.

 

[rpmws]

yes we do and I have about 200 IPs in there already .. problem i keep getting this from new IP's.

Just saw this.
http://online.securityfocus.com/archive/75/309924

scaring the %$#@ out of me.

 

[ozzi4648]

Originally posted by rpmws
yes we do and I have about 200 IPs in there already .. problem i keep getting this from new IP's.

Just saw this.
http://online.securityfocus.com/archive/75/309924

scaring the %$#@ out of me.

If it makes you happy i get sumthin logs daily but not that many. So let me read that link.

 

[rpmws]

I know you do ..everyone does. But the returned apache info may be stored and used later for exploits. My servers have completely become non responsive right after these hits. Not every time but 3 times now on more than one box and the last time 2 boxes together ..same IP's waer hitting both machines.

SF articles maybe slapper from infected boxes but that's no worm in that thread above.

 

[ozzi4648]

http://www.dshield.org/pipermail/list/2002-December/001940.html

GET /sumthin
GET /sumthin HTTP/1.0" 404 1962 yoursitename.com "-" "-" "-"

This line started popping up in many access logs over the summer, and increased activity was reported in October. I'm assuming that this is generated by an automated scanner of some sort, but I haven't actually been able to confirm whether this is being done by a program or manually by specific individuals.

Regardless, this is an information gathering technique. The "/sumthin" is used to intentionally trigger a 404 error. If you haven't modified your 404 page (you can find instructions to do so here), or if a hacker telnets to your HTTP port and sends this GET request, this will reveal information about your Web Server type, Version and OS. If you are running an Apache server, add these lines to your httpd.conf file to prevent the server from disclosing this information:



ServerTokens ProductOnly
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (error documents, FTP directory listings,
# mod_status and mod_info output etc., but not CGI generated documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
ServerSignature Off

Something else i found.

 

[taivu]

I started seeing these "sumthin" requests in November. I simply did:

touch /usr/local/apache/htdocs/sumthin

which created a 0 byte file in the webroot of the server. Now instead of 404 they get 200:

200.195.96.61 - - [13/Feb/2003:23:22:21 +0100] "GET /sumthin HTTP/1.0" 200 0

Seems like that makes them move on, since I don't get any more hits from that same IP after the inicial 4 probes (checked logs since November). Naturally I have also set ServerTokens to "ProductOnly" and ServerSignature to "Off".

 

[silvernetuk]

Hi

So is this the way to go ?

Originally posted by taivu
touch /usr/local/apache/htdocs/sumthin

Also what is this ServerSignature do ?

Naturally I have also set ServerTokens to "ProductOnly" and ServerSignature to "Off".

Regards,
Garry

 

[taivu]

Originally posted by silvernetuk
So is this the way to go ?

Creating an empty file cannot hurt anyone, can it

Also what is this ServerSignature do ?

http://httpd.apache.org/docs/mod/core.html#serversignature

 

[rpmws]

Has anyone else seen these bastards crash a rack of servers, or at least a hand full at the same time? Or have your crashes happened and no one has figured out why? I had this happen 3 times now and I ignored the first 2 becuase I was just happy to get the box back up. This last time it crashed 3 machines on the same noc .. different hardware and all.

BTW I have servertokens off always have. I know for a fact that this same guy (server) has had to crash atleast a couple of other boxes out there.

My symptoms are basically non responsive server that only returns pings. Chkservd doesn't fix it.

 

[cPanelNick]

Try

touch /usr/local/apache/htdocs/blankfile
Alias /sumthin /usr/local/apache/htdocs/blankfile

 

[Website Rob]

Great thread everyone!

I made a post a few months ago at WHT about this very thing, unfortunately no one replied. I too, had seen an increase on this 'sumthin' search and thought perhaps it was a precurser to DDoS or some other type Virus.

In checking my httpd.conf file I noticed:

ServerTokens ProductOnly << no mention of this so added it in
ServerSignature On << default setting so changed to Off

My question though, is using 'touch /usr/local/apache/htdocs/sumthin' going to work for "all" accounts -- which are always checked -- or would using Nick's suggestion be better to cover every account on the Server?

 

[silvernetuk]

Hi,

Originally posted by bdraco
Try

touch /usr/local/apache/htdocs/blankfile
Alias /sumthin /usr/local/apache/htdocs/blankfile

so would I type both these at the ssh command line ?

Regards,
Garry

 

[Website Rob]

No, just the 'touch' command.

Then you need to edit your httpd.conf file and scroll (way down) till you see:

NameVirtualHost xx.xx.xx.xx:80 << your main Server IP
Alias /bandwidth/ /usr/local/bandmin/htdocs/
Alias /sumthin /usr/local/apache/htdocs/blankfile << add it here

Decided to answer my own question and figure that edit should grab "all" of the 'sumthin' requests. Feel free to correct if not so.

 

[dgbaker]

Nick's solution is server wide.

touch the file in an ssh session and add the alias to httpd.conf restart apache, now it is working for all sites.

 

[xsenses]

I just tried Nick's way and for some reason apache won't start when I add the Alias. I made sure the blank file was created any ideas?

 

[Website Rob]

Did you edit your httpd.conf file the way I suggested or ...?

 

[xsenses]

I added this: Alias /sumthin /usr/local/apache/htdocs/blankfile
at the top right under Alias /bandwidth/ /usr/local/bandmin/htdocs/

 

[dgbaker]

From ssh do

cd /usr/local/apache/bin
./apachectl configtest

That should tell what is wrong.

 

[xsenses]

I changed 2 things and it now works:
1. I moved it down under the main virtual host entry
2. I think I was entring sumthin/usr rather than sumthin /usr (space)