GET /sumthin DOS has crashed 3 boxes 2 times in last week

rpmws

Well-Known Member
Aug 14, 2001
1,822
9
318
back woods of NC, USA
Hi guys ..I need some help.

This isn't a cpanel issue but I can't find much on it. I get several sessions of this below from a hand full of IP's every day. Today I got hammered by 5 IP's at the same time. Crashed the box. My question ... has anyone else ceen this? every box I look into has this is the access_log. I have a list of about 30 IP's that have done this to us. I tried putting them in /etc/hosts.deny and rebooted. I also tried putting another box main IP in there just to test if I could connect from that machine. It didn't seem to work (I could still connect from that IP using SSH) . Is this method of blocking Ips' work? what do you suggest?


61.115.7.131 - - [10/Feb/2003:17:32:15 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:15 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:15 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:15 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:16 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:16 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:16 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:16 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:16 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:17 -0500] "GET /sumthin HTTP/1.0" 404 -
 
Last edited:
O

ozzi4648

Guest
Originally posted by rpmws
Hi guys ..I need some help.

This isn't a cpanel issue but I can't find much on it. I get several sessions of this below from a hand full of IP's every day. Today I got hammered by 5 IP's at the same time. Crashed the box. My question ... has anyone else ceen this? every box I look into has this is the access_log. I have a list of about 30 IP's that have done this to us. I tried putting them in /etc/hosts.deny and rebooted. I also tried putting another box main IP in there just to test if I could connect from that machine. It didn't seem to work (I could still connect from that IP using SSH) . Is this method of blocking Ips' work? what do you suggest?


61.115.7.131 - - [10/Feb/2003:17:32:15 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:15 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:15 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:15 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:16 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:16 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:16 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:16 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:16 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:17 -0500] "GET /sumthin HTTP/1.0" 404 -
Placing this ip in deny.hosts will not stop them. Don't you have a firewall? I hope for your sake you do because you can simply plop the ip 61.115.7.0 into your firewall and the rest is all she wrote.
 
Last edited by a moderator:

rpmws

Well-Known Member
Aug 14, 2001
1,822
9
318
back woods of NC, USA
I know you do ..everyone does. But the returned apache info may be stored and used later for exploits. My servers have completely become non responsive right after these hits. Not every time but 3 times now on more than one box and the last time 2 boxes together ..same IP's waer hitting both machines.

SF articles maybe slapper from infected boxes but that's no worm in that thread above.
 
O

ozzi4648

Guest
http://www.dshield.org/pipermail/list/2002-December/001940.html

GET /sumthin
GET /sumthin HTTP/1.0" 404 1962 yoursitename.com "-" "-" "-"

This line started popping up in many access logs over the summer, and increased activity was reported in October. I'm assuming that this is generated by an automated scanner of some sort, but I haven't actually been able to confirm whether this is being done by a program or manually by specific individuals.

Regardless, this is an information gathering technique. The "/sumthin" is used to intentionally trigger a 404 error. If you haven't modified your 404 page (you can find instructions to do so here), or if a hacker telnets to your HTTP port and sends this GET request, this will reveal information about your Web Server type, Version and OS. If you are running an Apache server, add these lines to your httpd.conf file to prevent the server from disclosing this information:



ServerTokens ProductOnly
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (error documents, FTP directory listings,
# mod_status and mod_info output etc., but not CGI generated documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
ServerSignature Off

Something else i found.
 
Last edited by a moderator:

taivu

Well-Known Member
Nov 22, 2001
65
0
306
I started seeing these "sumthin" requests in November. I simply did:

touch /usr/local/apache/htdocs/sumthin

which created a 0 byte file in the webroot of the server. Now instead of 404 they get 200:

200.195.96.61 - - [13/Feb/2003:23:22:21 +0100] "GET /sumthin HTTP/1.0" 200 0

Seems like that makes them move on, since I don't get any more hits from that same IP after the inicial 4 probes (checked logs since November). Naturally I have also set ServerTokens to "ProductOnly" and ServerSignature to "Off".
 

rpmws

Well-Known Member
Aug 14, 2001
1,822
9
318
back woods of NC, USA
Has anyone else seen these bastards crash a rack of servers, or at least a hand full at the same time? Or have your crashes happened and no one has figured out why? I had this happen 3 times now and I ignored the first 2 becuase I was just happy to get the box back up. This last time it crashed 3 machines on the same noc .. different hardware and all.

BTW I have servertokens off always have. I know for a fact that this same guy (server) has had to crash atleast a couple of other boxes out there.

My symptoms are basically non responsive server that only returns pings. Chkservd doesn't fix it.
 

Website Rob

Well-Known Member
Mar 23, 2002
1,504
1
318
Alberta, Canada
cPanel Access Level
Root Administrator
Great thread everyone!

I made a post a few months ago at WHT about this very thing, unfortunately no one replied. I too, had seen an increase on this 'sumthin' search and thought perhaps it was a precurser to DDoS or some other type Virus.

In checking my httpd.conf file I noticed:

ServerTokens ProductOnly << no mention of this so added it in
ServerSignature On << default setting so changed to Off

My question though, is using 'touch /usr/local/apache/htdocs/sumthin' going to work for "all" accounts -- which are always checked -- or would using Nick's suggestion be better to cover every account on the Server?
 

Website Rob

Well-Known Member
Mar 23, 2002
1,504
1
318
Alberta, Canada
cPanel Access Level
Root Administrator
No, just the 'touch' command.

Then you need to edit your httpd.conf file and scroll (way down) till you see:

NameVirtualHost xx.xx.xx.xx:80 << your main Server IP
Alias /bandwidth/ /usr/local/bandmin/htdocs/
Alias /sumthin /usr/local/apache/htdocs/blankfile << add it here

Decided to answer my own question and figure that edit should grab "all" of the 'sumthin' requests. Feel free to correct if not so.
 

xsenses

Well-Known Member
Aug 29, 2002
233
0
166
Huntington Beach, Ca
I changed 2 things and it now works:
1. I moved it down under the main virtual host entry
2. I think I was entring sumthin/usr rather than sumthin /usr (space)