The Community Forums


GET /sumthin DOS has crashed 3 boxes 2 times in last week

Discussion in 'General Discussion' started by rpmws, Feb 24, 2003.

  1. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    Hi guys ..I need some help.

    This isn't a cPanel issue but I can't find much on it. I get several sessions of this below from a handful of IPs every day. Today I got hammered by 5 IPs at the same time. Crashed the box. My question ... has anyone else seen this? Every box I look into has this in the access_log. I have a list of about 30 IPs that have done this to us. I tried putting them in /etc/hosts.deny and rebooted. I also tried putting another box's main IP in there just to test if I could connect from that machine. It didn't seem to work (I could still connect from that IP using SSH). Does this method of blocking IPs work? What do you suggest?


    61.115.7.131 - - [10/Feb/2003:17:32:15 -0500] "GET /sumthin HTTP/1.0" 404 -
    61.115.7.131 - - [10/Feb/2003:17:32:15 -0500] "GET /sumthin HTTP/1.0" 404 -
    61.115.7.131 - - [10/Feb/2003:17:32:15 -0500] "GET /sumthin HTTP/1.0" 404 -
    61.115.7.131 - - [10/Feb/2003:17:32:15 -0500] "GET /sumthin HTTP/1.0" 404 -
    61.115.7.131 - - [10/Feb/2003:17:32:16 -0500] "GET /sumthin HTTP/1.0" 404 -
    61.115.7.131 - - [10/Feb/2003:17:32:16 -0500] "GET /sumthin HTTP/1.0" 404 -
    61.115.7.131 - - [10/Feb/2003:17:32:16 -0500] "GET /sumthin HTTP/1.0" 404 -
    61.115.7.131 - - [10/Feb/2003:17:32:16 -0500] "GET /sumthin HTTP/1.0" 404 -
    61.115.7.131 - - [10/Feb/2003:17:32:16 -0500] "GET /sumthin HTTP/1.0" 404 -
    61.115.7.131 - - [10/Feb/2003:17:32:17 -0500] "GET /sumthin HTTP/1.0" 404 -
     
    #1 rpmws, Feb 24, 2003
    Last edited: Feb 24, 2003
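    On the blocking question in the post above: /etc/hosts.deny is read by tcp_wrappers, which only governs daemons linked against libwrap or started through tcpd, and Apache is neither, so entries there never affect HTTP traffic; that has to be done in a packet filter. The script below is an added example (Python, not code from this thread or from cPanel) of the triage a practitioner would do first: parse access_log lines in the format shown, flag clients that fire a burst of /sumthin requests, aggregate them into /24s and emit iptables rules to review. The log lines are constructed from the excerpt above plus two made-up hosts in the 192.0.2.0/24 documentation range; the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed sample, modelled on the access_log excerpt in the post (Apache common log
# format). The 61.115.7.131 lines mirror the burst shown above; the other two hosts are
# made up (192.0.2.0/24 is a documentation range) to give the detector something to ignore.
SAMPLE_LOG = """\
61.115.7.131 - - [10/Feb/2003:17:32:15 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:15 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:15 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:15 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:16 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:16 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:16 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:16 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:16 -0500] "GET /sumthin HTTP/1.0" 404 -
61.115.7.131 - - [10/Feb/2003:17:32:17 -0500] "GET /sumthin HTTP/1.0" 404 -
192.0.2.10 - - [10/Feb/2003:17:40:02 -0500] "GET /index.html HTTP/1.1" 200 1234
192.0.2.10 - - [10/Feb/2003:17:40:05 -0500] "GET /sumthin HTTP/1.0" 404 -
192.0.2.77 - - [10/Feb/2003:18:01:09 -0500] "GET /sumthin HTTP/1.0" 404 -
"""

# Common log format: host ident user [time] "request" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict for a well-formed line, or None so one bad line cannot abort a whole log."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_probe_bursts(lines, path="/sumthin", threshold=5, window_s=10):
    """Map ip -> (total hits for `path`, first seen, last seen) for every client that sent
    at least `threshold` requests for `path` inside some `window_s`-second window.
    The threshold and window are assumptions; tune them to your own traffic."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == path:
            by_ip[rec["ip"]].append(rec["ts"])
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                bursts[ip] = (len(times), times[0], times[-1])
                break
    return bursts


def aggregate_to_networks(ips, prefix=24):
    """Group offending addresses by /prefix, the granularity ozzi4648 suggests for the firewall."""
    nets = defaultdict(list)
    for ip in ips:
        nets[str(ip_network(f"{ip}/{prefix}", strict=False))].append(ip)
    return {net: sorted(hosts) for net, hosts in nets.items()}


def firewall_rules(nets):
    """Render iptables DROP rules for the aggregated networks; print, review, then apply by hand."""
    return [f"iptables -I INPUT -s {net} -j DROP" for net in sorted(nets)]


if __name__ == "__main__":
    bursts = find_probe_bursts(SAMPLE_LOG.splitlines())
    for ip, (n, first, last) in bursts.items():
        print(f"{ip}: {n} x /sumthin between {first:%H:%M:%S} and {last:%H:%M:%S}")
    for rule in firewall_rules(aggregate_to_networks(bursts)):
        print(rule)
```

    Run it against the real file with `find_probe_bursts(open("/usr/local/apache/logs/access_log"))`. The burst test matters more than the raw count: a single /sumthin from a host is the ordinary background noise taivu and ozzi4648 describe, while ten in two seconds from one address is the pattern in the post, and only the latter should feed a block list. Blocking whole /24s, as suggested later in the thread, is a trade-off; the aggregation is there so you can see what else falls inside the range before committing to it.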
  2. ozzi4648

    ozzi4648 Guest

    Placing this IP in hosts.deny will not stop them. Don't you have a firewall? I hope for your sake you do, because you can simply plop the IP 61.115.7.0 into your firewall and the rest is all she wrote.
     
    #2 ozzi4648, Feb 24, 2003
    Last edited by a moderator: Feb 24, 2003
  3. rpmws

    rpmws Well-Known Member

  4. ozzi4648

    ozzi4648 Guest

    If it makes you happy, I get sumthin logs daily but not that many. So let me read that link.
     
  5. rpmws

    rpmws Well-Known Member

    I know you do ... everyone does. But the returned Apache info may be stored and used later for exploits. My servers have completely become non-responsive right after these hits. Not every time, but 3 times now on more than one box, and the last time 2 boxes together ... the same IPs were hitting both machines.

    SF articles say maybe Slapper from infected boxes, but that's no worm in that thread above.
     
  6. ozzi4648

    ozzi4648 Guest

    http://www.dshield.org/pipermail/list/2002-December/001940.html

    GET /sumthin
    GET /sumthin HTTP/1.0" 404 1962 yoursitename.com "-" "-" "-"

    This line started popping up in many access logs over the summer, and increased activity was reported in October. I'm assuming that this is generated by an automated scanner of some sort, but I haven't actually been able to confirm whether this is being done by a program or manually by specific individuals.

    Regardless, this is an information gathering technique. The "/sumthin" is used to intentionally trigger a 404 error. If you haven't modified your 404 page (you can find instructions to do so here), or if a hacker telnets to your HTTP port and sends this GET request, this will reveal information about your Web Server type, Version and OS. If you are running an Apache server, add these lines to your httpd.conf file to prevent the server from disclosing this information:



    ServerTokens ProductOnly
    # Optionally add a line containing the server version and virtual host
    # name to server-generated pages (error documents, FTP directory listings,
    # mod_status and mod_info output etc., but not CGI generated documents).
    # Set to "EMail" to also include a mailto: link to the ServerAdmin.
    # Set to one of: On | Off | EMail
    ServerSignature Off

    Something else i found.
     
    #6 ozzi4648, Feb 24, 2003
    Last edited by a moderator: Feb 24, 2003
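    What the two directives quoted above actually change: ServerTokens controls how much goes into the Server: response header (ProductOnly reduces it to the bare word Apache), and ServerSignature controls the trailing <ADDRESS>...</ADDRESS> footer that Apache appends to its own error pages, which carries the version and hostname; Off removes that line. The following is an added example (Python, not code from the thread, dshield or the Apache project) that does the check the dshield note describes, a raw GET on the HTTP port, and then scores the reply for what it discloses. The two responses embedded in it are constructed, not captured from any real server: the version numbers and hostname are made up, and the first shows the default behaviour, the second the hardened settings.

```python
import re
import socket

# Two constructed responses (not captured from any real host). The first is what a stock
# Apache 1.3 404 looked like with ServerTokens Full and ServerSignature On; the version
# numbers and hostname are made up. The second has ServerTokens ProductOnly and
# ServerSignature Off applied, as the quoted dshield advice recommends.
VERBOSE_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Mon, 24 Feb 2003 12:00:00 GMT\r\n"
    "Server: Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.7\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>\n"
    "The requested URL /sumthin was not found on this server.<P>\n"
    "<HR>\n<ADDRESS>Apache/1.3.27 Server at www.example.com Port 80</ADDRESS>\n"
    "</BODY></HTML>\n"
)
HARDENED_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Mon, 24 Feb 2003 12:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>\n"
    "The requested URL /sumthin was not found on this server.<P>\n"
    "</BODY></HTML>\n"
)

VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)+")        # e.g. Apache/1.3.27, OpenSSL/0.9.7
SIGNATURE_RE = re.compile(r"<ADDRESS>(.*?)</ADDRESS>", re.I | re.S)  # the ServerSignature footer


def split_response(raw):
    """Split a raw HTTP/1.x reply into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers, body


def assess_disclosure(raw):
    """Report what a single HTTP response gives away: the Server header, every product/version
    token in it, and whether the ServerSignature footer (with its own version) is present."""
    status_line, headers, body = split_response(raw)
    server = headers.get("server", "")
    sig = SIGNATURE_RE.search(body)
    sig_text = sig.group(1).strip() if sig else ""
    versions = VERSION_RE.findall(server) + VERSION_RE.findall(sig_text)
    return {
        "status": int(status_line.split()[1]),
        "server_header": server,
        "signature_present": sig is not None,
        "signature_text": sig_text,
        "versions": sorted(set(versions)),
        "leaks_version": bool(versions),
    }


def probe(host, port=80, path="/sumthin", timeout=5.0):
    """Do what the dshield note describes: open the HTTP port, send the raw request, return
    the reply as text. Only point this at hosts you administer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("iso-8859-1")


if __name__ == "__main__":
    for label, raw in (("verbose", VERBOSE_404), ("hardened", HARDENED_404)):
        print(label, assess_disclosure(raw))
```

    After editing httpd.conf and restarting Apache, `assess_disclosure(probe("your.host"))` should come back with `leaks_version` False and `signature_present` False; if the Server header still carries a version, the directive was placed in a context that does not apply or Apache was not restarted. Note that ServerTokens is server-wide and cannot be set per virtual host.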
  7. taivu

    taivu Well-Known Member

    Joined:
    Nov 22, 2001
    Messages:
    65
    Likes Received:
    0
    Trophy Points:
    6
    I started seeing these "sumthin" requests in November. I simply did:

    touch /usr/local/apache/htdocs/sumthin

    which created a 0 byte file in the webroot of the server. Now instead of 404 they get 200:

    200.195.96.61 - - [13/Feb/2003:23:22:21 +0100] "GET /sumthin HTTP/1.0" 200 0

    Seems like that makes them move on, since I don't get any more hits from that same IP after the initial 4 probes (checked logs since November). Naturally I have also set ServerTokens to "ProductOnly" and ServerSignature to "Off".
     
  8. silvernetuk

    silvernetuk Well-Known Member

    Joined:
    Sep 2, 2002
    Messages:
    311
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    United Kingdom
    Hi

    So is this the way to go ?
    Also what is this ServerSignature do ?
    Regards,
    Garry
     
  9. taivu

    taivu Well-Known Member

  10. rpmws

    rpmws Well-Known Member

    Has anyone else seen these bastards crash a rack of servers, or at least a handful at the same time? Or have your crashes happened and no one has figured out why? I had this happen 3 times now and I ignored the first 2 because I was just happy to get the box back up. This last time it crashed 3 machines on the same NOC .. different hardware and all.

    BTW I have ServerTokens off, always have. I know for a fact that this same guy (server) has had to crash at least a couple of other boxes out there.

    My symptoms are basically a non-responsive server that only returns pings. Chkservd doesn't fix it.
     
  11. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    Try

    touch /usr/local/apache/htdocs/blankfile
    Alias /sumthin /usr/local/apache/htdocs/blankfile
     
  12. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    Great thread everyone!

    I made a post a few months ago at WHT about this very thing; unfortunately no one replied. I too had seen an increase in this 'sumthin' search and thought perhaps it was a precursor to DDoS or some other type of virus.

    In checking my httpd.conf file I noticed:

    ServerTokens ProductOnly << no mention of this so added it in
    ServerSignature On << default setting so changed to Off

    My question though, is using 'touch /usr/local/apache/htdocs/sumthin' going to work for "all" accounts -- which are always checked -- or would using Nick's suggestion be better to cover every account on the Server?
     
  13. silvernetuk

    silvernetuk Well-Known Member

    Hi,

    so would I type both these at the ssh command line ?

    Regards,
    Garry
     
  14. Website Rob

    Website Rob Well-Known Member

    No, just the 'touch' command.

    Then you need to edit your httpd.conf file and scroll (way down) till you see:

    NameVirtualHost xx.xx.xx.xx:80 << your main Server IP
    Alias /bandwidth/ /usr/local/bandmin/htdocs/
    Alias /sumthin /usr/local/apache/htdocs/blankfile << add it here

    Decided to answer my own question and figure that edit should grab "all" of the 'sumthin' requests. Feel free to correct if not so.
     
  15. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    Nick's solution is server wide.

    Touch the file in an SSH session, add the alias to httpd.conf, and restart Apache; now it is working for all sites.
     
  16. xsenses

    xsenses Well-Known Member

    Joined:
    Aug 29, 2002
    Messages:
    233
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Huntington Beach, Ca
    I just tried Nick's way and for some reason Apache won't start when I add the Alias. I made sure the blank file was created. Any ideas?
     
  17. Website Rob

    Website Rob Well-Known Member

    Did you edit your httpd.conf file the way I suggested or ...?
     
  18. xsenses

    xsenses Well-Known Member

    I added this: Alias /sumthin /usr/local/apache/htdocs/blankfile
    at the top right under Alias /bandwidth/ /usr/local/bandmin/htdocs/
     
  19. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    From ssh do

    cd /usr/local/apache/bin
    ./apachectl configtest

    That should tell what is wrong.
     
  20. xsenses

    xsenses Well-Known Member

    I changed 2 things and it now works:
    1. I moved it down under the main virtual host entry
    2. I think I was entering sumthin/usr rather than sumthin /usr (space)
     
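    The procedure the last ten posts arrive at is: touch the empty target file, add one Alias line to httpd.conf outside any VirtualHost block, run `apachectl configtest`, then restart Apache. The failure xsenses hit is the one configtest exists to catch: Alias takes exactly two arguments, and "Alias /sumthin/usr/local/..." without the space has only one. The script below is an added example (Python, not code from this thread or from cPanel) that does those steps with the checks a practitioner would want: it refuses a malformed directive, inserts the line once (so re-running it is harmless), keeps a backup, and reports the configtest result. The httpd.conf skeleton is constructed; the anchor line and paths are the ones the posters used, and `/usr/local/apache/bin/apachectl` is the path from dgbaker's post; adjust all of them for your own layout.

```python
import re
import subprocess
from pathlib import Path

# Constructed skeleton of the region of a cPanel-era httpd.conf the thread edits; not a real file.
SAMPLE_CONF = """\
ServerTokens ProductOnly
ServerSignature Off
NameVirtualHost 192.0.2.1:80
Alias /bandwidth/ /usr/local/bandmin/htdocs/
<VirtualHost 192.0.2.1:80>
    ServerName www.example.com
    DocumentRoot /home/example/public_html
</VirtualHost>
"""

ANCHOR = "Alias /bandwidth/ /usr/local/bandmin/htdocs/"          # where Website Rob says to put it
NEW_ALIAS = "Alias /sumthin /usr/local/apache/htdocs/blankfile"  # cPanelNick's directive

# Alias takes exactly two arguments. "Alias /sumthin/usr/local/..." (no space) has one, which is
# the mistake xsenses hit, and it makes apachectl configtest fail.
ALIAS_RE = re.compile(r"^\s*Alias\s+(\S+)\s+(\S+)\s*$")


def parse_alias(line):
    """Return (url_path, fs_path) for a well-formed Alias line, else None."""
    m = ALIAS_RE.match(line)
    return (m.group(1), m.group(2)) if m else None


def add_alias(conf_text, alias_line=NEW_ALIAS, anchor=ANCHOR):
    """Insert alias_line directly after the anchor line, once. Returns (new_text, changed).
    Raises ValueError on a malformed directive or a missing anchor instead of writing junk."""
    parsed = parse_alias(alias_line)
    if parsed is None:
        raise ValueError(f"malformed Alias directive: {alias_line!r}")
    url_path = parsed[0]
    lines = conf_text.splitlines()
    for line in lines:
        existing = parse_alias(line)
        if existing and existing[0] == url_path:
            return conf_text, False                   # already there; stay idempotent
    for i, line in enumerate(lines):
        if line.strip() == anchor:
            lines.insert(i + 1, alias_line)
            return "\n".join(lines) + "\n", True
    raise ValueError(f"anchor line not found: {anchor!r}")


def install(conf_path, apachectl="/usr/local/apache/bin/apachectl", alias_line=NEW_ALIAS):
    """The whole procedure from the thread: touch the target, insert the Alias, run configtest.
    Returns (configtest_passed, configtest_output). Restart Apache yourself once it passes."""
    target = Path(parse_alias(alias_line)[1])
    target.touch(exist_ok=True)                       # the 0-byte file the alias points at
    conf = Path(conf_path)
    original = conf.read_text()
    new_text, changed = add_alias(original, alias_line)
    if changed:
        Path(str(conf) + ".bak").write_text(original)  # keep a copy to roll back to
        conf.write_text(new_text)
    result = subprocess.run([apachectl, "configtest"], capture_output=True, text=True)
    return result.returncode == 0, (result.stdout + result.stderr).strip()


if __name__ == "__main__":
    text, changed = add_alias(SAMPLE_CONF)
    print("inserted:", changed)
    print(text)
```

    On a real box the call is `install("/usr/local/apache/conf/httpd.conf")` as root, followed by a restart only if it returns True. Because the Alias sits in the main server context rather than inside a VirtualHost, it answers /sumthin for every site on the box, which is what dgbaker means by "server wide"; a file touched into a single DocumentRoot, as in taivu's post, only covers that one site.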