[Dshield] RE: [Dshield]What is HTTP get /sumthin ?

Shawn.Wilkerson@Firstdoor.com Shawn.Wilkerson at Firstdoor.com
Fri Nov 8 14:28:08 GMT 2002


404 - file not found
404.1 - site not found

A 404 error is written to the web log when a client's requesting URL string
specifies a file the server cannot find in the location specified.


Here are a few status codes to get you started. I would suggest you review
the RFC link below when you get a chance. It provides all the status codes
currently within the standard
(http://www.w3.org/Protocols/rfc2616/rfc2616.txt).

1xx - Informational

These status codes indicate a provisional response. The client should be
prepared to receive one or more 1xx responses before receiving a regular
response. 
·	100 - Continue. 
·	101 - Switching Protocols.

2xx - Success

This class of status codes indicates that the server successfully accepted
the client request.
·	200 - OK. The client request has succeeded. 
·	201 - Created. 
·	202 - Accepted. 
·	203 - Non-Authoritative Information. 
·	204 - No Content. 
·	205 - Reset Content. 
·	206 - Partial Content.

3xx - Redirection

The client browser must take more action to fulfill the request. For
example, the browser may have to request a different page on the server or
repeat the request by using a proxy server.
·	300 - Multiple choices. 
·	301 - Moved Permanently. 
·	302 - Found. 
·	303 - See Other. 
·	304 - Not Modified. 
·	305 - Use Proxy. 
·	306 - This code is reserved but not used. 
·	307 - Temporary Redirect.

4xx - Client Error

An error occurs, and the client appears to be at fault. For example, the
client may request a page that does not exist, or the client may not provide
valid authentication information.
·	400 - Bad Request. 
·	401 - Access denied. IIS defines a number of different 401 errors
	that indicate a more specific cause of the error. These specific error
	codes are displayed in the browser but are not displayed in the IIS log:
	o	401.1 - Logon failed.
	o	401.2 - Logon failed due to server configuration.
	o	401.3 - Unauthorized due to ACL on resource.
	o	401.4 - Authorization failed by filter.
	o	401.5 - Authorization failed by ISAPI/CGI application.
·	403 - Forbidden. IIS defines a number of different 403 errors that
	indicate a more specific cause of the error:
	o	403.1 - Execute access forbidden.
	o	403.2 - Read access forbidden.
	o	403.3 - Write access forbidden.
	o	403.4 - SSL required.
	o	403.5 - SSL 128 required.
	o	403.6 - IP address rejected.
	o	403.7 - Client certificate required.
	o	403.8 - Site access denied.
	o	403.9 - Too many users.
	o	403.10 - Invalid configuration.
	o	403.11 - Password change.
	o	403.12 - Mapper denied access.
	o	403.13 - Client certificate revoked.
	o	403.14 - Directory listing denied.
	o	403.15 - Client Access Licenses exceeded.
	o	403.16 - Client certificate untrusted or invalid.
	o	403.17 - Client certificate has expired or is not yet valid.
·	404 - Not found.
·	404.1 - Site not found.
·	405 - Method not allowed.
·	406 - Not acceptable.
·	407 - Proxy authentication required.
·	412 - Precondition failed.
·	414 - Request-URI too long.

5xx - Server Error

The server cannot complete the request because it encounters an error.
·	500 - Internal server error. 
·	500.12 - Application restarting. 
·	500.13 - Server too busy. 
·	500.15 - Requests for GLOBAL.ASA not allowed. 
·	500-100.ASP - ASP error (note that this code occurs with IIS 5.0
only). 
·	501 - Not implemented. 
·	502 - Bad gateway. 
·	503 - Service unavailable. 
·	504 - Gateway timeout. 
·	505 - HTTP version not supported.

Hope this was helpful.

Shawn


-----Original Message-----
From: Jansen, Lise [mailto:Lise.Jansen at qunara.com]
Sent: Thursday, November 07, 2002 3:47 PM
To: list at dshield.org
Subject: [Dshield] RE: [Dshield]What is HTTP get /sumthin ?


I am new to this list and was wondering if someone could provide me with
some info on the following line: HTTP looking for /sumthin 404. It is
coming up quite often in my IIS logs.

Thanks for your Help!
Lise J.

-----Original Message-----
From: Bob Savage [mailto:bsavage at rnr-inc.com]
Sent: Thursday, November 07, 2002 2:24 PM
To: list at dshield.org
Subject: RE: [Dshield] New IIS directory traversal worm, or just a tool sig?


One identical to this at the end of September, 2 in late October, 4
since November 1.  No two from the same source.  Looks like Nimda to me,
but you're right, it looks like a different twist.


-----Original Message-----
From: James C Slora Jr [mailto:Jim.Slora at phra.com]
Sent: Monday, November 04, 2002 12:50 PM
To: list at dshield.org
Subject: [Dshield] New IIS directory traversal worm, or just a tool sig?


Since Friday, I have seen this from nine different addresses. IIS directory
traversal attack is on the local system - not an HTTP CONNECT. The hostname
is being specified as "ww.tk.gov" (not a real public host), but this is just
window dressing on the attack.

http://ww.tk.gov/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\script.exe

Anyone else seen this?

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
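
Added example, not code from any poster in this thread: a small log triage script that reports URIs returning 404 to several distinct clients (the /sumthin pattern asked about) and flags requests whose path still contains a parent-directory step after repeated percent-decoding (the ..%255c pattern quoted above). The log lines, the field set, the addresses, the min_sources threshold and all function names are assumptions made for the illustration.

```python
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in W3C extended log format; the field set and the
# documentation-range addresses are assumptions, not data from the thread.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2002-11-07 14:02:11 192.0.2.10 GET /sumthin 404
2002-11-07 14:09:40 198.51.100.7 GET /sumthin 404
2002-11-07 14:15:02 203.0.113.55 GET /sumthin 404
2002-11-07 14:20:31 192.0.2.10 GET /default.htm 200
2002-11-07 14:21:05 192.0.2.44 GET /images/logo.gif 404
2002-11-07 14:30:18 203.0.113.9 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe 404
"""

def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def fully_decode(uri, max_rounds=5):
    """Percent-decode repeatedly so %255c -> %5c -> backslash is exposed."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def is_traversal(uri):
    return "../" in fully_decode(uri).replace("\\", "/")

def triage(text, min_sources=3):
    """Return (404 URIs hit by many distinct clients, traversal requests)."""
    sources = defaultdict(set)
    traversals = []
    for rec in parse_w3c(text):
        if is_traversal(rec["cs-uri-stem"]):
            traversals.append((rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"]))
        elif rec["sc-status"] == "404":
            sources[rec["cs-uri-stem"].lower()].add(rec["c-ip"])
    probes = {u: len(ips) for u, ips in sources.items() if len(ips) >= min_sources}
    return probes, traversals
```

The status code is kept with each flagged traversal because a 200 there means the server answered the request instead of rejecting it, so those lines get looked at first.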
