The 'sumthin' exploit

Seen a lot of errors for 'sumthin' in your logs -- time to pay attention!

There is an increase in this 'sumthin' search, and it can "potentially" help someone initiate a successful attack on a Server.

How?

It returns a "404 error page" and this usually provides information on Server OS and other Software being used by the Server. This information can then be used to determine if the Server is using software that has known security holes or bugs.

http://online.securityfocus.com/archive/75/309924


In checking my httpd.conf file I noticed:

ServerSignature On << default setting so changed to Off
ServerTokens ProductOnly << no mention of this so added it in


In Shell:

# touch /usr/local/apache/htdocs/blankfile << or whatever path to "htdocs" for your Server setup

Then you need to open your httpd.conf file and scroll (way down) till you see:

NameVirtualHost xx.xx.xx.xx:80 << your main Server IP
Alias /bandwidth/ /usr/local/bandmin/htdocs/
Alias /sumthin /usr/local/apache/htdocs/blankfile << add it here

(If you are not using WHM, the line placement can be anywhere. Actually, it can probably be put anywhere no matter what Control Panel you use; some of us just like to keep these "Alias" entries together when we can.)

The "blank" page addition and "Alias" re-direction will grab "all" of the 'sumthin' requests and return a "200 page found" result. As no error or error page is generated, they cannot determine what software is being used.

As this work-around will become known to those who use the 'sumthin' approach, one must keep their eyes open for 404 returns matching any one word used constantly.
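An added example of the log check described above (example code written here, not part of the original post): it reads Apache access_log lines in the standard combined format and lists every request path that produced 404s from more than one distinct client, which is the "one word used constantly" pattern the post warns about. The log lines in the block are constructed sample data; the log path in the usage comment is the one the post uses for its own Server and is only an assumption for yours.

```shell
#!/bin/sh
# Constructed sample of Apache access_log lines (combined format).
# These are made-up entries, not data from the original post.
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2002:13:55:36 +0000] "GET /sumthin HTTP/1.0" 404 209 "-" "-"
203.0.113.5 - - [10/Oct/2002:13:55:37 +0000] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Oct/2002:14:02:11 +0000] "GET /sumthin HTTP/1.0" 404 209 "-" "-"
198.51.100.9 - - [10/Oct/2002:14:05:02 +0000] "GET /sumthin HTTP/1.0" 404 209 "-" "-"
192.0.2.44 - - [10/Oct/2002:15:10:00 +0000] "GET /old-page.html HTTP/1.0" 404 209 "-" "Mozilla/4.0"
192.0.2.44 - - [10/Oct/2002:15:10:05 +0000] "GET /sumthin HTTP/1.0" 200 0 "-" "-"'

# scan_404_paths [MIN_IPS]
# Reads log lines on stdin and prints, for each request path that drew a 404
# from at least MIN_IPS distinct client addresses (default 2), one line:
#   <404 hits> <distinct client IPs> <path>
# sorted with the most-hit path first. In the combined format, after
# whitespace splitting, field 1 is the client IP, field 7 the request path
# and field 9 the status code.
scan_404_paths() {
    min_ips="${1:-2}"
    awk -v min_ips="$min_ips" '
        $9 == 404 {
            path = $7
            hits[path]++
            # count each client only once per path
            if (!((path, $1) in seen)) { seen[path, $1] = 1; ips[path]++ }
        }
        END {
            for (p in hits)
                if (ips[p] >= min_ips)
                    printf "%d %d %s\n", hits[p], ips[p], p
        }' | sort -rn
}

# Usage on a real log (path assumed from the post's own setup):
#   scan_404_paths 3 < /usr/local/apache/logs/access_log
printf '%s\n' "$SAMPLE_LOG" | scan_404_paths
```

On the sample data this reports only `/sumthin` (three 404s from three different clients); the single stale-link 404 for `/old-page.html` stays below the threshold, and the final `/sumthin` request, already answered with 200 by the Alias, is not counted at all. Once the blank-page Alias is in place, the same probe word therefore drops out of this report, so it is worth running the check periodically to catch whatever word replaces it.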

It is also a good idea for "anyone" who has the ability within their hosting account to create customized error pages. The main ones would be: 400, 401, 403, 404, 500.

One more tool we can use on our Servers to help beef up Security -- just that little bit more.
