Security Incidents mailing list archives

RE: HTTP Probe by Webserver


From: Dean Cunningham <Dean.Cunningham () ew govt nz>
Date: Thu, 11 Oct 2001 14:28:21 +1300

Hi Allan,

The site 195.10.146.197 is running Microsoft-IIS/4.0 on NT4/Windows 98, as found
via www.netcraft.com.

I get about 3 HTTP requests a second on my firewall from some compromised
machine on the net to IPs of mine that have no webserver. Due to the volume, I
never bother contacting the "owners of the machine".

The only way you can find the information you need is to contact the people
registered as owners of that IP address.
Suggest you email hostmaster () imatranet fi and pasi.sutinen () imatranet fi and
ask them nicely why that IP address is interested in your machine.

I found this information using Sam Spade for Windows (www.samspade.org).

Here are the details:

10/11/01 11:44:53 dig 195.10.146.197 @ 202.36.123.19
Dig 197.146.10.195.in-addr.arpa@202.36.123.19 ...
Authoritative Answer
Recursive queries supported by this server
Authoritative answer: Host doesn't exist
 Query for 197.146.10.195.in-addr.arpa type=255 class=1
  146.10.195.IN-ADDR.ARPA SOA (Zone of Authority)
        Primary NS: ns1.imatranet.fi
        Responsible person: hostmaster () imatranet fi
        serial:2000111201
        refresh:21600s (6 hours)
        retry:3600s (60 minutes)
        expire:691200s (8 days)
        minimum-ttl:86400s (24 hours)

10/11/01 11:44:52 whois 195.10.146.197 () whois geektools com

whois -h whois.geektools.com 195.10.146.197 ...
Query:     195.10.146.197
Registry:  whois.ripe.net
Results:
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum:      195.10.145.0 - 195.10.146.255
netname:      DSMIKRO
descr:        DS-Mikro Oy, Imatra, FI
descr:        Project Department
country:      FI
admin-c:      SK401-RIPE
tech-c:       PS551-RIPE
rev-srv:      ns1.dsmikro.fi
rev-srv:      ns1.teliafi.net
status:       ASSIGNED PA
mnt-by:       AS6793-MNT
changed:      jorma.mellin () ivo fi 19970211
changed:      ruokonen () telivo net 19970705
changed:      ruokonen () teliafi net 19971016
source:       RIPE

route:        195.10.128.0/18
descr:        Telia Finland
origin:       AS6793
notify:       hostmaster () teliafi net
mnt-by:       AS6793-MNT
changed:      jorma.mellin () ivo fi 19970124
changed:      jorma.mellin () telivo net 19970409
changed:      jorma.mellin () telivo net 19970827
changed:      ruokonen () teliafi net 19971016
source:       RIPE

person:       Seppo Koistinen
address:      Esterinkatu 11
address:      55100 IMATRA
address:      FINLAND
phone:        +358 5 436 3463
fax-no:       +358 5 436 3463
e-mail:       seppo.koistinen () dsmikro fi
nic-hdl:      SK401-RIPE
notify:       jorma.mellin () ivo fi
changed:      jorma.mellin () ivo fi 19970206
source:       RIPE

person:       Pasi Sutinen
address:      Esterinkatu 11
address:      55100 IMATRA
address:      FINLAND
phone:        +358 5 683 0100
fax-no:       +358 5 683 0200
e-mail:       pasi.sutinen () imatranet fi
nic-hdl:      PS551-RIPE
notify:       pasi.sutinen () imatranet fi
changed:      jorma.mellin () ivo fi 19970205
changed:      jorma.mellin () telivo net 19970822
changed:      ruokonen () teliafi net 19971016
changed:      ruokonen () teliafi net 19990308
source:       RIPE


-----Original Message-----
From: Alan Wright [mailto:AlanJWright () manx net]
Sent: Thursday, 11 October 2001 11:31 a.m.
To: incidents () securityfocus com
Subject: HTTP Probe by Webserver


Dear All

I have noticed tonight that BlackIce Defender has flagged up an HTTP probe
from a webserver @195.10.146.197.
This comes back as a Finnish IP.
Anyone know if the server has been compromised and is randomly probing, or
is someone using it as a jump-off point for some probing?

Any help would be gratefully received.



All the best

Alan
***************************************************
This e-mail is  not an  official  statement of  the
Waikato  Regional  Council unless otherwise stated.
Visit our website http://www.ew.govt.nz
***************************************************

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
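An added example, not part of Dean's message or of Sam Spade: a Python script that parses RIPE RPSL whois output like the record quoted above and resolves the admin-c/tech-c handles of the inetnum covering a given IP to contact addresses, which is the lookup Dean did by hand. The sample record is constructed from the reply above, trimmed, with placeholder e-mail addresses in place of the real contacts.

```python
import ipaddress

# Constructed sample of RIPE RPSL whois output, trimmed from the reply above;
# the e-mail addresses are placeholders, not the real contacts.
SAMPLE_WHOIS = """\
% This is the RIPE Whois server.
inetnum:      195.10.145.0 - 195.10.146.255
admin-c:      SK401-RIPE
tech-c:       PS551-RIPE

person:       Seppo Koistinen
e-mail:       sk401@example.invalid
nic-hdl:      SK401-RIPE

person:       Pasi Sutinen
e-mail:       ps551@example.invalid
nic-hdl:      PS551-RIPE
"""

def parse_rpsl(text):
    """Split whois output into objects, each a list of (key, value) pairs.
    Objects are separated by blank lines; '%' lines are server comments."""
    objects, current = [], []
    for line in text.splitlines():
        if line.startswith("%"):
            continue
        if not line.strip():
            current = []
            continue
        if not current:  # first attribute starts a new object
            objects.append(current)
        key, _, value = line.partition(":")
        current.append((key.strip(), value.strip()))
    return objects

def abuse_contacts(ip, whois_text):
    """E-mail addresses of the admin-c/tech-c persons on the inetnum covering ip."""
    addr = ipaddress.ip_address(ip)
    objects = parse_rpsl(whois_text)
    # Resolve nic-hdl handles to e-mail addresses (a person object may list several).
    persons = {dict(o)["nic-hdl"]: [v for k, v in o if k == "e-mail"] for o in objects if "nic-hdl" in dict(o)}
    contacts = []
    for obj in objects:
        fields = dict(obj)
        if "inetnum" not in fields:
            continue
        lo, _, hi = fields["inetnum"].partition("-")
        if ipaddress.ip_address(lo.strip()) <= addr <= ipaddress.ip_address(hi.strip()):
            for key, handle in obj:
                if key in ("admin-c", "tech-c"):
                    contacts.extend(persons.get(handle, []))
    return contacts
```

Real RIPE output today also carries an abuse-c / abuse-mailbox attribute, which is the address to prefer when it is present.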
