Security Incidents mailing list archives
RE: HTTP Probe by Webserver
From: Dean Cunningham <Dean.Cunningham () ew govt nz>
Date: Thu, 11 Oct 2001 14:28:21 +1300
Hi Allan,

The site 195.10.146.197 is running Microsoft-IIS/4.0 on NT4/Windows 98, found from www.netcraft.com.

I get about 3 http requests a second on my firewall from some compromised machine on the net to IPs of mine that have no webserver. Due to the volume, never bother contacting the "owners of the machine".

The only way you can find the information you need is to contact the people registered as owners of that IP address.

Suggest you email hostmaster () imatranet fi and pasi.sutinen () imatranet fi and ask them nicely why that IP address is interested in your machine.

I found this information using Sam Spade for Windows, www.samspade.org

Here are the details:

10/11/01 11:44:53 dig 195.10.146.197 @ 202.36.123.19
Dig 197.146.10.195.in-addr.arpa@202.36.123.19 ...
Authoritative Answer
Recursive queries supported by this server
Authoritative answer: Host doesn't exist
Query for 197.146.10.195.in-addr.arpa type=255 class=1
146.10.195.IN-ADDR.ARPA SOA (Zone of Authority)
    Primary NS: ns1.imatranet.fi
    Responsible person: hostmaster () imatranet fi
    serial:2000111201
    refresh:21600s (6 hours)
    retry:3600s (60 minutes)
    expire:691200s (8 days)
    minimum-ttl:86400s (24 hours)

10/11/01 11:44:52 whois 195.10.146.197 () whois geektools com
whois -h whois.geektools.com 195.10.146.197 ...
Query: 195.10.146.197
Registry: whois.ripe.net
Results:
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum:  195.10.145.0 - 195.10.146.255
netname:  DSMIKRO
descr:    DS-Mikro Oy, Imatra, FI
descr:    Project Department
country:  FI
admin-c:  SK401-RIPE
tech-c:   PS551-RIPE
rev-srv:  ns1.dsmikro.fi
rev-srv:  ns1.teliafi.net
status:   ASSIGNED PA
mnt-by:   AS6793-MNT
changed:  jorma.mellin () ivo fi 19970211
changed:  ruokonen () telivo net 19970705
changed:  ruokonen () teliafi net 19971016
source:   RIPE

route:    195.10.128.0/18
descr:    Telia Finland
origin:   AS6793
notify:   hostmaster () teliafi net
mnt-by:   AS6793-MNT
changed:  jorma.mellin () ivo fi 19970124
changed:  jorma.mellin () telivo net 19970409
changed:  jorma.mellin () telivo net 19970827
changed:  ruokonen () teliafi net 19971016
source:   RIPE

person:   Seppo Koistinen
address:  Esterinkatu 11
address:  55100 IMATRA
address:  FINLAND
phone:    +358 5 436 3463
fax-no:   +358 5 436 3463
e-mail:   seppo.koistinen () dsmikro fi
nic-hdl:  SK401-RIPE
notify:   jorma.mellin () ivo fi
changed:  jorma.mellin () ivo fi 19970206
source:   RIPE

person:   Pasi Sutinen
address:  Esterinkatu 11
address:  55100 IMATRA
address:  FINLAND
phone:    +358 5 683 0100
fax-no:   +358 5 683 0200
e-mail:   pasi.sutinen () imatranet fi
nic-hdl:  PS551-RIPE
notify:   pasi.sutinen () imatranet fi
changed:  jorma.mellin () ivo fi 19970205
changed:  jorma.mellin () telivo net 19970822
changed:  ruokonen () teliafi net 19971016
changed:  ruokonen () teliafi net 19990308
source:   RIPE

-----Original Message-----
From: Alan Wright [mailto:AlanJWright () manx net]
Sent: Thursday, 11 October 2001 11:31 a.m.
To: incidents () securityfocus com
Subject: HTTP Probe by Webserver

Dear All

I have noticed tonight that BlackIce Defender has flagged up an Http probe from a webserver @195.10.146.197. This comes back as a Finnish IP.

Anyone know if the server has been compromised and is randomly probing or is someone using it as a jump off point for some probing?

Any help would be gratefully received.

All the best
Alan

***************************************************
This e-mail is not an official statement of the Waikato Regional Council unless otherwise stated.
Visit our website http://www.ew.govt.nz
***************************************************

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
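The lookup described in the message above (reverse-DNS name for the probing address, then the whois record, then the registered contacts), as an added example that is not part of the original post. The function names are hypothetical and the whois text is a constructed sample in RPSL layout using a documentation address range, not registry data.

```python
import ipaddress

# Constructed sample in RIPE RPSL layout (documentation range, made-up handles).
SAMPLE_WHOIS = """\
% Constructed sample, not real registry data.

inetnum:  192.0.2.0 - 192.0.2.255
admin-c:  AA1-EXAMPLE
tech-c:   TT2-EXAMPLE

person:   Alice Admin
e-mail:   alice@example.net
nic-hdl:  AA1-EXAMPLE

person:   Tom Tech
e-mail:   tom@example.net
nic-hdl:  TT2-EXAMPLE
"""

def reverse_name(ip):
    """Name to query for the PTR/SOA record of an address."""
    return ipaddress.ip_address(ip).reverse_pointer

def parse_rpsl(text):
    """Split whois text into objects, each a list of (attribute, value)."""
    objects = []
    for block in text.split("\n\n"):          # blank line separates objects
        attrs = [(k.strip().lower(), v.strip())
                 for k, sep, v in (l.partition(":") for l in block.splitlines())
                 if sep and not k.startswith("%")]   # skip server comments
        if attrs:
            objects.append(attrs)
    return objects

def contacts_for(ip, text):
    """E-mail addresses of admin-c/tech-c for the inetnum that covers ip."""
    addr = ipaddress.ip_address(ip)
    objs = parse_rpsl(text)
    # Map each contact handle (nic-hdl) to the e-mail in its person object.
    people = {d["nic-hdl"]: d["e-mail"] for d in map(dict, objs)
              if "nic-hdl" in d and "e-mail" in d}
    found = []
    for obj in objs:
        if obj[0][0] != "inetnum":
            continue
        lo, hi = (ipaddress.ip_address(p.strip()) for p in obj[0][1].split("-"))
        if lo <= addr <= hi:                  # address falls inside this block
            found += [people[v] for k, v in obj
                      if k in ("admin-c", "tech-c") and v in people]
    return list(dict.fromkeys(found))         # de-duplicate, keep order
```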
Current thread:
- HTTP Probe by Webserver Alan Wright (Oct 10)
- RE: HTTP Probe by Webserver Vince Sola (Oct 11)
- <Possible follow-ups>
- RE: HTTP Probe by Webserver Andrew Blevins (Oct 10)
- RE: HTTP Probe by Webserver Dean Cunningham (Oct 11)