Hi Allan,

The site 195.10.146.197 is running Microsoft-IIS/4.0 on NT4/Windows 98, found from www.netcraft.com

I get about 3 http requests a second on my firewall from some compromised machine on the net to IPs of mine that have no webserver. Due to the volume, never bother contacting the "owners of the machine".

The only way you can find the information you need is to contact the people registered as owners of that IP address.

Suggest you email hostmaster@imatranet.fi and pasi.sutinen@imatranet.fi and ask them nicely why that IP address is interested in your machine.

I found this information using Sam Spade for Windows, www.samspade.org

Here are the details:

10/11/01 11:44:53 dig 195.10.146.197 @ 202.36.123.19
Dig 197.146.10.195.in-addr.arpa@202.36.123.19 ...
Authoritative Answer
Recursive queries supported by this server
Authoritative answer: Host doesn't exist
Query for 197.146.10.195.in-addr.arpa type=255 class=1
146.10.195.IN-ADDR.ARPA SOA (Zone of Authority)
Primary NS: ns1.imatranet.fi
Responsible person: hostmaster@imatranet.fi
serial:2000111201
refresh:21600s (6 hours)
retry:3600s (60 minutes)
expire:691200s (8 days)
minimum-ttl:86400s (24 hours)

10/11/01 11:44:52 whois 195.10.146.197@whois.geektools.com
whois -h whois.geektools.com 195.10.146.197 ...
Query: 195.10.146.197
Registry: whois.ripe.net
Results:
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum: 195.10.145.0 - 195.10.146.255
netname: DSMIKRO
descr: DS-Mikro Oy, Imatra, FI
descr: Project Department
country: FI
admin-c: SK401-RIPE
tech-c: PS551-RIPE
rev-srv: ns1.dsmikro.fi
rev-srv: ns1.teliafi.net
status: ASSIGNED PA
mnt-by: AS6793-MNT
changed: jorma.mellin@ivo.fi 19970211
changed: ruokonen@telivo.net 19970705
changed: ruokonen@teliafi.net 19971016
source: RIPE

route: 195.10.128.0/18
descr: Telia Finland
origin: AS6793
notify: hostmaster@teliafi.net
mnt-by: AS6793-MNT
changed: jorma.mellin@ivo.fi 19970124
changed: jorma.mellin@telivo.net 19970409
changed: jorma.mellin@telivo.net 19970827
changed: ruokonen@teliafi.net 19971016
source: RIPE

person: Seppo Koistinen
address: Esterinkatu 11
address: 55100 IMATRA
address: FINLAND
phone: +358 5 436 3463
fax-no: +358 5 436 3463
e-mail: seppo.koistinen@dsmikro.fi
nic-hdl: SK401-RIPE
notify: jorma.mellin@ivo.fi
changed: jorma.mellin@ivo.fi 19970206
source: RIPE

person: Pasi Sutinen
address: Esterinkatu 11
address: 55100 IMATRA
address: FINLAND
phone: +358 5 683 0100
fax-no: +358 5 683 0200
e-mail: pasi.sutinen@imatranet.fi
nic-hdl: PS551-RIPE
notify: pasi.sutinen@imatranet.fi
changed: jorma.mellin@ivo.fi 19970205
changed: jorma.mellin@telivo.net 19970822
changed: ruokonen@teliafi.net 19971016
changed: ruokonen@teliafi.net 19990308
source: RIPE

-----Original Message-----
From: Alan Wright [mailto:AlanJWright@manx.net]
Sent: Thursday, 11 October 2001 11:31 a.m.
To: incidents@securityfocus.com
Subject: HTTP Probe by Webserver

Dear All

I have noticed tonight that BlackIce Defender has flagged up an Http probe from a webserver @195.10.146.197. This comes back as a Finnish IP.

Anyone know if the server has been compromised and is randomly probing, or is someone using it as a jump off point for some probing?

Any help would be gratefully received.

All the best
Alan

***************************************************
This e-mail is not an official statement of the Waikato Regional Council unless otherwise stated.
Visit our website http://www.ew.govt.nz
***************************************************

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
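
The lookup described in the reply above (reverse-DNS query name, then the registry contacts for the covering network), as an added Python example that is not part of the original thread: it parses an RPSL whois reply and resolves the admin-c/tech-c handles on the matching inetnum to mailboxes. The function names are illustrative, and the embedded whois text is a constructed sample with placeholder values.

```python
import ipaddress

# Constructed sample in RPSL layout; network, handles and mailboxes are placeholders.
SAMPLE_WHOIS = """\
% constructed sample, not registry data
inetnum:  192.0.2.0 - 192.0.2.255
admin-c:  AA1-EXAMPLE
tech-c:   TT2-EXAMPLE

person:   Admin Contact
e-mail:   admin@customer.example
nic-hdl:  AA1-EXAMPLE

person:   Tech Contact
e-mail:   tech@customer.example
nic-hdl:  TT2-EXAMPLE
"""

def reverse_name(ip):
    """PTR query name for an address (what the dig step above looked up)."""
    return ipaddress.ip_address(ip).reverse_pointer

def parse_rpsl(text):
    """Split a whois reply into objects, each a list of (attribute, value)."""
    objects, current = [], []
    for line in text.splitlines():
        if line.startswith("%"):            # server comment
            continue
        key, sep, value = line.partition(":")
        if line.strip() and sep:
            current.append((key.strip().lower(), value.strip()))
        elif not line.strip() and current:  # blank line ends the object
            objects.append(current)
            current = []
    if current:
        objects.append(current)
    return objects

def contacts_for(ip, objects):
    """Mailboxes of the admin-c/tech-c handles on the inetnum covering ip."""
    addr = ipaddress.ip_address(ip)
    people = {dict(o).get("nic-hdl"): dict(o).get("e-mail")
              for o in objects if o[0][0] in ("person", "role")}
    found = []
    for obj in objects:
        if obj[0][0] == "inetnum":
            lo, hi = (ipaddress.ip_address(p.strip()) for p in obj[0][1].split("-"))
            if lo <= addr <= hi:
                found += [people[v] for k, v in obj if k in ("admin-c", "tech-c") and people.get(v)]
    return found
```
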
This archive was generated by hypermail 2b30 : Thu Oct 11 2001 - 08:44:47 PDT