RE: HTTP Probe by Webserver

From: Dean Cunningham (Dean.Cunninghamat_private)
Date: Wed Oct 10 2001 - 18:28:21 PDT

  • Next message: Vince Sola: "RE: HTTP Probe by Webserver"

    Hi Allan,
    
    The site 195.10.146.197 is running Microsoft-IIS/4.0 on NT4/Windows 98, according
    to www.netcraft.com.
    
    I get about 3 HTTP requests a second on my firewall from some compromised
    machine on the net to IPs of mine that have no webserver. Due to the volume, I
    never bother contacting the "owners of the machine".
    
    The only way you can find the information you need is to contact the people
    registered as owners of that IP address.
    I suggest you email hostmasterat_private and pasi.sutinenat_private and
    ask them nicely why that IP address is interested in your machine.
    
    I found this information using Sam Spade for Windows www.samspade.org
    
    Here are the details:
    
    10/11/01 11:44:53 dig 195.10.146.197 @ 202.36.123.19
    Dig 197.146.10.195.in-addr.arpaat_private ...
    Authoritative Answer
    Recursive queries supported by this server
    Authoritative answer: Host doesn't exist
     Query for 197.146.10.195.in-addr.arpa type=255 class=1
      146.10.195.IN-ADDR.ARPA SOA (Zone of Authority)
            Primary NS: ns1.imatranet.fi
            Responsible person: hostmasterat_private
            serial:2000111201
            refresh:21600s (6 hours)
            retry:3600s (60 minutes)
            expire:691200s (8 days)
            minimum-ttl:86400s (24 hours)
    
    10/11/01 11:44:52 whois 195.10.146.197at_private
    
    whois -h whois.geektools.com 195.10.146.197 ...
    Query:     195.10.146.197
    Registry:  whois.ripe.net
    Results:
    % This is the RIPE Whois server.
    % The objects are in RPSL format.
    % Please visit http://www.ripe.net/rpsl for more information.
    % Rights restricted by copyright.
    % See http://www.ripe.net/ripencc/pub-services/db/copyright.html
    
    inetnum:      195.10.145.0 - 195.10.146.255
    netname:      DSMIKRO
    descr:        DS-Mikro Oy, Imatra, FI
    descr:        Project Department
    country:      FI
    admin-c:      SK401-RIPE
    tech-c:       PS551-RIPE
    rev-srv:      ns1.dsmikro.fi
    rev-srv:      ns1.teliafi.net
    status:       ASSIGNED PA
    mnt-by:       AS6793-MNT
    changed:      jorma.mellinat_private 19970211
    changed:      ruokonenat_private 19970705
    changed:      ruokonenat_private 19971016
    source:       RIPE
    
    route:        195.10.128.0/18
    descr:        Telia Finland
    origin:       AS6793
    notify:       hostmasterat_private
    mnt-by:       AS6793-MNT
    changed:      jorma.mellinat_private 19970124
    changed:      jorma.mellinat_private 19970409
    changed:      jorma.mellinat_private 19970827
    changed:      ruokonenat_private 19971016
    source:       RIPE
    
    person:       Seppo Koistinen
    address:      Esterinkatu 11
    address:      55100 IMATRA
    address:      FINLAND
    phone:        +358 5 436 3463
    fax-no:       +358 5 436 3463
    e-mail:       seppo.koistinenat_private
    nic-hdl:      SK401-RIPE
    notify:       jorma.mellinat_private
    changed:      jorma.mellinat_private 19970206
    source:       RIPE
    
    person:       Pasi Sutinen
    address:      Esterinkatu 11
    address:      55100 IMATRA
    address:      FINLAND
    phone:        +358 5 683 0100
    fax-no:       +358 5 683 0200
    e-mail:       pasi.sutinenat_private
    nic-hdl:      PS551-RIPE
    notify:       pasi.sutinenat_private
    changed:      jorma.mellinat_private 19970205
    changed:      jorma.mellinat_private 19970822
    changed:      ruokonenat_private 19971016
    changed:      ruokonenat_private 19990308
    source:       RIPE
    
    
    -----Original Message-----
    From: Alan Wright [mailto:AlanJWrightat_private]
    Sent: Thursday, 11 October 2001 11:31 a.m.
    To: incidentsat_private
    Subject: HTTP Probe by Webserver
    
    
    Dear All
    
    I have noticed tonight that BlackIce Defender has flagged up an HTTP probe 
    from a webserver @195.10.146.197.
    This comes back as a Finnish IP.
    Does anyone know if the server has been compromised and is randomly probing, or 
    is someone using it as a jump-off point for some probing?
    
    Any help would be gratefully received.
    
    
    
    All the best
    
    Alan
    ***************************************************
    This e-mail is  not an  official  statement of  the
    Waikato  Regional  Council unless otherwise stated.
    Visit our website http://www.ew.govt.nz
    ***************************************************
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
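The lookup procedure Dean walks through above (work out the in-addr.arpa name to dig for, then whois the address to find the inetnum and its admin-c/tech-c people) as an added example; this is not code from either post or from Sam Spade. It embeds an abridged copy of the RIPE whois answer quoted above as its sample input so it runs offline (the e-mail addresses keep the archive's "at_private" obfuscation), and the function names are my own.

```python
"""Helper for the procedure in the message above: build the PTR query name
and pull the responsible contacts out of a RIPE whois (RPSL) answer.
Added example, not from the list post."""
import ipaddress
import re

# Abridged copy of the RIPE whois answer quoted in the message above,
# embedded here so the parser runs offline.  E-mail addresses appear in the
# archive's obfuscated "at_private" form.
SAMPLE_WHOIS = """\
% This is the RIPE Whois server.
% The objects are in RPSL format.

inetnum:      195.10.145.0 - 195.10.146.255
netname:      DSMIKRO
descr:        DS-Mikro Oy, Imatra, FI
country:      FI
admin-c:      SK401-RIPE
tech-c:       PS551-RIPE
rev-srv:      ns1.dsmikro.fi
status:       ASSIGNED PA
mnt-by:       AS6793-MNT
source:       RIPE

route:        195.10.128.0/18
descr:        Telia Finland
origin:       AS6793
notify:       hostmasterat_private
source:       RIPE

person:       Seppo Koistinen
address:      55100 IMATRA
e-mail:       seppo.koistinenat_private
nic-hdl:      SK401-RIPE
source:       RIPE

person:       Pasi Sutinen
address:      55100 IMATRA
e-mail:       pasi.sutinenat_private
nic-hdl:      PS551-RIPE
source:       RIPE
"""


def reverse_name(ip):
    """Name to query for the PTR record, e.g. 197.146.10.195.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def parse_rpsl(text):
    """Split a whois answer into objects (dict of attribute -> list of values).
    Objects are blank-line separated; '%' lines are server comments."""
    objects, current = [], {}
    for line in text.splitlines():
        if line.startswith('%'):
            continue
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        m = re.match(r'^([a-z][a-z-]*):\s*(.*)$', line)
        if m:  # RPSL attributes may repeat (descr, address, changed), keep a list
            current.setdefault(m.group(1), []).append(m.group(2).strip())
    if current:
        objects.append(current)
    return objects


def find_inetnum(objects, ip):
    """Return the inetnum object whose 'lo - hi' range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for obj in objects:
        if 'inetnum' in obj:
            lo, hi = (ipaddress.ip_address(p.strip())
                      for p in obj['inetnum'][0].split('-'))
            if lo <= addr <= hi:
                return obj
    return None


def contacts(objects, inetnum_obj):
    """Resolve the inetnum's admin-c/tech-c handles to (handle, name, e-mail)."""
    people = {o['nic-hdl'][0]: o for o in objects if 'nic-hdl' in o}
    out = []
    for role in ('admin-c', 'tech-c'):
        for handle in inetnum_obj.get(role, []):
            p = people.get(handle, {})  # handle may not be in the answer
            out.append((handle, p.get('person', [None])[0],
                        p.get('e-mail', [None])[0]))
    return out


def lookup(ip, whois_text=SAMPLE_WHOIS):
    """Summarise what to dig and whom to contact for ip."""
    addr = ipaddress.ip_address(ip)
    objs = parse_rpsl(whois_text)
    net = find_inetnum(objs, ip)
    if net is None:
        return None
    origins = [o['origin'][0] for o in objs if 'route' in o
               and addr in ipaddress.ip_network(o['route'][0], strict=False)]
    return {'ptr_query': reverse_name(ip),
            'netname': net['netname'][0],
            'contacts': contacts(objs, net),
            'origin': origins}


if __name__ == '__main__':
    print(lookup('195.10.146.197'))
```

Two caveats a responder should keep in mind: the dig output above answers "Host doesn't exist" for the PTR, and even when a PTR exists it is set by whoever controls the reverse zone, so it identifies nothing on its own; and the contact objects in the whois answer carry changed: dates from 1997 to 1999, so the person handles may be stale and the mnt-by/notify addresses are the fallback.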
    



    This archive was generated by hypermail 2b30 : Thu Oct 11 2001 - 08:44:47 PDT