RE: HTTP Probe by Webserver

From: Dean Cunningham (Dean.Cunninghamat_private)
Date: Wed Oct 10 2001 - 18:28:21 PDT


    Hi Allan,
    The site is running Microsoft-IIS/4.0 on NT4/Windows 98 found
    I get about 3 http requests a second on my firewall from some compromised
    machine on the net to IPs of mine that have no webserver. Due to the volume,
    I never bother contacting the "owners of the machine".
    The only way you can find the information you need is to contact the people
    registered as owners of that IP address
    Suggest you email hostmasterat_private and pasi.sutinenat_private and
    ask them nicely why that IP address is interested in your machine.
    I found this information using Sam Spade for Windows
    Here are the details:
    10/11/01 11:44:53 dig @
    Dig ...
    Authoritative Answer
    Recursive queries supported by this server
    Authoritative answer: Host doesn't exist
     Query for type=255 class=1
      146.10.195.IN-ADDR.ARPA SOA (Zone of Authority)
            Primary NS:
            Responsible person: hostmasterat_private
            refresh:21600s (6 hours)
            retry:3600s (60 minutes)
            expire:691200s (8 days)
            minimum-ttl:86400s (24 hours)
    10/11/01 11:44:52 whois
    whois -h ...
    % This is the RIPE Whois server.
    % The objects are in RPSL format.
    % Please visit for more information.
    % Rights restricted by copyright.
    % See
    inetnum: -
    netname:      DSMIKRO
    descr:        DS-Mikro Oy, Imatra, FI
    descr:        Project Department
    country:      FI
    admin-c:      SK401-RIPE
    tech-c:       PS551-RIPE
    status:       ASSIGNED PA
    mnt-by:       AS6793-MNT
    changed:      jorma.mellinat_private 19970211
    changed:      ruokonenat_private 19970705
    changed:      ruokonenat_private 19971016
    source:       RIPE
    descr:        Telia Finland
    origin:       AS6793
    notify:       hostmasterat_private
    mnt-by:       AS6793-MNT
    changed:      jorma.mellinat_private 19970124
    changed:      jorma.mellinat_private 19970409
    changed:      jorma.mellinat_private 19970827
    changed:      ruokonenat_private 19971016
    source:       RIPE
    person:       Seppo Koistinen
    address:      Esterinkatu 11
    address:      55100 IMATRA
    address:      FINLAND
    phone:        +358 5 436 3463
    fax-no:       +358 5 436 3463
    e-mail:       seppo.koistinenat_private
    nic-hdl:      SK401-RIPE
    notify:       jorma.mellinat_private
    changed:      jorma.mellinat_private 19970206
    source:       RIPE
    person:       Pasi Sutinen
    address:      Esterinkatu 11
    address:      55100 IMATRA
    address:      FINLAND
    phone:        +358 5 683 0100
    fax-no:       +358 5 683 0200
    e-mail:       pasi.sutinenat_private
    nic-hdl:      PS551-RIPE
    notify:       pasi.sutinenat_private
    changed:      jorma.mellinat_private 19970205
    changed:      jorma.mellinat_private 19970822
    changed:      ruokonenat_private 19971016
    changed:      ruokonenat_private 19990308
    source:       RIPE
    -----Original Message-----
    From: Alan Wright [mailto:AlanJWrightat_private]
    Sent: Thursday, 11 October 2001 11:31 a.m.
    To: incidentsat_private
    Subject: HTTP Probe by Webserver
    Dear All
    I have noticed tonight that BlackIce Defender has flagged up an HTTP probe 
    from a webserver @
    This comes back as a Finnish IP.
    Anyone know if the server has been compromised and is randomly probing or 
    is someone using it as a jump off point for some probing?
    Any help would be gratefully received.
    All the best
    This e-mail is  not an  official  statement of  the
    Waikato  Regional  Council unless otherwise stated.

    This archive was generated by hypermail 2b30 : Thu Oct 11 2001 - 08:44:47 PDT
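
The lookup described in the message (find the network object for the probing address, then follow its admin-c and tech-c handles to the registered contacts) can be automated when triaging many source addresses. The following is an added example, not part of the original post: it parses RPSL-format whois output and resolves the handles to e-mail addresses. It assumes objects are separated by blank lines, as in a live whois reply; the function names and the sample record are constructed for illustration.

```python
# Constructed sample in RIPE RPSL layout; every name, handle and address is a placeholder.
SAMPLE = """\
% This is the RIPE Whois server.

inetnum:      192.0.2.0 - 192.0.2.255
netname:      EXAMPLE-NET
admin-c:      AA1-EXAMPLE
tech-c:       TT1-EXAMPLE

person:       Admin Contact
e-mail:       admin@example.net
nic-hdl:      AA1-EXAMPLE

person:       Tech Contact
address:      1 Example Street
+             Example City
e-mail:       tech@example.net
nic-hdl:      TT1-EXAMPLE
"""

def parse_rpsl(text):
    """Split whois output into objects, each a list of (attribute, value)."""
    objects, current = [], []
    for line in text.splitlines() + [""]:      # trailing "" flushes the last object
        if line.startswith("%"):               # server comment line
            continue
        if not line.strip():                   # blank line ends an object
            if current:
                objects.append(current)
            current = []
        elif line[0] in " \t+" and current:    # continuation of the previous value
            attr, val = current[-1]
            current[-1] = (attr, f"{val} {line[1:].strip()}".strip())
        else:
            attr, _, val = line.partition(":")
            current.append((attr.strip().lower(), val.strip()))
    return objects

def contacts_for_network(text):
    """Resolve admin-c/tech-c handles on inetnum objects to contact e-mails."""
    objects = parse_rpsl(text)
    emails = {}                                # nic-hdl -> [e-mail, ...]
    for obj in objects:
        for h in (v for a, v in obj if a == "nic-hdl"):
            emails[h] = [v for a, v in obj if a == "e-mail"]
    roles = ("admin-c", "tech-c")
    nets = [o for o in objects if o[0][0] in ("inetnum", "inet6num")]
    # An empty list means the handle's person/role object was not in the reply.
    return {(a, v): emails.get(v, []) for o in nets for a, v in o if a in roles}
```

A handle that maps to an empty list needs a second whois query for that handle before a contact can be identified.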