Hi Allan,

The site 195.10.146.197 is running Microsoft-IIS/4.0 on NT4/Windows 98, found from www.netcraft.com.

I get about 3 http requests a second on my firewall from some compromised machine on the net to IPs of mine that have no webserver. Due to the volume, never bother contacting the "owners of the machine".

The only way you can find the information you need is to contact the people registered as owners of that IP address. Suggest you email hostmasterat_private and pasi.sutinenat_private and ask them nicely why that IP address is interested in your machine.

I found this information using Sam Spade for Windows, www.samspade.org

Here are the details:

10/11/01 11:44:53 dig 195.10.146.197 @ 202.36.123.19
Dig 197.146.10.195.in-addr.arpaat_private ...
Authoritative Answer
Recursive queries supported by this server
Authoritative answer: Host doesn't exist
Query for 197.146.10.195.in-addr.arpa type=255 class=1
  146.10.195.IN-ADDR.ARPA SOA (Zone of Authority)
        Primary NS: ns1.imatranet.fi
        Responsible person: hostmasterat_private
        serial:2000111201
        refresh:21600s (6 hours)
        retry:3600s (60 minutes)
        expire:691200s (8 days)
        minimum-ttl:86400s (24 hours)

10/11/01 11:44:52 whois 195.10.146.197at_private
whois -h whois.geektools.com 195.10.146.197 ...
Query: 195.10.146.197
Registry: whois.ripe.net
Results:
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum:      195.10.145.0 - 195.10.146.255
netname:      DSMIKRO
descr:        DS-Mikro Oy, Imatra, FI
descr:        Project Department
country:      FI
admin-c:      SK401-RIPE
tech-c:       PS551-RIPE
rev-srv:      ns1.dsmikro.fi
rev-srv:      ns1.teliafi.net
status:       ASSIGNED PA
mnt-by:       AS6793-MNT
changed:      jorma.mellinat_private 19970211
changed:      ruokonenat_private 19970705
changed:      ruokonenat_private 19971016
source:       RIPE

route:        195.10.128.0/18
descr:        Telia Finland
origin:       AS6793
notify:       hostmasterat_private
mnt-by:       AS6793-MNT
changed:      jorma.mellinat_private 19970124
changed:      jorma.mellinat_private 19970409
changed:      jorma.mellinat_private 19970827
changed:      ruokonenat_private 19971016
source:       RIPE

person:       Seppo Koistinen
address:      Esterinkatu 11
address:      55100 IMATRA
address:      FINLAND
phone:        +358 5 436 3463
fax-no:       +358 5 436 3463
e-mail:       seppo.koistinenat_private
nic-hdl:      SK401-RIPE
notify:       jorma.mellinat_private
changed:      jorma.mellinat_private 19970206
source:       RIPE

person:       Pasi Sutinen
address:      Esterinkatu 11
address:      55100 IMATRA
address:      FINLAND
phone:        +358 5 683 0100
fax-no:       +358 5 683 0200
e-mail:       pasi.sutinenat_private
nic-hdl:      PS551-RIPE
notify:       pasi.sutinenat_private
changed:      jorma.mellinat_private 19970205
changed:      jorma.mellinat_private 19970822
changed:      ruokonenat_private 19971016
changed:      ruokonenat_private 19990308
source:       RIPE

-----Original Message-----
From: Alan Wright [mailto:AlanJWrightat_private]
Sent: Thursday, 11 October 2001 11:31 a.m.
To: incidentsat_private
Subject: HTTP Probe by Webserver

Dear All

I have noticed tonight that BlackIce Defender has flagged up an HTTP probe from a webserver @195.10.146.197. This comes back as a Finnish IP. Anyone know if the server has been compromised and is randomly probing, or is someone using it as a jump off point for some probing?

Any help would be gratefully received.

All the best
Alan

***************************************************
This e-mail is not an official statement of the Waikato Regional Council unless otherwise stated.
Visit our website http://www.ew.govt.nz
***************************************************

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
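
The lookup described in the reply above comes down to reading the registry's answer: which inetnum block and route cover the address, and which person objects the admin-c and tech-c handles point to. As an added example (not part of the original messages), this Python script does that for an RPSL-format whois reply offline; the sample reply, handles and addresses in it are constructed placeholders.

```python
import ipaddress

# Constructed whois reply in RPSL layout (documentation addresses, not the page's data).
SAMPLE = """\
% constructed reply
inetnum:  192.0.2.0 - 192.0.2.255
admin-c:  AA1-EXAMPLE
tech-c:   TT2-EXAMPLE

route:    192.0.2.0/24
notify:   hostmaster@example.net

person:   Alice Admin
e-mail:   alice@example.net
nic-hdl:  AA1-EXAMPLE

person:   Tom Tech
e-mail:   tom@example.net
nic-hdl:  TT2-EXAMPLE
"""

def parse_rpsl(text):
    """Split a reply into objects, each a list of (attribute, value) pairs."""
    objects, current = [], []
    lines = [l for l in text.splitlines() if not l.startswith("%")]  # drop server comments
    for line in lines + [""]:                  # trailing "" flushes the last object
        if line.strip():
            key, _, value = line.partition(":")
            current.append((key.strip().lower(), value.strip()))
        elif current:                          # blank line ends an object
            objects.append(current)
            current = []
    return objects

def contacts_for(ip, text):
    """E-mail contacts registered for the block and route that contain ip."""
    addr, objects = ipaddress.ip_address(ip), parse_rpsl(text)
    handles, emails = set(), []
    for obj in objects:
        kind, value = obj[0]
        if kind == "inetnum":
            lo, hi = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
            if lo <= addr <= hi:
                handles.update(v for k, v in obj if k in ("admin-c", "tech-c"))
        elif kind == "route" and addr in ipaddress.ip_network(value):
            emails += [v for k, v in obj if k == "notify"]
    for obj in objects:                        # resolve handles to person objects
        if obj[0][0] == "person" and handles & {v for k, v in obj if k == "nic-hdl"}:
            emails += [v for k, v in obj if k == "e-mail"]
    return emails
```

An address outside every listed block returns an empty list, which is the cue to query a different registry rather than mail the contacts shown.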