Hi Andreas

We saw the same thing here on one of our servers. The strange thing is that
'they' only came on one of our virtual domains (just registered a week ago).
Maybe they're checking for Win2k-Servers for statistics? (this one is running
NT :-)) Definitely not clean, whatever it is!

Here's the log-sample:

2002-05-25 11:30:27 195.141.86.145 - W3SVC23 WAVE webs.gymplus.ch GET /Default.aspx - 404 329 315 0 80 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) - -
2002-05-25 11:45:51 195.141.86.145 - W3SVC23 WAVE webs.gymplus.ch GET /Default.aspx - 404 329 315 0 80 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) - -
2002-05-25 13:07:16 195.141.86.145 - W3SVC23 WAVE webs.gymplus.ch GET /ertdfgderww.aspx - 404 329 319 0 80 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) - -
2002-05-25 13:07:16 195.141.86.145 - W3SVC23 WAVE webs.gymplus.ch GET /Default.aspx - 404 329 315 0 80 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) - -
2002-05-25 16:06:31 195.141.86.145 - W3SVC23 WAVE webs.gymplus.ch GET /ertdfgderww.aspx - 404 329 319 0 80 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) - -
...
2002-05-26 09:38:09 195.141.86.145 - W3SVC23 WAVE webs.gymplus.ch GET /Default.aspx - 404 329 315 0 80 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) - -

Best regards,
Johannes Müller

> -----Original Message-----
> From: Andreas Wiesmann [mailto:lordandrejat_private]
> Sent: Saturday, May 25, 2002 4:36 PM
> To: incidentsat_private
> Subject: strange .ch scan by 195.141.86.145
>
>
> Hi, I just noticed a strange scan in the web logs of all .ch and .li
> domains. Friends recognized similar scans. So far I don't know what
> the purpose of this scan is... MS collection information?
>
> /www/www.swordlord.ch/access_log:195.141.86.145 - - [24/May/2002:20:50:05 +0200] "GET http://www.swordlord.ch/hgfserd.aspx HTTP/1.0" 302 289 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
> /www/www.swordlord.ch/access_log:195.141.86.145 - - [25/May/2002:13:15:26 +0200] "GET http://www.swordlord.ch/Default.aspx HTTP/1.0" 302 289 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
> /www/www.swordlord.ch/access_log:195.141.86.145 - - [25/May/2002:14:37:35 +0200] "GET http://www.swordlord.ch/ertdfgderww.aspx HTTP/1.0" 302 289 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
>
> Owner of the IP according to RIPE is:
> inetnum:      195.141.86.144 - 195.141.86.151
> netname:      Microsoft-NET
> descr:        Microsoft AG
> descr:        Thurgauerstrasse 74
> descr:        8050 Zuerich
> country:      CH
> admin-c:      TR8175-RIPE
> tech-c:       TR8175-RIPE
> status:       ASSIGNED PA
> notify:       ip-regat_private
> mnt-by:       AS6730-MNT
> changed:      robert.guentenspergerat_private 20010806
> source:       RIPE
>
> cheers,
> Andreas

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
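A small detection helper, added here as an example and not code from either poster: it parses the two log formats shown in this thread (the IIS W3C extended lines from Johannes' sample and the grep-prefixed Apache access_log lines from Andreas') and lists every client address that requested .aspx files on several distinct host/path pairs without ever getting a 2xx answer, which is the pattern both posters describe. The IIS column order used when a log carries no "#Fields:" directive, the benign 10.1.2.3 line and the function names are assumptions of this example; the other sample lines are modelled on the ones posted above.

```python
"""Spot one source address probing for .aspx files across virtual hosts.

Handles the two log formats seen in this thread: IIS W3C extended lines and
Apache common/combined lines as grep prints them (prefixed with "file:").
Added example for this archive page; not code from either poster.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Column order assumed for IIS W3C logs that lack a "#Fields:" directive.
# ASSUMPTION inferred from the posted sample; real logs normally declare the
# order in a "#Fields:" header, which parse_lines() honours when present.
IIS_DEFAULT_FIELDS = [
    "date", "time", "c-ip", "cs-username", "s-sitename", "s-computername",
    "cs-host", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status",
    "sc-bytes", "cs-bytes", "time-taken", "s-port", "cs-version",
    "cs(User-Agent)", "cs(Cookie)", "cs(Referer)",
]

IP_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')

# Apache common/combined line, optionally prefixed with "filename:" (grep output).
APACHE_RE = re.compile(
    r'^(?:(?P<file>[^\s:]+):)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ '
    r'\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def parse_iis(line, fields):
    """Return (ip, host, path, status) from one W3C line, or None."""
    parts = line.split()          # IIS encodes spaces inside fields as '+'
    if len(parts) < len(fields):
        return None
    rec = dict(zip(fields, parts))
    if not IP_RE.match(rec.get("c-ip", "")) or not rec.get("sc-status", "").isdigit():
        return None
    return rec["c-ip"], rec["cs-host"].lower(), rec["cs-uri-stem"], rec["sc-status"]


def parse_apache(line):
    """Return (ip, host, path, status) from one Apache line, or None."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    if target.startswith(("http://", "https://")):   # proxy-style absolute URL, as in the thread
        u = urlsplit(target)
        host, path = (u.hostname or "").lower(), u.path or "/"
    else:                                             # relative request: grep file prefix is the best host hint
        host, path = (m.group("file") or "").lower(), target.split("?", 1)[0]
    return m.group("ip"), host, path, m.group("status")


def parse_lines(lines):
    """Yield (ip, host, path, status) for every recognisable line in either format."""
    fields = IIS_DEFAULT_FIELDS
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):       # W3C directive: trust the declared column order
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        rec = parse_apache(line) or parse_iis(line, fields)
        if rec:
            yield rec


def find_probing_ips(records, min_hits=2, suffixes=(".aspx",)):
    """Map each client IP to the distinct (host, path) pairs on which it asked for a
    file with a probed suffix and got no 2xx; keep IPs with at least min_hits pairs."""
    hits = defaultdict(set)
    for ip, host, path, status in records:
        if path.lower().endswith(suffixes) and not status.startswith("2"):
            hits[ip].add((host, path))
    return {ip: sorted(pairs) for ip, pairs in hits.items() if len(pairs) >= min_hits}


# Sample log modelled on the lines posted in this thread, plus one CONSTRUCTED
# benign request from 10.1.2.3 that must not be flagged.
SAMPLE_LOG = """\
2002-05-25 11:30:27 195.141.86.145 - W3SVC23 WAVE webs.gymplus.ch GET /Default.aspx - 404 329 315 0 80 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) - -
2002-05-25 13:07:16 195.141.86.145 - W3SVC23 WAVE webs.gymplus.ch GET /ertdfgderww.aspx - 404 329 319 0 80 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) - -
2002-05-25 13:08:00 10.1.2.3 - W3SVC23 WAVE webs.gymplus.ch GET /index.html - 200 2048 250 0 80 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+5.5) - -
/www/www.swordlord.ch/access_log:195.141.86.145 - - [24/May/2002:20:50:05 +0200] "GET http://www.swordlord.ch/hgfserd.aspx HTTP/1.0" 302 289 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
/www/www.swordlord.ch/access_log:195.141.86.145 - - [25/May/2002:13:15:26 +0200] "GET http://www.swordlord.ch/Default.aspx HTTP/1.0" 302 289 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
"""


def report(log_text=SAMPLE_LOG, min_hits=2):
    """Run the parser and the probe filter over a block of log text."""
    return find_probing_ips(parse_lines(log_text.splitlines()), min_hits=min_hits)


if __name__ == "__main__":
    for ip, pairs in report().items():
        print(ip)
        for host, path in pairs:
            print("   ", host, path)
```

Because the Apache server in Andreas' logs answers 302 rather than 404, the filter keys on "not 2xx" instead of "404"; raise min_hits or widen suffixes to match what your own servers normally serve, since a single stray 404 on one host is ordinary noise.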
This archive was generated by hypermail 2b30 : Mon May 27 2002 - 12:49:18 PDT