RE: Web server crashed, now is trying to contact an IP by port 80 every morning.

From: Dan Harpold (danharpat_private)
Date: Mon Feb 24 2003 - 17:19:38 PST


    Thanks to everyone. It looks like it is Trend ServerProtect checking for
    updates....
    
    
    -----Original Message-----
    From: Steven [mailto:magusbaalat_private] 
    Sent: Monday, February 24, 2003 5:41 PM
    To: Dan Harpold; incidentsat_private
    Subject: RE: Web server crashed, now is trying to contact an IP by port 80 every morning.
    
    
    Well, a "whois 64.0.96.14" shows:
    OrgName:    XO Communications
    OrgID:      XOXO
    Address:    Corporate Headquarters
    Address:    11111 Sunset Hills Road
    City:       Reston
    StateProv:  VA
    PostalCode: 20190-5339
    Country:    US
    
    NetRange:   64.0.0.0 - 64.3.255.255
    CIDR:       64.0.0.0/14
    NetName:    XOXO-BLK-14
    NetHandle:  NET-64-0-0-0-1
    Parent:     NET-64-0-0-0-0
    NetType:    Direct Allocation
    NameServer: NAMESERVER1.CONCENTRIC.NET
    NameServer: NAMESERVER2.CONCENTRIC.NET
    NameServer: NAMESERVER3.CONCENTRIC.NET
    NameServer: NAMESERVER.CONCENTRIC.NET
    
    If I'm not mistaken, the Automagic Windows Update thing tries to check
    for updates every day. Concentric hosts some of the Microsoft updates,
    IIRC. Google shows that Concentric does host some Microsoft stuff, so I
    think memory is serving me today :). Try disabling the automagic update
    and see if that is the source of the traffic. 
    
    
    Good luck!
    
    
    Steven
    
    "exitus acta probat"
    "fide, sed cui vide"  
    
    -----Original Message-----
    From: Dan Harpold [mailto:danharpat_private] 
    Sent: Sunday, February 23, 2003 8:20 PM
    To: incidentsat_private
    Subject: Web server crashed, now is trying to contact an IP by port 80 every morning.
    
    
    My web server crashed the other day. Got a blue screen and on reboot
    NTLDR was missing. I reinstalled and reformatted the drive. Simple W2K
    Server with IIS 5 and current service packs. It sits in a DMZ.
    
    Now, each morning (only 2 days so far) at 12:00:45 AM, the machine is
    trying to contact an outside server via HTTP. The external request,
    which is being blocked by my firewall, is trying to go to 64.0.96.14. It
    logs about fifteen attempts over the next ten seconds, then doesn't
    appear until the next morning.
    
    Any thoughts?
    
    Dan 
    
    
    ----------------------------------------------------------------------------
    
    Lose another weekend managing your IDS?
    Take back your personal time.
    15-day free trial of StillSecure Border Guard.
    http://www.securityfocus.com/stillsecure
    
    
    
    
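    Before accepting an attribution like the one above (a product's scheduled update check), it helps to measure the pattern Dan describes directly from the firewall logs. The Python below is an added example, not code from this thread: it parses a constructed log sample in a hypothetical "date time ACTION src dst:port" format, groups blocked attempts per flow, and reports attempts per burst, burst duration, hours between bursts, and whether every burst starts at the same wall-clock time. The internal address 192.0.2.10 and the 198.51.100.7 noise line are constructed; only 64.0.96.14 comes from the thread.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOG_FORMAT = "%Y-%m-%d %H:%M:%S"

def parse_line(line):
    """Parse 'YYYY-MM-DD HH:MM:SS ACTION SRC DST:PORT' (hypothetical format)."""
    date, clock, action, src, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return {"ts": datetime.strptime(f"{date} {clock}", LOG_FORMAT),
            "action": action, "src": src, "dst": dst, "port": int(port)}

def bursts_by_flow(lines, gap=timedelta(seconds=60)):
    """Group DENY attempts by (src, dst, port) and split each flow into
    bursts wherever successive attempts are more than `gap` apart."""
    flows = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec["action"] == "DENY":
            flows[(rec["src"], rec["dst"], rec["port"])].append(rec["ts"])
    result = {}
    for flow, times in flows.items():
        times.sort()
        bursts = [[times[0]]]
        for t in times[1:]:
            if t - bursts[-1][-1] > gap:
                bursts.append([t])
            else:
                bursts[-1].append(t)
        result[flow] = bursts
    return result

def summarise(bursts):
    """Attempts and duration per burst, hours between burst starts, and
    whether every burst begins at the same wall-clock time (a scheduler)."""
    starts = [b[0] for b in bursts]
    return {"bursts": [(len(b), (b[-1] - b[0]).total_seconds()) for b in bursts],
            "hours_between": [(b - a).total_seconds() / 3600
                              for a, b in zip(starts, starts[1:])],
            "same_time_of_day": len({s.time() for s in starts}) == 1}

def make_sample_log():
    """Constructed sample, not a real capture: two nights of 15 attempts
    within 10 s to the host from the thread, plus one unrelated ALLOW."""
    lines = []
    for day in ("2003-02-23", "2003-02-24"):
        start = datetime.strptime(f"{day} 00:00:45", LOG_FORMAT)
        lines += [f"{start + timedelta(seconds=i * 10 // 14):{LOG_FORMAT}}"
                  f" DENY 192.0.2.10 64.0.96.14:80" for i in range(15)]
    lines.append("2003-02-23 09:15:02 ALLOW 192.0.2.10 198.51.100.7:443")
    return lines
```

    A burst of about fifteen attempts inside ten seconds at an identical wall-clock time each night is the signature of a scheduled job; which job it is still has to be confirmed on the host itself (scheduled tasks and service configuration), not inferred from whois alone.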
    



    This archive was generated by hypermail 2b30 : Tue Feb 25 2003 - 14:34:38 PST