Evert van Dijk evert at silver-sword.net
Sun Jan 11 17:52:49 WST 2009

It seems that the IP address is hosted in Japan.

whois tells me:
inetnum: -
netname:      JAPAN150
country:      JP
descr:        Japan Network Information Center
role:         Japan Network Information Center
address:      Kokusai-Kougyou-Kanda Bldg 6F, 2-3-4 Uchi-Kanda
address:      Chiyoda-ku, Tokyo 101-0047, Japan
country:      JP

and a reverse DNS lookup tells me that Trend Micro is using the specific IP.

dig -x
; <<>> DiG 9.3.4-P1 <<>> -x
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26411
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;     IN      PTR

70.150.in-addr.arpa.    3600    IN      SOA     tmns1.trendmicro.com. dnsadmin.trendmicro.com. 55 60 600 86400 3600

;; Query time: 1058 msec
;; WHEN: Sun Jan 11 17:40:17 2009
;; MSG SIZE  rcvd: 108

Not knowing your setup: is it possible you have the Trend Micro antivirus software installed and that this is using a remote service to check websites for malicious code or whatever on the website?

My dealings with Trend Micro have been that their products are pretty good, so I don't think that it is a dodgy remote host.

Good luck

----- Original Message -----
From: "Niffum" <bulkniffum at iinet.net.au>
To: plug at plug.org.au
Sent: Sunday, 11 January, 2009 6:38:02 PM GMT +08:00 Perth
Subject: [plug]

A few days ago I was bored so I figured it would be a nice waste of 
time to go through my webserver logs... and I found that a 
particular IP address had been hammering what would appear to be 
random sites on my webserver.

A typical log entry would be something like:

 - - [11/Jan/2009:18:26:28 +0900] "GET HTTP/1.0" 404 91 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

I have been monitoring this IP address for a little while now and I 
have noticed something very odd.  I open up Firefox and go to my 
local webserver.  I open my Cacti web pages and have a look at the 
pretty graphs.  I then walk away and do something random.  When I 
come back, there is an entry in the Apache access log which is 
exactly the same as the one I was looking at.

I thought maybe it was some kind of Google bot which was getting its 
information from the referer that Firefox was sending out, so I 
permanently set that to www.fbi.gov, but that made no difference.

This has been happening for over a year, apparently.

I'm not even sure what to google.  Has anyone seen this kind of thing before?

PLUG discussion list: plug at plug.org.au
Committee e-mail: committee at plug.linux.org.au


Evert van Dijk BBus (MIS & e-Commerce)
PgCert (Computer Security), PgDip (Internet Security)
0418 919 902
evert at silver-sword.net
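As an added illustration (not part of the thread and not anyone's posted code), here is a small Python script that does the log review Niffum describes, offline: it parses Apache combined-format lines, lists clients that request several distinct missing URLs (the "hammering random sites" pattern, status 404), and flags requests from external addresses that repeat a path an internal client fetched shortly before (the Cacti page being re-fetched). The IP addresses, paths and timestamps in the sample log are constructed; the RFC 1918 ranges used to define "internal" and the 15-minute replay window are assumptions, not anything the thread states.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Apache "combined" log format: client ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumption: the LAN uses RFC 1918 space; anything else is treated as external.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample: one LAN client views a Cacti graph page, then an external
# address (192.0.2.10, from the RFC 5737 documentation range) probes several
# non-existent paths and re-fetches the same Cacti page a few minutes later.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jan/2009:18:20:01 +0900] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux) Firefox/3.0"
192.0.2.10 - - [11/Jan/2009:18:26:28 +0900] "GET /old/page.html HTTP/1.0" 404 91 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.10 - - [11/Jan/2009:18:26:29 +0900] "GET /wiki/index.php HTTP/1.0" 404 91 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.10 - - [11/Jan/2009:18:26:31 +0900] "GET /cacti/graph_view.php?action=tree HTTP/1.0" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.10 - - [11/Jan/2009:18:26:33 +0900] "GET /phpmyadmin/ HTTP/1.0" 404 91 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [11/Jan/2009:19:00:00 +0900] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.18"
"""


def is_internal(ip):
    """True if the client address falls inside one of the assumed LAN ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        # %z accepts the "+0900" offset Apache writes, giving a timezone-aware datetime
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def not_found_by_ip(entries, min_hits=3):
    """Clients that requested at least min_hits *distinct* missing paths (status 404)."""
    missing = defaultdict(set)
    for e in entries:
        if e["status"] == 404:
            missing[e["ip"]].add(e["path"])
    return {ip: len(paths) for ip, paths in missing.items() if len(paths) >= min_hits}


def replayed_paths(entries, window=timedelta(minutes=15)):
    """External requests that repeat a path an internal client fetched within `window`.

    Returns (external_ip, path, internal_ip, seconds_after) tuples, in log order.
    """
    hits = []
    internal_seen = []  # (timestamp, internal ip, path) in chronological order
    for e in sorted(entries, key=lambda x: x["ts"]):
        if is_internal(e["ip"]):
            internal_seen.append((e["ts"], e["ip"], e["path"]))
            continue
        for ts, lan_ip, path in internal_seen:
            delay = e["ts"] - ts
            if path == e["path"] and timedelta(0) <= delay <= window:
                hits.append((e["ip"], e["path"], lan_ip, int(delay.total_seconds())))
    return hits


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("clients probing many missing paths:", not_found_by_ip(entries))
    for ext_ip, path, lan_ip, secs in replayed_paths(entries):
        print(f"{ext_ip} re-fetched {path} {secs}s after {lan_ip} viewed it")
```

Run against a real access log, the second report is the one that separates a generic scanner from the "follows what I browse" behaviour in the thread: a scanner produces 404 noise on its own, whereas a URL-checking service re-requests exactly the paths a LAN client just visited, with a short and fairly constant delay. Either way the next step is the same as in the reply above: attribute the address with whois and a reverse lookup before deciding whether to block it.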
