[plug] 150.70.84.43
Evert van Dijk
evert at silver-sword.net
Sun Jan 11 17:55:35 WST 2009
I just realised that the reverse DNS entry can be set to a false address pretty easily, so someone might be using this to look legitimate.
----- Original Message -----
From: "Evert van Dijk" <evert at silver-sword.net>
To: plug at plug.org.au
Sent: Sunday, 11 January, 2009 5:52:49 PM GMT +08:00 Perth
Subject: Re: [plug] 150.70.84.43
It seems that the IP address is hosted in Japan.
whois tells me
whois 150.70.84.43
inetnum: 150.26.0.0 - 150.100.255.255
netname: JAPAN150
country: JP
descr: Japan Network Information Center
<snip>
role: Japan Network Information Center
address: Kokusai-Kougyou-Kanda Bldg 6F, 2-3-4 Uchi-Kanda
address: Chiyoda-ku, Tokyo 101-0047, Japan
country: JP
<snip>
And a reverse DNS lookup tells me that Trend Micro are using the specific IP.
dig -x 150.70.84.43
; <<>> DiG 9.3.4-P1 <<>> -x 150.70.84.43
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26411
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;43.84.70.150.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
70.150.in-addr.arpa. 3600 IN SOA tmns1.trendmicro.com. dnsadmin.trendmicro.com. 55 60 600 86400 3600
;; Query time: 1058 msec
;; SERVER: 10.1.1.100#53(10.1.1.100)
;; WHEN: Sun Jan 11 17:40:17 2009
;; MSG SIZE rcvd: 108
Not knowing your setup: is it possible you have the Trend Micro antivirus software installed and that this is using a remote service to check websites for malicious code or whatever on the website?
My dealings with Trend Micro are that their products are pretty good, so I don't think that it is a dodgy remote host.
Good luck
----- Original Message -----
From: "Niffum" <bulkniffum at iinet.net.au>
To: plug at plug.org.au
Sent: Sunday, 11 January, 2009 6:38:02 PM GMT +08:00 Perth
Subject: [plug] 150.70.84.43
A few days ago I was bored so I figured it would be a nice waste of time to go through my webserver logs... and I found that a particular IP address had been hammering what would appear to be random sites on my webserver.
A typical log entry would be something like:
150.70.84.43 - - [11/Jan/2009:18:26:28 +0900] "GET
/cacti/graph_image.php?local_graph_id=368&rra_id=0&view_type=tree&graph_start=1231579396&graph_end=1231665796
HTTP/1.0" 404 91 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
I have been monitoring this IP address for a little while now and I have noticed something very odd. I open up Firefox and go to my local webserver. I open my cacti web pages and have a look at the pretty graphs. I then walk away and do something random. When I come back, there is an entry in the apache access log which is exactly the same as the one I was looking at.
I thought maybe it was some kind of Google bot which was getting its information from the referer that Firefox was sending out so I permanently set that to www.fbi.gov, but that made no difference.
This has been happening for over a year, apparently.
I'm not even sure what to google. Has anyone seen this kind of thing before?
_______________________________________________
PLUG discussion list: plug at plug.org.au
http://www.plug.org.au/mailman/listinfo/plug
Committee e-mail: committee at plug.linux.org.au
--
Regards
Evert van Dijk BBus (MIS & e-Commerce)
PgCert (Computer Security), PgDip (Internet Security)
0418 919 902
evert at silver-sword.net
http://www.silver-sword.net
http://www.linkedin.com/in/evertvandijk
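A forward-confirmed reverse DNS (FCrDNS) check is the usual answer to the spoofed-PTR concern raised in this thread: a PTR name is only trusted when it resolves back to the same IP, and an empty PTR answer (the NXDOMAIN in the dig output above) gives no name to confirm at all. This is added example code, not from any poster; the access-log lines and resolver answers are constructed inline (example.* names and RFC 5737 addresses are hypothetical) so it runs offline.

```python
"""FCrDNS triage of client IPs from an Apache combined access log.
Added example: resolver answers below are constructed, not live DNS."""
import ipaddress
import re
from collections import Counter

# Constructed log lines in the same combined format as the entry quoted in the thread.
ACCESS_LOG = """\
150.70.84.43 - - [11/Jan/2009:18:26:28 +0900] "GET /cacti/graph_image.php?local_graph_id=368 HTTP/1.0" 404 91 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
150.70.84.43 - - [11/Jan/2009:18:28:10 +0900] "GET /cacti/graph_image.php?local_graph_id=369 HTTP/1.0" 404 91 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.1 - - [11/Jan/2009:18:27:01 +0900] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.19"
192.0.2.2 - - [11/Jan/2009:18:27:05 +0900] "GET /cacti/ HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3})')

# Constructed resolver data (hypothetical names, RFC 5737 addresses); an
# absent key models the NXDOMAIN that the dig output in the thread shows.
PTR_RECORDS = {
    "1.2.0.192.in-addr.arpa.": ["mail.example.net."],        # honest: forward agrees
    "2.2.0.192.in-addr.arpa.": ["av-scanner.example.com."],  # spoofed: forward disagrees
}
A_RECORDS = {"mail.example.net.": ["192.0.2.1"],
             "av-scanner.example.com.": ["198.51.100.7"]}

def ptr_lookup(name): return PTR_RECORDS.get(name, [])
def a_lookup(name): return A_RECORDS.get(name, [])

def reverse_name(ip):
    """IP -> in-addr.arpa / ip6.arpa owner name, dig -x style (trailing dot)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def fcrdns(ip, ptr=ptr_lookup, a=a_lookup):
    """Trust a PTR name only if it resolves back to the same IP.
    Returns (status, names): 'confirmed', 'unconfirmed' or 'no-ptr'."""
    names = ptr(reverse_name(ip))
    if not names:
        return "no-ptr", []
    confirmed = [n for n in names if ip in a(n)]
    return ("confirmed", confirmed) if confirmed else ("unconfirmed", names)

def triage(log_text):
    """Per client IP: (hit count, FCrDNS status, names involved)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            hits[m.group("ip")] += 1
    return {ip: (n, *fcrdns(ip)) for ip, n in hits.items()}

if __name__ == "__main__":
    for ip, (n, status, names) in triage(ACCESS_LOG).items():
        print(f"{ip:<14} hits={n:<3} rdns={status:<12} {' '.join(names)}")
```

Swap `ptr_lookup` and `a_lookup` for real resolver calls to run it against live data; an `unconfirmed` result is the case where a PTR name alone would have misled you.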