[plug] 150.70.84.43

Evert van Dijk evert at silver-sword.net
Sun Jan 11 17:55:35 WST 2009


I just realised that the reverse DNS entry can be set to be a false address pretty easily, so someone might be using this to look legitimate.


----- Original Message -----
From: "Evert van Dijk" <evert at silver-sword.net>
To: plug at plug.org.au
Sent: Sunday, 11 January, 2009 5:52:49 PM GMT +08:00 Perth
Subject: Re: [plug] 150.70.84.43


It seems that the IP address is hosted in Japan.

whois tells me:
whois 150.70.84.43
inetnum:      150.26.0.0 - 150.100.255.255
netname:      JAPAN150
country:      JP
descr:        Japan Network Information Center
   <snip>
role:         Japan Network Information Center
address:      Kokusai-Kougyou-Kanda Bldg 6F, 2-3-4 Uchi-Kanda
address:      Chiyoda-ku, Tokyo 101-0047, Japan
country:      JP
   <snip>

And a reverse DNS lookup tells me that Trend Micro are using the specific IP.

dig -x 150.70.84.43
; <<>> DiG 9.3.4-P1 <<>> -x 150.70.84.43
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26411
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;43.84.70.150.in-addr.arpa.     IN      PTR

;; AUTHORITY SECTION:
70.150.in-addr.arpa.    3600    IN      SOA     tmns1.trendmicro.com. dnsadmin.trendmicro.com. 55 60 600 86400 3600

;; Query time: 1058 msec
;; SERVER: 10.1.1.100#53(10.1.1.100)
;; WHEN: Sun Jan 11 17:40:17 2009
;; MSG SIZE  rcvd: 108


Not knowing your setup: is it possible you have the Trend Micro antivirus software installed and that this is using a remote service to check websites for malicious code or whatever on the website?

My dealings with Trend Micro are that their products are pretty good, so I don't think that it is a dodgy remote host.

Good luck.


----- Original Message -----
From: "Niffum" <bulkniffum at iinet.net.au>
To: plug at plug.org.au
Sent: Sunday, 11 January, 2009 6:38:02 PM GMT +08:00 Perth
Subject: [plug] 150.70.84.43

A few days ago I was bored, so I figured it would be a nice waste of time to go through my webserver logs... and I found that a particular IP address had been hammering what would appear to be random sites on my webserver.

A typical log entry would be something like:
150.70.84.43 - - [11/Jan/2009:18:26:28 +0900] "GET /cacti/graph_image.php?local_graph_id=368&rra_id=0&view_type=tree&graph_start=1231579396&graph_end=1231665796 HTTP/1.0" 404 91 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

I have been monitoring this IP address for a little while now and I have noticed something very odd. I open up Firefox and go to my local webserver. I open my Cacti web pages and have a look at the pretty graphs. I then walk away and do something random. When I come back, there is an entry in the Apache access log which is exactly the same as the one I was looking at.

I thought maybe it was some kind of Google bot which was getting its information from the Referer that Firefox was sending out, so I permanently set that to www.fbi.gov, but that made no difference.

This has been happening for over a year, apparently.

I'm not even sure what to google. Has anyone seen this kind of thing before?

_______________________________________________
PLUG discussion list: plug at plug.org.au
http://www.plug.org.au/mailman/listinfo/plug
Committee e-mail: committee at plug.linux.org.au


-- 
Regards

Evert van Dijk BBus (MIS & e-Commerce)
PgCert (Computer Security), PgDip (Internet Security)
0418 919 902
evert at silver-sword.net
http://www.silver-sword.net
http://www.linkedin.com/in/evertvandijk


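On the point raised at the top of the thread (that a reverse DNS entry can name anything the holder of the in-addr.arpa delegation likes), the usual check is forward-confirmed reverse DNS: resolve the PTR, then resolve that name forward and accept it only if the answers include the original address. The block below is an added example written for this page, not code from the thread or from Trend Micro; the resolver is injected and backed by a constructed answer table so it runs offline. The 192.0.2.x addresses and example.net/example.org names in that table are invented for illustration; the only fact taken from the thread is that 150.70.84.43 had no PTR record (dig returned NXDOMAIN).

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for an IP address.

Added example, not code from the PLUG thread. The PTR record for an address
is published by whoever controls the reverse delegation for the netblock, so
it can claim any hostname; only a PTR name whose own A/AAAA records point back
at the original address is trusted here.
"""
import ipaddress
from typing import Callable, Dict, List

# Constructed sample data (assumption for the example, not real DNS answers).
# The thread's dig output returned NXDOMAIN for 43.84.70.150.in-addr.arpa, so
# that address is deliberately absent: it has no PTR at all.
SAMPLE_RECORDS: Dict[str, List[str]] = {
    # PTR and forward A record agree: forward-confirmed
    "1.2.0.192.in-addr.arpa.": ["host.example.net."],
    "host.example.net.": ["192.0.2.1"],
    # PTR claims somebody else's hostname, whose A record points elsewhere
    "2.2.0.192.in-addr.arpa.": ["mail.some-bank.example.org."],
    "mail.some-bank.example.org.": ["203.0.113.10"],
}

Resolver = Callable[[str, str], List[str]]


def sample_resolver(name: str, rtype: str) -> List[str]:
    """Toy resolver over SAMPLE_RECORDS; an empty list stands for NXDOMAIN/NODATA."""
    return SAMPLE_RECORDS.get(name, [])


def reverse_name(ip: str) -> str:
    """'150.70.84.43' -> '43.84.70.150.in-addr.arpa.' (IPv6 yields ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns(ip: str, resolve: Resolver = sample_resolver) -> dict:
    """Return the PTR names for ip and which of them forward-confirm.

    verdict is one of:
      "no-ptr"       no PTR record at all (the 150.70.84.43 case in the thread)
      "confirmed"    at least one PTR name resolves back to ip
      "unconfirmed"  PTR names exist but none resolves back: do not trust them
    """
    addr = ipaddress.ip_address(ip)
    ptr_names = resolve(reverse_name(ip), "PTR")
    if not ptr_names:
        return {"ip": ip, "ptr": [], "confirmed": [], "verdict": "no-ptr"}
    rtype = "AAAA" if addr.version == 6 else "A"
    confirmed = [
        name for name in ptr_names
        if any(ipaddress.ip_address(a) == addr for a in resolve(name, rtype))
    ]
    verdict = "confirmed" if confirmed else "unconfirmed"
    return {"ip": ip, "ptr": ptr_names, "confirmed": confirmed, "verdict": verdict}


if __name__ == "__main__":
    for ip in ("150.70.84.43", "192.0.2.1", "192.0.2.2"):
        print(fcrdns(ip))
```

Note that the SOA in the dig output above only shows which nameservers are authoritative for 70.150.in-addr.arpa; that tells you who was delegated the reverse zone, not which host sits on the address. To run the same check against live DNS, replace sample_resolver with a function that performs the PTR and A/AAAA queries (for instance by wrapping dig -x and dig +short).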

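The behaviour Niffum describes (a remote address re-requesting exactly the URL a local browser fetched a short while earlier) can be pulled out of the access log mechanically rather than by watching it. The following is an added example, not code from the thread: it parses Apache combined-format lines, remembers every method and path requested from a local network, and flags any other client that repeats one of them within a time window, then reports per remote address how much of its traffic was such replays. The local network 10.1.1.0/24, the 30-minute window and the sample log lines are assumptions constructed for the example; only the second line is modelled on the entry quoted in the thread.

```python
"""Flag a remote client that re-fetches what a local browser just requested.

Added example for this page, not code from the thread. Parses Apache
"combined" access-log lines; a hit is a request from a non-local address for a
(method, path) that a local address requested within WINDOW before it.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Combined log format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed local network of the browsing workstation; adjust to your own.
LOCAL_NETS = [ipaddress.ip_network("10.1.1.0/24")]
# How long after the local request a repeat still counts as a replay.
WINDOW = timedelta(minutes=30)

# Constructed sample log (not the poster's real log). 10.1.1.50 stands for the
# local Firefox session; line 2 is modelled on the entry quoted in the thread.
SAMPLE_LOG = """\
10.1.1.50 - - [11/Jan/2009:18:25:40 +0900] "GET /cacti/graph_image.php?local_graph_id=368&rra_id=0&view_type=tree&graph_start=1231579396&graph_end=1231665796 HTTP/1.1" 200 15234 "http://10.1.1.1/cacti/graph_view.php" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.5) Gecko/2008121622 Firefox/3.0.5"
150.70.84.43 - - [11/Jan/2009:18:26:28 +0900] "GET /cacti/graph_image.php?local_graph_id=368&rra_id=0&view_type=tree&graph_start=1231579396&graph_end=1231665796 HTTP/1.0" 404 91 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.1.1.50 - - [11/Jan/2009:18:30:02 +0900] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 8012 "http://10.1.1.1/cacti/index.php" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.5) Gecko/2008121622 Firefox/3.0.5"
198.51.100.7 - - [11/Jan/2009:18:31:00 +0900] "GET /robots.txt HTTP/1.1" 200 24 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
150.70.84.43 - - [11/Jan/2009:18:34:10 +0900] "GET /cacti/graph_view.php?action=tree HTTP/1.0" 404 91 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
150.70.84.43 - - [11/Jan/2009:20:15:00 +0900] "GET /cacti/graph_image.php?local_graph_id=368&rra_id=0&view_type=tree&graph_start=1231579396&graph_end=1231665796 HTTP/1.0" 404 91 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_local(ip: str, nets=LOCAL_NETS) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def find_replays(log_text: str, nets=LOCAL_NETS, window: timedelta = WINDOW) -> List[dict]:
    """One record per remote request that repeats a recent local request."""
    seen: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = {}
    hits: List[dict] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["method"], rec["path"])
        if is_local(rec["ip"], nets):
            seen.setdefault(key, []).append((rec["ts"], rec["ip"]))
            continue
        # Match against the most recent local request for the same URL that
        # precedes this one by no more than the window.
        for local_ts, local_ip in reversed(seen.get(key, [])):
            delay = rec["ts"] - local_ts
            if timedelta(0) <= delay <= window:
                hits.append({
                    "remote": rec["ip"], "local": local_ip, "path": rec["path"],
                    "delay_s": int(delay.total_seconds()),
                    "status": rec["status"], "ua": rec["ua"],
                })
                break
    return hits


def summarize(log_text: str, nets=LOCAL_NETS, window: timedelta = WINDOW) -> Dict[str, dict]:
    """Per remote address: total requests, how many were replays, and the ratio.

    A ratio near 1.0 means nearly everything that address fetched was
    something a local user had just looked at, which is the pattern the
    poster noticed; a crawler like the one on 198.51.100.7 scores 0.
    """
    remote_total: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and not is_local(rec["ip"], nets):
            remote_total[rec["ip"]] += 1
    replays = Counter(h["remote"] for h in find_replays(log_text, nets, window))
    return {
        ip: {"requests": n, "replays": replays[ip], "ratio": replays[ip] / n}
        for ip, n in remote_total.items()
    }


if __name__ == "__main__":
    for hit in find_replays(SAMPLE_LOG):
        print(f'{hit["remote"]} repeated {hit["path"]} {hit["delay_s"]}s '
              f'after {hit["local"]} (status {hit["status"]})')
    print(summarize(SAMPLE_LOG))
```

The last sample line repeats a local URL almost two hours later and is deliberately left outside the window, so it counts towards the address's request total but not its replays; widen WINDOW if the delays you see in your own log are longer. Feed it your real access log with open("access.log").read() in place of SAMPLE_LOG, after setting LOCAL_NETS to the network your browser sits on.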