Yes I agree, but since it came with a ping and only once, I figured it was not a worm but a person on the other end.

On Thu, 2002-04-18 at 08:50, Charles R. Anderson wrote:
On Thu, Apr 18, 2002 at 08:39:00AM -0400, Jason Calvert wrote:
calvert> It does not really look like someone is trying to break through your
calvert> file wall, they are not sending acks or anything strange, they are
calvert> simply trying to view content on your httpd server which you are not
calvert> running I guess. Have they scanned any other ports? (other than the ICMP
calvert> ping?) If I saw a port scan or ack packets I would be more concerned.
calvert> If you have a dynamic IP it could be someone trying to return to a site
calvert> they were at before...
calvert> Usually a break-in attempt will cause a lot more traffic than a http
calvert> request.

Actually, unsolicited http requests like this are usually viruses like Code Red or Nimda.
Sometimes the IP address doesn't have a DNS reversal. In either case, I like to look them up in ARIN/RIPE/APNIC:
whois 66.189.81.226@whois.arin.net
[whois.arin.net]
Charter Communications (NETBLK-CHARTER-NET-5BLK) CHARTER-NET-5BLK
    66.188.0.0 - 66.191.255.255
Charter Communications (NETBLK-OXFD-MA-66-189-080) OXFD-MA-66-189-080
    66.189.80.0 - 66.189.83.255

To single out one record, look it up with "!xxx", where xxx is the handle, shown in parenthesis following the name, which comes first.
The ARIN Registration Services Host contains ONLY Internet Network Information: Networks, ASN's, and related POC's. Please use the whois server at rs.internic.net for DOMAIN related Information and whois.nic.mil for NIPRNET Information.
whois \!NETBLK-OXFD-MA-66-189-080@whois.arin.net
[whois.arin.net]
Charter Communications (NETBLK-OXFD-MA-66-189-080)
    12405 Powerscourt Dr.
    St. Louis, MO 63131
    US

Netname: OXFD-MA-66-189-080
Netblock: 66.189.80.0 - 66.189.83.255

Coordinator:
    Charter Communications (ZC119-ARIN) ipaddressing@chartercom.com
    314-965-0555

Domain System inverse mapping provided by:

NS1.CHARTER.COM 24.196.241.11
NS2.CHARTER.COM 24.213.60.79

Record last updated on 12-Dec-2001.
Database last updated on 17-Apr-2002 19:59:25 EDT.

The ARIN Registration Services Host contains ONLY Internet Network Information: Networks, ASN's, and related POC's. Please use the whois server at rs.internic.net for DOMAIN related Information and whois.nic.mil for NIPRNET Information.
If the results come up with RIPE, redo the query with whois.ripe.net. If the results come up with APNIC, use whois.apnic.net.

--
Charles R. Anderson <cra@wpi.edu> / http://angus.ind.wpi.edu/~cra/
PGP Key ID: 49BB5886
Fingerprint: EBA3 A106 7C93 FA07 8E15 3AC2 C367 A0F9 49BB 5886
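
Added example, not part of the original messages: the lookup procedure described above (find the most specific netblock in the ARIN listing, re-query it by "!handle", or repeat the query at RIPE/APNIC when the block belongs to them), written in Python. The function names, the record regex and the rule for spotting a RIPE/APNIC record are assumptions based on the 2002-era listing layout quoted in the message.

```python
import ipaddress
import re
import socket

# Constructed sample: the two-record listing from the message, one record per line.
SAMPLE = """\
Charter Communications (NETBLK-CHARTER-NET-5BLK) CHARTER-NET-5BLK 66.188.0.0 - 66.191.255.255
Charter Communications (NETBLK-OXFD-MA-66-189-080) OXFD-MA-66-189-080 66.189.80.0 - 66.189.83.255
"""

# Assumed record layout: name (HANDLE) netname first-ip - last-ip
RECORD = re.compile(
    r"^(?P<name>.+?) \((?P<handle>[A-Z0-9-]+)\)\s+\S+\s+"
    r"(?P<first>[\d.]+) - (?P<last>[\d.]+)\s*$")

REFERRALS = {"RIPE": "whois.ripe.net", "APNIC": "whois.apnic.net"}  # servers named in the message


def parse_listing(text):
    """Return (name, handle, first_ip, last_ip) for every netblock line found."""
    out = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            out.append((m["name"], m["handle"],
                        ipaddress.ip_address(m["first"]),
                        ipaddress.ip_address(m["last"])))
    return out


def next_query(ip, text):
    """Pick the smallest block containing ip; return (server, query) or None."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in parse_listing(text) if r[2] <= addr <= r[3]]
    if not hits:
        return None
    name, handle, first, last = min(hits, key=lambda r: int(r[3]) - int(r[2]))
    for tag, server in REFERRALS.items():
        if re.search(rf"\b{tag}\b", name.upper() + " " + handle):
            return server, ip  # block belongs to another registry: repeat the IP query there
    return "whois.arin.net", "!" + handle


def whois(server, query, timeout=10):
    """Plain whois lookup over TCP port 43; needs network access."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(query.encode() + b"\r\n")
        return b"".join(iter(lambda: s.recv(4096), b"")).decode(errors="replace")
```

Passing the pair returned by `next_query` to `whois` performs the follow-up lookup; the "!" needs no backslash here because no shell is involved.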