Velocity Reviews

Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   Computer Security (http://www.velocityreviews.com/forums/f38-computer-security.html)
-   -   Web Server Probe Confusion (http://www.velocityreviews.com/forums/t306150-web-server-probe-confusion.html)

Pete 12-03-2004 09:22 AM

Web Server Probe Confusion
 
Hello all,

As is normally the case with just about any Internet-accessible daemon, my
web server (apache) is receiving probes and attempted hacks on a daily
basis.

One in particular is confusing me as the information I've looked up on the
IP address in question seems to contradict itself.

First of all, the IP and the probe itself :

Attempts to use 1 known hacks were logged 2 time(s)
\\x90\\x90\\x90\\x90

A total of 1 sites probed the server
81.103.145.206


When I perform :

host 81.103.145.206

It returns :

206.145.103.81.in-addr.arpa domain name pointer
client-463-p-1-lns.glfd.dial.virgin.net.

But if I WHOIS the IP address, I get :

inetnum: 81.103.144.0 - 81.103.151.255
netname: NTL
descr: NTL Infrastructure - Guildford Datacentre
country: GB
admin-c: NNMC1-RIPE
tech-c: NNMC1-RIPE
status: ASSIGNED PA
mnt-by: AS5089-MNT
remarks: INFRA-AW
changed: hostmaster@ntli.net 20021118
source: RIPE

route: 81.102.0.0/15
descr: NTL-UK-IP-BLOCK
origin: AS5089
mnt-by: AS5089-MNT
changed: hostmaster@ntli.net 20040929
source: RIPE

(rest of WHOIS report snipped for brevity)

So, is it a virgin.net box or is it an NTL box? I must admit that the IP
address 'looks very NTL-ish', but I don't understand why 'host' reports it
as a virgin.net machine.

Dig, by the way, comes up with nothing.

Can anyone shed any light on this for me?

Thanks for your time and any information you might have.

Regards,

Pete.

Michael J. Pelletier 12-06-2004 03:36 AM

Re: Web Server Probe Confusion
 
Pete wrote:

> Hello all,
>
> As is normally the case with just about any Internet-accessible daemon, my
> web server (apache) is receiving probes and attempted hacks on a daily
> basis.
>
> One in particular is confusing me as the information I've looked up on the
> IP address in question seems to contradict itself.
>
> First of all, the IP and the probe itself :
>
> Attempts to use 1 known hacks were logged 2 time(s)
> \\x90\\x90\\x90\\x90
>
> A total of 1 sites probed the server
> 81.103.145.206
>
>
> When I perform :
>
> host 81.103.145.206
>
> It returns :
>
> 206.145.103.81.in-addr.arpa domain name pointer
> client-463-p-1-lns.glfd.dial.virgin.net.
>
> But if I WHOIS the IP address, I get :
>
> inetnum: 81.103.144.0 - 81.103.151.255
> netname: NTL
> descr: NTL Infrastructure - Guildford Datacentre
> country: GB
> admin-c: NNMC1-RIPE
> tech-c: NNMC1-RIPE
> status: ASSIGNED PA
> mnt-by: AS5089-MNT
> remarks: INFRA-AW
> changed: hostmaster@ntli.net 20021118
> source: RIPE
>
> route: 81.102.0.0/15
> descr: NTL-UK-IP-BLOCK
> origin: AS5089
> mnt-by: AS5089-MNT
> changed: hostmaster@ntli.net 20040929
> source: RIPE
>
> (rest of WHOIS report snipped for brevity)
>
> So, is it a virgin.net box or is it an NTL box? I must admit that the IP
> address 'looks very NTL-ish', but I don't understand why 'host' reports it
> as a virgin.net machine.
>
> Dig, by the way, comes up with nothing.
>
> Can anyone shed any light on this for me?
>
> Thanks for your time and any information you might have.
>
> Regards,
>
> Pete.



The whois command will tell you who "owns" the netblock. But remember, I can
"rent" subnet space on this netblock. So to answer your question:

The net block (the IP networks) is registered to NTL. NTL is basically an
ISP. However, Virgin has "rented" some IP subnets from NTL. It is kind of
like I own a building and lease an office to you. Many dialup ISP
companies do this (AOL, Earthlink, etc, etc).

I hope that helps you out. If not let me know.

-- Michael
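The point Michael is making is that the two lookups answer different questions: RIPE whois says who holds the address space (and which AS announces it), while `host` asks the reverse zone under in-addr.arpa, which the block holder (or whoever they delegate it to) populates with whatever names they like. The following is an added example, not code from the thread or from any of the tools mentioned; it feeds the host and whois output quoted above (copied as constructed inline strings, with the rest of the RIPE record snipped as in the post) through a small RPSL parser and reports both answers side by side. The function names and the last-two-labels domain heuristic are this example's own assumptions.

```python
import ipaddress
import re

# Constructed inputs, copied from the host/whois output quoted in this thread.
PROBE_IP = "81.103.145.206"
PTR_NAME = "client-463-p-1-lns.glfd.dial.virgin.net."

# The RIPE inetnum and route objects quoted above (attributes snipped to the
# ones this example uses; RPSL objects are separated by blank lines).
WHOIS_TEXT = """\
inetnum:  81.103.144.0 - 81.103.151.255
netname:  NTL
descr:    NTL Infrastructure - Guildford Datacentre
country:  GB
admin-c:  NNMC1-RIPE
tech-c:   NNMC1-RIPE
status:   ASSIGNED PA
mnt-by:   AS5089-MNT
source:   RIPE

route:    81.102.0.0/15
descr:    NTL-UK-IP-BLOCK
origin:   AS5089
mnt-by:   AS5089-MNT
source:   RIPE
"""


def reverse_name(ip: str) -> str:
    """The owner name 'host' asks for: the PTR record under in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def parse_rpsl(text: str) -> list:
    """Split RPSL-style whois output into objects, each a dict of
    attribute -> value. The first value wins if an attribute repeats."""
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        obj = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                obj.setdefault(key.strip(), value.strip())
        if obj:
            objects.append(obj)
    return objects


def inetnum_networks(value: str) -> list:
    """'a.b.c.d - e.f.g.h' (RIPE inetnum syntax) -> covering CIDR networks."""
    start, end = (ipaddress.ip_address(x.strip()) for x in value.split("-"))
    return list(ipaddress.summarize_address_range(start, end))


def reconcile(ip: str, ptr: str, whois_text: str) -> dict:
    """Answer the two questions separately: who holds the address space
    (registry data) and what name the reverse zone returns (DNS)."""
    addr = ipaddress.ip_address(ip)
    labels = ptr.rstrip(".").split(".")
    result = {
        "ip": ip,
        "ptr_query": reverse_name(ip),
        "ptr_name": ptr,
        # Last two labels only: fine for virgin.net, too short for names
        # under co.uk and the like; a public-suffix list would be needed there.
        "ptr_domain": ".".join(labels[-2:]),
        "inetnum": None,
        "netname": None,
        "route": None,
        "origin": None,
    }
    for obj in parse_rpsl(whois_text):
        if "inetnum" in obj and any(addr in n for n in inetnum_networks(obj["inetnum"])):
            result["inetnum"] = obj["inetnum"]
            result["netname"] = obj.get("netname")
        if "route" in obj and addr in ipaddress.ip_network(obj["route"], strict=False):
            result["route"] = obj["route"]
            result["origin"] = obj.get("origin")
    return result


def explain(r: dict) -> str:
    """One-paragraph reading of the reconciled data for a log review."""
    return (
        f"{r['ip']} lies in RIPE inetnum {r['inetnum']} (netname {r['netname']}), "
        f"announced as {r['route']} by {r['origin']}; the holder of that block "
        f"controls its reverse zone, and the PTR for {r['ptr_query']} currently "
        f"points at {r['ptr_name']} (under {r['ptr_domain']}). Registry and reverse "
        f"DNS answer different questions, so both can be right at once."
    )


if __name__ == "__main__":
    print(explain(reconcile(PROBE_IP, PTR_NAME, WHOIS_TEXT)))
```

Two practical caveats follow from this. A PTR is set by whoever runs the reverse zone and can say anything, so it is weak evidence on its own; the inetnum and the route/origin objects are what identify the responsible network for an abuse report. And an inetnum range does not always collapse to one CIDR prefix, which is why the range is summarised into a list of networks before the containment check.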



Michael J. Pelletier 12-06-2004 03:39 AM

Re: Web Server Probe Confusion
 
Pete wrote:

> Hello all,
>
> As is normally the case with just about any Internet-accessible daemon, my
> web server (apache) is receiving probes and attempted hacks on a daily
> basis.
>
> One in particular is confusing me as the information I've looked up on the
> IP address in question seems to contradict itself.
>
> First of all, the IP and the probe itself :
>
> Attempts to use 1 known hacks were logged 2 time(s)
> \\x90\\x90\\x90\\x90
>
> A total of 1 sites probed the server
> 81.103.145.206
>
>
> When I perform :
>
> host 81.103.145.206
>
> It returns :
>
> 206.145.103.81.in-addr.arpa domain name pointer
> client-463-p-1-lns.glfd.dial.virgin.net.
>
> But if I WHOIS the IP address, I get :
>
> inetnum: 81.103.144.0 - 81.103.151.255
> netname: NTL
> descr: NTL Infrastructure - Guildford Datacentre
> country: GB
> admin-c: NNMC1-RIPE
> tech-c: NNMC1-RIPE
> status: ASSIGNED PA
> mnt-by: AS5089-MNT
> remarks: INFRA-AW
> changed: hostmaster@ntli.net 20021118
> source: RIPE
>
> route: 81.102.0.0/15
> descr: NTL-UK-IP-BLOCK
> origin: AS5089
> mnt-by: AS5089-MNT
> changed: hostmaster@ntli.net 20040929
> source: RIPE
>
> (rest of WHOIS report snipped for brevity)
>
> So, is it a virgin.net box or is it an NTL box? I must admit that the IP
> address 'looks very NTL-ish', but I don't understand why 'host' reports it
> as a virgin.net machine.
>
> Dig, by the way, comes up with nothing.
>
> Can anyone shed any light on this for me?
>
> Thanks for your time and any information you might have.
>
> Regards,
>
> Pete.


I forgot one thing. If you are going to report the attempted buffer overflow
HTTP attack, you should make sure you send the exact time it happened,
because this IP appears to be used for dialup (PPP) access. Make sure
your time is accurate. Do you use NTP?

-- Michael
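Pete's log summary above (a run of `\x90`, the x86 NOP, in the request line) and Michael's advice about exact times for a dialup address both come down to the same log-handling step, so here is one added example covering both; it is not Pete's log-analysis tool or any script from the thread. It scans constructed Apache combined-format lines (invented for this example, not Pete's real log) for NOP sleds, counts them per source IP as the summary above does, and normalises each timestamp to UTC so that the ISP can match it against its own RADIUS or PPP session records. The function names and the four-byte threshold are this example's own choices.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed Apache combined-format log lines (not Pete's real log). Apache
# writes non-printable request bytes as \xNN escapes, so a NOP sled appears in
# the file as the literal characters '\x90', exactly as in the summary above.
SAMPLE_LOG = r"""
81.103.145.206 - - [03/Dec/2004:07:41:12 +0000] "GET /\x90\x90\x90\x90\x90\x90\x90\x90 HTTP/1.0" 404 283 "-" "-"
81.103.145.206 - - [03/Dec/2004:07:41:15 +0000] "GET /cgi-bin/\x90\x90\x90\x90 HTTP/1.0" 404 289 "-" "-"
192.0.2.10 - - [03/Dec/2004:09:15:30 +0100] "GET /index.html HTTP/1.1" 200 1534 "-" "Mozilla/5.0"
192.0.2.10 - - [03/Dec/2004:09:16:02 +0100] "GET /\x90\x90\x90\x90\x90\x90 HTTP/1.0" 404 283 "-" "-"
""".strip()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Four or more consecutive escaped 0x90 bytes: the x86 NOP sled that pads a
# stack-smashing payload so an imprecise return address still lands on it.
NOP_SLED = re.compile(r"(?:\\x90){4,}", re.IGNORECASE)


def parse_line(line: str):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Apache logs local time with a UTC offset; keep the original text and
    # also normalise to UTC so the report is unambiguous to the remote ISP.
    local = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m["ip"],
        "local": m["ts"],
        "utc": local.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "request": m["request"],
        "status": int(m["status"]),
    }


def find_probes(lines):
    """Return the parsed entries whose request line carries a NOP sled."""
    probes = []
    for line in lines:
        entry = parse_line(line)
        if entry and NOP_SLED.search(entry["request"]):
            probes.append(entry)
    return probes


def summarize(probes) -> dict:
    """Per-source-IP count, like the 'logged N time(s)' summary above."""
    return dict(Counter(p["ip"] for p in probes))


def abuse_report(probes, ip: str) -> str:
    """Lines for an abuse report: UTC time, original local time, request."""
    rows = [p for p in probes if p["ip"] == ip]
    header = f"NOP-sled HTTP probes from {ip}: {len(rows)} event(s), times in UTC\n"
    return header + "".join(
        f"  {p['utc']}  (logged as {p['local']})  {p['request']!r} -> {p['status']}\n"
        for p in rows
    )


if __name__ == "__main__":
    found = find_probes(SAMPLE_LOG.splitlines())
    print(summarize(found))
    print(abuse_report(found, "81.103.145.206"))
```

The UTC conversion only removes the timezone ambiguity; it cannot correct a clock that was wrong when the line was written, which is why Michael's NTP question matters: a dialup pool reassigns the same address to a different customer every few minutes, so a timestamp that is out by even a little points the ISP at the wrong session.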



Pete 12-06-2004 07:46 AM

Re: Web Server Probe Confusion
 
On 2004-12-06, Michael J. Pelletier <mjpelletier@mjpelletier.com> wrote:

> I forgot one thing. If you are going to report the attempted buffer overflow
> HTTP attack, you should make sure you send the exact time it happened,
> because this IP appears to be used for dialup (PPP) access. Make sure
> your time is accurate. Do you use NTP?


Michael, thank you very much for the explanations regarding why I was
getting two different 'owners' of the same IP. It all makes sense now.

I wasn't going to bother reporting it until it becomes a lot more severe. I
sometimes get the feeling that this might be a prelude to a much larger
attack, but then again, it's more likely a bored script-kiddiot or some other lame
wannabe cracker. I'll take my chances on this one as the server is monitored
daily and I can hopefully shut it down if things go swirly because of some
kind of sustained attack.

Nothing of any value resides on the server except for any web pages that
are already viewable using a browser. My main machine is firewalled so
hopefully any successful crack attempt would not go as far as my main machine.
So that just leaves the server vulnerable to being 'taken over' and used in
some other kind of attack I guess.

I don't use NTP as far as I know. I will start the daemon up anyway though.
Thanks for the tip, and again, thanks for the info on the IP address. Much
appreciated.

Regards,

Pete.

--
"Damn it Jim, I'm a sig file not an actor !"

