Web Server Probe Confusion

Discussion in 'Computer Security' started by Pete, Dec 3, 2004.

  1. Pete

    Pete Guest

    Hello all,

    As is normally the case with just about any Internet-accessible daemon, my
    web server (apache) is receiving probes and attempted hacks on a daily
    basis.

    One in particular is confusing me as the information I've looked up on the
    IP address in question seems to contradict itself.

    First of all, the IP and the probe itself :

    Attempts to use 1 known hacks were logged 2 time(s)
    \\x90\\x90\\x90\\x90

    A total of 1 sites probed the server
    81.103.145.206


    When I perform :

    host 81.103.145.206

    It returns :

    206.145.103.81.in-addr.arpa domain name pointer
    client-463-p-1-lns.glfd.dial.virgin.net.

    But if I WHOIS the IP address, I get :

    inetnum: 81.103.144.0 - 81.103.151.255
    netname: NTL
    descr: NTL Infrastructure - Guildford Datacentre
    country: GB
    admin-c: NNMC1-RIPE
    tech-c: NNMC1-RIPE
    status: ASSIGNED PA
    mnt-by: AS5089-MNT
    remarks: INFRA-AW
    changed: 20021118
    source: RIPE

    route: 81.102.0.0/15
    descr: NTL-UK-IP-BLOCK
    origin: AS5089
    mnt-by: AS5089-MNT
    changed: 20040929
    source: RIPE

    (rest of WHOIS report snipped for brevity)

    So, is it a virgin.net box or is it an NTL box ? I must admit that the IP
    address 'looks very NTL-ish', but I don't understand why 'host' reports it
    as a virgin.net machine.

    Dig, by the way, comes up with nothing.

    Can anyone shed any light on this for me ?

    Thanks for your time and any information you might have.

    Regards,

    Pete.
     
    Pete, Dec 3, 2004
    #1

  2. Pete wrote:

    > Hello all,
    >
    > As is normally the case with just about any Internet-accessible daemon, my
    > web server (apache) is receiving probes and attempted hacks on a daily
    > basis.
    >
    > One in particular is confusing me as the information I've looked up on the
    > IP address in question seems to contradict itself.
    >
    > First of all, the IP and the probe itself :
    >
    > Attempts to use 1 known hacks were logged 2 time(s)
    > \\x90\\x90\\x90\\x90
    >
    > A total of 1 sites probed the server
    > 81.103.145.206
    >
    >
    > When I perform :
    >
    > host 81.103.145.206
    >
    > It returns :
    >
    > 206.145.103.81.in-addr.arpa domain name pointer
    > client-463-p-1-lns.glfd.dial.virgin.net.
    >
    > But if I WHOIS the IP address, I get :
    >
    > inetnum: 81.103.144.0 - 81.103.151.255
    > netname: NTL
    > descr: NTL Infrastructure - Guildford Datacentre
    > country: GB
    > admin-c: NNMC1-RIPE
    > tech-c: NNMC1-RIPE
    > status: ASSIGNED PA
    > mnt-by: AS5089-MNT
    > remarks: INFRA-AW
    > changed: 20021118
    > source: RIPE
    >
    > route: 81.102.0.0/15
    > descr: NTL-UK-IP-BLOCK
    > origin: AS5089
    > mnt-by: AS5089-MNT
    > changed: 20040929
    > source: RIPE
    >
    > (rest of WHOIS report snipped for brevity)
    >
    > So, is it a virgin.net box or is it an NTL box ? I must admit that the IP
    > address 'looks very NTL-ish', but I don't understand why 'host' reports it
    > as a virgin.net machine.
    >
    > Dig, by the way, comes up with nothing.
    >
    > Can anyone shed any light on this for me ?
    >
    > Thanks for your time and any information you might have.
    >
    > Regards,
    >
    > Pete.



    The whois command will tell you who "owns" the netblock. But remember, I can
    "rent" subnet space on this netblock. So to answer your question:

    The net block (the IP networks) is registered to NTL. NTL is basically an
    ISP. However, Virgin has "rented" some IP subnets from NTL. It is kinda
    like I own a building and lease an office to you. Many dialup ISP
    companies do this (AOL, Earthlink, etc, etc).

    I hope that helps you out. If not let me know.

    -- Michael
     
    Michael J. Pelletier, Dec 6, 2004
    #2

  3. Pete wrote:

    > Hello all,
    >
    > As is normally the case with just about any Internet-accessible daemon, my
    > web server (apache) is receiving probes and attempted hacks on a daily
    > basis.
    >
    > One in particular is confusing me as the information I've looked up on the
    > IP address in question seems to contradict itself.
    >
    > First of all, the IP and the probe itself :
    >
    > Attempts to use 1 known hacks were logged 2 time(s)
    > \\x90\\x90\\x90\\x90
    >
    > A total of 1 sites probed the server
    > 81.103.145.206
    >
    >
    > When I perform :
    >
    > host 81.103.145.206
    >
    > It returns :
    >
    > 206.145.103.81.in-addr.arpa domain name pointer
    > client-463-p-1-lns.glfd.dial.virgin.net.
    >
    > But if I WHOIS the IP address, I get :
    >
    > inetnum: 81.103.144.0 - 81.103.151.255
    > netname: NTL
    > descr: NTL Infrastructure - Guildford Datacentre
    > country: GB
    > admin-c: NNMC1-RIPE
    > tech-c: NNMC1-RIPE
    > status: ASSIGNED PA
    > mnt-by: AS5089-MNT
    > remarks: INFRA-AW
    > changed: 20021118
    > source: RIPE
    >
    > route: 81.102.0.0/15
    > descr: NTL-UK-IP-BLOCK
    > origin: AS5089
    > mnt-by: AS5089-MNT
    > changed: 20040929
    > source: RIPE
    >
    > (rest of WHOIS report snipped for brevity)
    >
    > So, is it a virgin.net box or is it an NTL box ? I must admit that the IP
    > address 'looks very NTL-ish', but I don't understand why 'host' reports it
    > as a virgin.net machine.
    >
    > Dig, by the way, comes up with nothing.
    >
    > Can anyone shed any light on this for me ?
    >
    > Thanks for your time and any information you might have.
    >
    > Regards,
    >
    > Pete.


    I forgot one thing. If you are going to report the attempted buffer overflow
    HTTP attack, you should make sure you send the exact time it happened,
    because this IP appears to be used for dialup (PPP) access. Make sure
    your time is accurate. Do you use NTP?

    -- Michael
     
    Michael J. Pelletier, Dec 6, 2004
    #3
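    The two answers above make two separate points: the registry (WHOIS) tells you who holds the netblock, while reverse DNS tells you what name the block holder (or whoever they delegated the reverse zone to) has given that one address, and a report against a dialup address is only useful with an accurate timestamp. The script below is an added example, not code from the thread or from either poster. It parses the RIPE excerpt Pete quoted (embedded as a constructed copy so it runs offline), checks which inetnum and route objects contain the address, extracts the registrable domain from the PTR name, and builds an abuse-report line with an ISO-8601 UTC timestamp from an Apache-style log stamp. It goes one step beyond the thread by adding a forward-confirmed reverse DNS check (the PTR name must resolve back to the same address before it counts as evidence); the `FORWARD_RECORDS` table and the log timestamp are constructed stand-ins, and all function names are my own.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed copy of the RIPE WHOIS excerpt quoted in the thread (the rest was
# snipped there, so it is snipped here too). A real tool would fetch this live.
WHOIS_TEXT = """\
inetnum: 81.103.144.0 - 81.103.151.255
netname: NTL
descr: NTL Infrastructure - Guildford Datacentre
country: GB
admin-c: NNMC1-RIPE
tech-c: NNMC1-RIPE
status: ASSIGNED PA
mnt-by: AS5089-MNT
remarks: INFRA-AW
changed: 20021118
source: RIPE

route: 81.102.0.0/15
descr: NTL-UK-IP-BLOCK
origin: AS5089
mnt-by: AS5089-MNT
changed: 20040929
source: RIPE
"""

# The PTR record that 'host' returned in the thread.
PTR_NAME = "client-463-p-1-lns.glfd.dial.virgin.net."

# Constructed stand-in for forward (A-record) lookups so the script runs offline.
FORWARD_RECORDS = {"client-463-p-1-lns.glfd.dial.virgin.net": ["81.103.145.206"]}


def parse_whois(text):
    """Split RIPE-style output into objects: one dict per blank-line-separated block."""
    objects, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        objects.append(current)
    return objects


def attribute_ip(ip_str, whois_text, ptr_name):
    """Combine the registry view (who holds the block) with the DNS view (who names the host)."""
    ip = ipaddress.ip_address(ip_str)
    result = {"ip": ip_str, "netblock_holder": None, "inetnum": None,
              "route": None, "origin_asn": None, "ptr_domain": None}
    for obj in parse_whois(whois_text):
        if "inetnum" in obj:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in obj["inetnum"].split("-"))
            if lo <= ip <= hi:
                result["netblock_holder"] = obj.get("netname")
                result["inetnum"] = obj["inetnum"]
        if "route" in obj and ip in ipaddress.ip_network(obj["route"], strict=False):
            result["route"] = obj["route"]
            result["origin_asn"] = obj.get("origin")
    # The PTR's registrable domain (last two labels) names the customer; it can legitimately
    # differ from the netname because the block holder delegates reverse DNS for leased subnets.
    labels = ptr_name.rstrip(".").split(".")
    result["ptr_domain"] = ".".join(labels[-2:]) if len(labels) >= 2 else ptr_name
    return result


def ptr_is_forward_confirmed(ip_str, ptr_name, forward_records):
    """A PTR name is only evidence if it resolves back to the same address (forward-confirmed rDNS)."""
    return ip_str in forward_records.get(ptr_name.rstrip("."), [])


def apache_time_to_utc(stamp):
    """Convert an Apache access-log stamp like '[03/Dec/2004:14:22:07 +0100]' to ISO-8601 UTC."""
    local = datetime.strptime(stamp.strip("[]"), "%d/%b/%Y:%H:%M:%S %z")
    return local.astimezone(timezone.utc).isoformat()


def abuse_report_line(ip_str, stamp, whois_text, ptr_name, forward_records):
    """One line an abuse desk can act on: UTC time, address, block holder, ASN, PTR trust status."""
    a = attribute_ip(ip_str, whois_text, ptr_name)
    confirmed = "confirmed" if ptr_is_forward_confirmed(ip_str, ptr_name, forward_records) else "UNCONFIRMED"
    return (f"{apache_time_to_utc(stamp)} src={ip_str} holder={a['netblock_holder']} "
            f"inetnum={a['inetnum']} origin={a['origin_asn']} ptr={ptr_name} ({confirmed})")


if __name__ == "__main__":
    # Constructed timestamp: the thread does not give the exact time of the probe.
    print(abuse_report_line("81.103.145.206", "[03/Dec/2004:14:22:07 +0000]",
                            WHOIS_TEXT, PTR_NAME, FORWARD_RECORDS))
```

    For the thread's address the registry side comes back as NTL (block 81.103.144.0 - 81.103.151.255, routed by AS5089) while the PTR side comes back as virgin.net, which is exactly the "landlord and tenant" split Michael describes. The UTC conversion matters for the reason in the second reply: a dialup address is reassigned constantly, so the ISP can only match it to a customer if the reported time is exact and in an unambiguous zone, which is also why the server's own clock should be NTP-synced.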
  4. Pete

    Pete Guest

    On 2004-12-06, Michael J. Pelletier <> wrote:

    > I forgot one thing, If you are going to report the attempted buffer overflow
    > http attack, you should make sure you send the exact time it happened
    > because this IP appears to be used for dialup (PPP) access....Make sure
    > your time is accurate. Do you use NTP?


    Michael, thank you very much for the explanations regarding why I was
    getting two different 'owners' of the same IP. It all makes sense now.

    I wasn't going to bother reporting it until it becomes a lot more severe. I
    sometimes get the feeling that this might be a prelude to a much larger
    attack, but then again, it's more likely a bored script-kiddiot or some other lame
    wannabe cracker. I'll take my chances on this one as the server is monitored
    daily and I can hopefully shut it down if things go swirly because of some
    kind of sustained attack.

    Nothing of any value resides on the server except for any web pages that
    are already viewable using a browser. My main machine is firewalled so
    hopefully any successful crack attempt would not go as far as my main machine.
    So that just leaves the server vulnerable to being 'taken over' and used in
    some other kind of attack I guess.

    I don't use NTP as far as I know. I will start the daemon up anyway though.
    Thanks for the tip, and again, thanks for the info on the IP address. Much
    appreciated.

    Regards,

    Pete.

    --
    "Damn it Jim, I'm a sig file not an actor !"
     
    Pete, Dec 6, 2004
    #4
