Security Incidents mailing list archives

RE: HTTP Probe by Webserver


From: Andrew Blevins <ABlevins () arrowheadgrp com>
Date: Wed, 10 Oct 2001 15:41:45 -0700

Alan,
It looks to be an NT 4.0 web server running FTP, HTTP, HTTPS, and Proxy. It's
ridiculously wide-open (you could easily use it as a file-server from the
Internet), and I would assume that someone is using it as a jumping off
point. 

Andrew Blevins



-----Original Message-----
From: Alan Wright [mailto:AlanJWright () manx net]
Sent: Wednesday, October 10, 2001 3:31 PM
To: incidents () securityfocus com
Subject: HTTP Probe by Webserver


Dear All

I have noticed tonight that BlackIce Defender has flagged up an HTTP probe 
from a webserver @195.10.146.197.
This comes back as a Finnish IP.
Anyone know if the server has been compromised and is randomly probing or 
is someone using it as a jump off point for some probing?

Any help would be gratefully received.



All the best

Alan

{ Alan J Wright B.Sc(Hons)(Open)}
{SMS or Phone +447624462772}



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
