Security Incidents mailing list archives

Workstations trying to GET /download/IEService215.chm HTTP/1.1 fr om 67.109.249.3

From: "Humes, David G." <David.Humes () jhuapl edu>
Date: Fri, 9 Jul 2004 15:01:41 -0400

Starting around July 8th we noticed workstations trying to access
67.109.249.3 on port 80 and do a

GET /download/IEService215.chm HTTP/1.1

Analysis of the users' browsing activity did not reveal any pattern that
would suggest that the activity was user-initiated.  We suspect that this is
something trying to "phone home", but not sure quite what.  A reverse lookup
of the IP just returns 67.109.249.3.ptr.us.xo.net, and whois just tells me
that it belongs to XO.  Has anyone else seen this and know what it is?

Thanks.

--Dave

Current thread:

Workstations trying to GET /download/IEService215.chm HTTP/1.1 fr om 67.109.249.3 Humes, David G. (Jul 09)
- Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 fr om 67.109.249.3 Paul Schmehl (Jul 12)
- Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 fr om 67.109.249.3 Andy (Jul 12)
- Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3 Paul Schmehl (Jul 12)
- Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 fr om 67.109.249.3 Ronaldo C Vasconcellos (Jul 12)
- Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3 Thor Larholm (Jul 12)
- Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3 Axel Pettinger (Jul 12)
  - Re: Workstations trying to GET /download/IEService215.chm HTTP/1.1 from 67.109.249.3 Matthew Jonkman (Jul 12)