RE: strange .ch scan by 195.141.86.145

["List-Collector" <auto-list () softplus net>]

Hi Andreas

We saw the same thing here on one of our servers. The strange thing is that
'they' only came on one of our virtual domains (just registered a week ago).
Maybe they're checking for Win2k-Servers for statistics? (this one is
running NT :-)) Definately not clean, whatever it is! Here's the log-sample:

2002-05-25 11:30:27 195.141.86.145 - W3SVC23 WAVE webs.gymplus.ch GET
/Default.aspx - 404 329 315 0 80 HTTP/1.0
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) - -
2002-05-25 11:45:51 195.141.86.145 - W3SVC23 WAVE webs.gymplus.ch GET
/Default.aspx - 404 329 315 0 80 HTTP/1.0
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) - -
2002-05-25 13:07:16 195.141.86.145 - W3SVC23 WAVE webs.gymplus.ch GET
/ertdfgderww.aspx - 404 329 319 0 80 HTTP/1.0
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) - -
2002-05-25 13:07:16 195.141.86.145 - W3SVC23 WAVE webs.gymplus.ch GET
/Default.aspx - 404 329 315 0 80 HTTP/1.0
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) - -
2002-05-25 16:06:31 195.141.86.145 - W3SVC23 WAVE webs.gymplus.ch GET
/ertdfgderww.aspx - 404 329 319 0 80 HTTP/1.0
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) - -
...
2002-05-26 09:38:09 195.141.86.145 - W3SVC23 WAVE webs.gymplus.ch GET
/Default.aspx - 404 329 315 0 80 HTTP/1.0
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) - -

Best regards,

Johannes Müller

> -----Original Message-----
> From: Andreas Wiesmann [mailto:lordandrej () swordlord org]
> Sent: Saturday, May 25, 2002 4:36 PM
> To: incidents () securityfocus com
> Subject: strange .ch scan by 195.141.86.145
>
>
> Hi, I just noticed a strange scan in the web logs of all .ch and .li
> domains. Friends recognized similar scans. So far I dont know what
> the purpose of this scan is... MS collection information?
>
> /www/www.swordlord.ch/access_log:195.141.86.145 - -
> [24/May/2002:20:50:05 +0200] "GET
> http://www.swordlord.ch/hgfserd.aspx HTTP/1.0" 302 289 "-"
> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR
> 1.0.3705)"
> /www/www.swordlord.ch/access_log:195.141.86.145 - -
> [25/May/2002:13:15:26 +0200] "GET
> http://www.swordlord.ch/Default.aspx HTTP/1.0" 302 289 "-"
> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR
> 1.0.3705)"
> /www/www.swordlord.ch/access_log:195.141.86.145 - -
> [25/May/2002:14:37:35 +0200] "GET
> http://www.swordlord.ch/ertdfgderww.aspx HTTP/1.0" 302 289 "-"
> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR
> 1.0.3705)"
>
>
> Owner of the IP acording to RIPE is:
> inetnum:      195.141.86.144 - 195.141.86.151
> netname:      Microsoft-NET
> descr:        Microsoft AG
> descr:        Thurgauerstrasse 74
> descr:        8050 Zuerich
> country:      CH
> admin-c:      TR8175-RIPE
> tech-c:       TR8175-RIPE
> status:       ASSIGNED PA
> notify:       ip-reg () sunrise ch
> mnt-by:       AS6730-MNT
> changed:      robert.guentensperger () sunrise net 20010806
> source:       RIPE
>
> cheers,
> Andreas
>
>
> ------------------------------------------------------------------
> ----------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com