Security Incidents mailing list archives

RE: Web server crashed, now is trying to contact an IP by port 80 every morning.


From: "Dan Harpold" <danharp () SeaburyTech com>
Date: Mon, 24 Feb 2003 19:19:38 -0600

Thanks to everyone. It looks like it is Trend ServerProtect checking for
updates....


-----Original Message-----
From: Steven [mailto:magusbaal () digitalbastards net] 
Sent: Monday, February 24, 2003 5:41 PM
To: Dan Harpold; incidents () seacurityfocus com
Subject: RE: Web server crashed, now is trying to contact an IP by port 80 every morning.


Well, a "whois 64.0.96.14" shows:
OrgName:    XO Communications
OrgID:      XOXO
Address:    Corporate Headquarters
Address:    11111 Sunset Hills Road
City:       Reston
StateProv:  VA
PostalCode: 20190-5339
Country:    US

NetRange:   64.0.0.0 - 64.3.255.255
CIDR:       64.0.0.0/14
NetName:    XOXO-BLK-14
NetHandle:  NET-64-0-0-0-1
Parent:     NET-64-0-0-0-0
NetType:    Direct Allocation
NameServer: NAMESERVER1.CONCENTRIC.NET
NameServer: NAMESERVER2.CONCENTRIC.NET
NameServer: NAMESERVER3.CONCENTRIC.NET
NameServer: NAMESERVER.CONCENTRIC.NET

If I'm not mistaken, the Automagic Windows Update thing tries to check
for updates every day. Concentric hosts some of the Microsoft updates,
IIRC. Google shows that Concentric does host some Microsoft stuff, so I
think memory is serving me today :). Try disabling the automagic update
and see if that is the source of the traffic. 


Good luck!


Steven

"exitus acta probat"
"fide, sed cui vide"  

-----Original Message-----
From: Dan Harpold [mailto:danharp () SeaburyTech com] 
Sent: Sunday, February 23, 2003 8:20 PM
To: incidents () seacurityfocus com
Subject: Web server crashed, now is trying to contact an IP by port 80 every morning.


My web server crashed the other day. Got a blue screen and on reboot
NTLDR was missing. I reinstalled and reformatted the drive. Simple W2K
Server with IIS 5 and current service packs. It sits in a DMZ.

Now, each morning (only 2 days so far) at 12:00:45 AM, the machine is
trying to contact an outside server via HTTP. The external request,
which is being blocked by my firewall, is trying to go to 64.0.96.14. It
logs about fifteen attempts over the next ten seconds, then doesn't
appear until the next morning.

Any thoughts?

Dan 
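The symptom Dan reports above, a DMZ host making a short burst of blocked outbound HTTP attempts at the same time every night, is exactly the pattern a defender wants to pull out of firewall deny logs before deciding whether it is an update checker or something worse. The following is an added example, not code from the thread: it parses constructed deny lines in an assumed format (the DMZ host address 10.0.5.20 and the log layout are made up for the example), groups each source/destination/port flow into bursts, and reports flows whose bursts recur at the same time of day on several days.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed deny lines (not from the thread): a DMZ host (assumed 10.0.5.20)
# blocked reaching 64.0.96.14:80 in a burst at 00:00:45 two nights running.
SAMPLE_LOG = """\
2003-02-22 00:00:45 DENY TCP 10.0.5.20:1043 -> 64.0.96.14:80
2003-02-22 00:00:46 DENY TCP 10.0.5.20:1044 -> 64.0.96.14:80
2003-02-22 00:00:49 DENY TCP 10.0.5.20:1045 -> 64.0.96.14:80
2003-02-22 09:13:02 DENY TCP 10.0.5.20:1101 -> 198.51.100.7:443
2003-02-23 00:00:45 DENY TCP 10.0.5.20:1052 -> 64.0.96.14:80
2003-02-23 00:00:47 DENY TCP 10.0.5.20:1053 -> 64.0.96.14:80
2003-02-23 00:00:51 DENY TCP 10.0.5.20:1054 -> 64.0.96.14:80
2003-02-23 14:27:10 DENY TCP 10.0.5.20:1207 -> 198.51.100.7:443
"""
LINE_RE = re.compile(
    r"^(\S+ \S+) DENY TCP (\d+(?:\.\d+){3}):\d+ -> (\d+(?:\.\d+){3}):(\d+)$")
def parse(log):
    """Yield (timestamp, src, dst, dport) for each well-formed deny line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3), int(m.group(4))

def find_scheduled_bursts(log, min_hits=3, window=timedelta(seconds=15),
                          min_days=2, slack=timedelta(seconds=60)):
    """Return {(src, dst, dport): [burst starts]} for flows with >= min_hits
    denies inside `window` on >= min_days distinct days, the burst start
    times-of-day within `slack`. Bursts straddling midnight are not handled."""
    by_flow = defaultdict(list)
    for ts, src, dst, dport in parse(log):
        by_flow[(src, dst, dport)].append(ts)
    hits = {}
    for flow, stamps in by_flow.items():
        stamps.sort()
        starts, i = [], 0
        while i < len(stamps):  # greedy grouping of denies into bursts
            j = i
            while j + 1 < len(stamps) and stamps[j + 1] - stamps[i] <= window:
                j += 1
            if j - i + 1 >= min_hits:
                starts.append(stamps[i])
            i = j + 1
        tods = [s - s.replace(hour=0, minute=0, second=0) for s in starts]
        if (starts and len({s.date() for s in starts}) >= min_days
                and max(tods) - min(tods) <= slack):
            hits[flow] = starts
    return hits
```

Once a flow is flagged, the destination can be checked with whois as Steven did and matched against the scheduled tasks and update agents installed on the host.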


----------------------------------------------------------------------------

Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.
http://www.securityfocus.com/stillsecure
