planetnorton
asked on
Possible Hacking
probably not but Im new at this.
Suddenly got a lot of entries in our HTTP Access log for the following IP addresses:
221.232.74.205
221.232.74.102
221.232.77.30
Apparently they are allocated in China - would there be any reason why they are making http requests from within my (small)company.
thanks
Suddenly got a lot of entries in our HTTP Access log for the following IP addresses:
221.232.74.205
221.232.74.102
221.232.77.30
Apparently they are allocated in China - would there be any reason why they are making http requests from within my (small)company.
thanks
CrazyOne
IT depends on your company and what it does now doesn't it? Small or Large make no difference overall. You might have something thye want or they could just be practicing how to break in.
Its not in China.. But Australia...
rgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
ReferralServer: whois://whois.apnic.net
NetRange: 221.0.0.0 - 221.255.255.255
CIDR: 221.0.0.0/8
NetName: APNIC7
NetHandle: NET-221-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
rgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
ReferralServer: whois://whois.apnic.net
NetRange: 221.0.0.0 - 221.255.255.255
CIDR: 221.0.0.0/8
NetName: APNIC7
NetHandle: NET-221-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
Most web servers HHTP logs will have "hits" such as these. It is extremly common, as more internet servers have become infected with various viruses, they automatically scan tcp/ip ranges. You will get these.
If you would like to examine it further, review the GET statements in the log, if you are recording these. The information logged can usually tell you if it is just the normal run of the mill traffic, or if there was an attempted exploit. If you want to post them here, for us to review, feel free.
J
If you would like to examine it further, review the GET statements in the log, if you are recording these. The information logged can usually tell you if it is just the normal run of the mill traffic, or if there was an attempted exploit. If you want to post them here, for us to review, feel free.
J
ASKER
Thanks for your feedback, the log report is from my VPN, a routefinder, and looking back through it there seems to be a lot of them. An example is shown below:
Web User Access Reports
Period: 2004Sep06-2004Sep07
User: 221.232.67.186
Sort: BYTES, reverse
User Report
partner.search.sohu.com
union.3721.com
TOTAL 37 149.758 0.10% 0.00% 100.00% 00:01:01 61.775 0.19%
AVERAGE 1 4.907.695 00:16:50 1.010.564 3.13%
Web User Access Reports
Period: 2004Sep06-2004Sep07
User: 221.232.67.186
Sort: BYTES, reverse
User Report
partner.search.sohu.com
union.3721.com
TOTAL 37 149.758 0.10% 0.00% 100.00% 00:01:01 61.775 0.19%
AVERAGE 1 4.907.695 00:16:50 1.010.564 3.13%
Are you running a web server? If so then you may want to turn on extended logging for a day, and review the GET statements. You would be surprised by how many attempts are made against web servers on an average day. The best thing you can do is stay on top of patches and seperate your web servers from you internal network with a DMZ.
J
J
ASKER
Logs for the ip accesses.
thanks
1094589311.344 1915 221.232.67.186 TCP_MISS/200 4141 GET http://union.3721.com/cust.js? - DIRECT/202.165.102.144 text/html
1094589317.835 1712 221.232.67.186 TCP_MISS/200 6377 GET http://partner.search.sohu.com/cpc/partner.php? - DIRECT/61.135.134.99 text/html
thanks
1094589311.344 1915 221.232.67.186 TCP_MISS/200 4141 GET http://union.3721.com/cust.js? - DIRECT/202.165.102.144 text/html
1094589317.835 1712 221.232.67.186 TCP_MISS/200 6377 GET http://partner.search.sohu.com/cpc/partner.php? - DIRECT/61.135.134.99 text/html
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.