?
Solved

Possible Hacking

Posted on 2004-09-07
7
Medium Priority
?
194 Views
Last Modified: 2013-12-04
probably not but Im new at this.

Suddenly got a lot of entries in our HTTP Access log for the following IP addresses:

221.232.74.205
221.232.74.102
221.232.77.30

Apparently they are allocated in China - would there be any reason why they are making http requests from within my (small)company.

thanks
0
Comment
Question by:planetnorton
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 44

Expert Comment

by:CrazyOne
ID: 11996149
IT depends on your company and what it does now doesn't it? Small or Large make no difference overall. You might have something thye want or they could just be practicing how to break in.
0
 
LVL 15

Expert Comment

by:mattisflones
ID: 11996215
Its not in China.. But Australia...
rgName:    Asia Pacific Network Information Centre
OrgID:      APNIC
Address:    PO Box 2131
City:       Milton
StateProv:  QLD
PostalCode: 4064
Country:    AU

ReferralServer: whois://whois.apnic.net

NetRange:   221.0.0.0 - 221.255.255.255
CIDR:       221.0.0.0/8
NetName:    APNIC7
NetHandle:  NET-221-0-0-0-1
Parent:    
NetType:    Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
0
 
LVL 9

Expert Comment

by:jdeclue
ID: 11999607
Most web servers HHTP logs will have "hits" such as these. It is extremly common, as more internet servers have become infected with various viruses, they automatically scan tcp/ip ranges. You will get these.

If you would like to examine it further, review the GET statements in the log, if you are recording these. The information logged can usually tell you if it is just the normal run of the mill traffic, or if there was an attempted exploit. If you want to post them here, for us to review, feel free.

J
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 

Author Comment

by:planetnorton
ID: 12000443
Thanks for your feedback, the log report is from my VPN, a routefinder, and looking back through it there seems to be a lot of them. An example is shown below:

Web User Access Reports

Period:  2004Sep06-2004Sep07
User:  221.232.67.186
Sort:  BYTES, reverse
User Report
 
partner.search.sohu.com  
union.3721.com
 
TOTAL 37 149.758 0.10% 0.00% 100.00% 00:01:01 61.775 0.19%
AVERAGE 1 4.907.695    00:16:50 1.010.564 3.13%


0
 
LVL 9

Expert Comment

by:jdeclue
ID: 12000611
Are you running a web server? If so then you may want to turn on extended logging for a day, and review the GET statements. You would be surprised by how many attempts are made against web servers on an average day. The best thing you can do is stay on top of patches and seperate your web servers from you internal network with a DMZ.

J
0
 

Author Comment

by:planetnorton
ID: 12004702
Logs for the ip accesses.

thanks

1094589311.344   1915 221.232.67.186 TCP_MISS/200 4141 GET http://union.3721.com/cust.js? - DIRECT/202.165.102.144 text/html
1094589317.835   1712 221.232.67.186 TCP_MISS/200 6377 GET http://partner.search.sohu.com/cpc/partner.php? - DIRECT/61.135.134.99 text/html

0
 
LVL 9

Accepted Solution

by:
jdeclue earned 1200 total points
ID: 12005782
It appears that the machines outside are requesting specific pages and you have a caching proxy that cannot return them, becuase they do not exist. These entries look pretty benign. I took a look at the partner.search (site), without going there, and it appears to be a search engine, so you most likely were just getting crawled.

J
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The term "Bad USB" is a buzz word that is usually used when talking about attacks on computer systems that involve USB devices. In this article, I will show what possibilities modern windows systems (win8.x and win10) offer to fight these attacks wi…
In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…
Suggested Courses
Course of the Month12 days, 5 hours left to enroll

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question