
Strange Log Entries, ARIN APNIC & RIPE

Status
Not open for further replies.

CliveC

Programmer
Nov 21, 2001
1,222
US
Recently I discovered this in my logs. Note the times and the changing IP addresses. The addresses seem to map back to ARIN APNIC & RIPE. Can anyone shed any light on this?

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-08-18 16:26:12 (11:26:12 central time)
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2003-08-18 16:26:12 210.54.216.202 - W3SVC749 HOMER 65.211.123.68 80 GET /cgi-bin/formmail.pl - 404 4203 109 0 HTTP/1.1 - -
2003-08-18 16:26:22 203.96.111.237 - W3SVC749 HOMER 65.211.123.68 80 GET /cgi-bin/formmail.cgi - 404 4184 152 0 HTTP/1.0 - -
2003-08-18 16:26:24 210.54.216.202 - W3SVC749 HOMER 65.211.123.68 80 GET /cgi-bin/FormMail.pl - 404 4203 109 0 HTTP/1.1 - -
2003-08-18 16:26:42 195.229.241.235 - W3SVC749 HOMER 65.211.123.68 80 GET /cgi-bin/FormMail.cgi - 404 4203 138 0 HTTP/1.1 - -
2003-08-18 16:26:43 195.229.241.235 - W3SVC749 HOMER 65.211.123.68 80 GET /cgi-sys/formmail.pl - 404 4203 137 0 HTTP/1.1 - -
2003-08-18 16:26:44 195.229.241.235 - W3SVC749 HOMER 65.211.123.68 80 GET /cgi-sys/formmail.cgi - 404 4203 138 0 HTTP/1.1 - -
2003-08-18 16:26:45 195.229.241.235 - W3SVC749 HOMER 65.211.123.68 80 GET /cgi-sys/FormMail.pl - 404 4203 137 0 HTTP/1.1 - -
2003-08-18 16:26:50 195.229.241.235 - W3SVC749 HOMER 65.211.123.68 80 GET /cgi-bin/Formmail.pl - 404 4203 137 0 HTTP/1.1 - -
2003-08-18 16:26:52 195.229.241.235 - W3SVC749 HOMER 65.211.123.68 80 GET /cgi-bin/mail.pl - 404 4203 133 0 HTTP/1.1 - -
2003-08-18 16:26:53 195.229.241.235 - W3SVC749 HOMER 65.211.123.68 80 GET /cgi-bin/FORMMAIL.PL - 404 4203 137 0 HTTP/1.1 - -
2003-08-18 16:26:55 210.54.216.202 - W3SVC749 HOMER 65.211.123.68 80 GET /cgi-bin/FormMail.cgi - 404 4203 110 0 HTTP/1.1 - -
Clive
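The pattern in the log above (a run of 404s for FormMail-style CGI paths, spread across a few source addresses within one minute) is easy to pull out of an IIS W3C extended log mechanically. The following is an added example, not code from the original post: it reads the `#Fields` header to name the columns, pads entries that lost trailing fields (as pasted copies often do), and then reports two views that match what the poster is describing, per-IP bursts of distinct CGI paths and a cross-IP campaign in which different addresses probe within the same window. The sample log is constructed from the entries quoted in the post plus one benign request; the 60 second window and the 3-path threshold are assumptions to tune for your own traffic.

```python
"""Parse an IIS 5.0 W3C extended log and flag clustered CGI-probe 404s.
Added example, not from the original post."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the post's entries, one per line, plus a benign
# request from the documentation range 192.0.2.0/24 so there is
# something for the detector to ignore.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-08-18 16:26:12
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2003-08-18 16:26:12 210.54.216.202 - W3SVC749 HOMER 65.211.123.68 80 GET /cgi-bin/formmail.pl - 404 4203 109 0 HTTP/1.1 - -
2003-08-18 16:26:22 203.96.111.237 - W3SVC749 HOMER 65.211.123.68 80 GET /cgi-bin/formmail.cgi - 404 4184 152 0 HTTP/1.0 - -
2003-08-18 16:26:24 210.54.216.202 - W3SVC749 HOMER 65.211.123.68 80 GET /cgi-bin/FormMail.pl - 404 4203 109 0 HTTP/1.1 - -
2003-08-18 16:26:42 195.229.241.235 - W3SVC749 HOMER 65.211.123.68 80 GET /cgi-bin/FormMail.cgi - 404 4203 138 0 HTTP/1.1 - -
2003-08-18 16:26:43 195.229.241.235 - W3SVC749 HOMER 65.211.123.68 80 GET /cgi-sys/formmail.pl - 404 4203 137 0 HTTP/1.1 - -
2003-08-18 16:26:44 195.229.241.235 - W3SVC749 HOMER 65.211.123.68 80 GET /cgi-sys/formmail.cgi - 404 4203 138 0 HTTP/1.1 - -
2003-08-18 16:26:45 195.229.241.235 - W3SVC749 HOMER 65.211.123.68 80 GET /cgi-sys/FormMail.pl - 404 4203 137 0 HTTP/1.1 - -
2003-08-18 16:26:50 195.229.241.235 - W3SVC749 HOMER 65.211.123.68 80 GET /cgi-bin/Formmail.pl - 404 4203 137 0 HTTP/1.1 - -
2003-08-18 16:26:52 195.229.241.235 - W3SVC749 HOMER 65.211.123.68 80 GET /cgi-bin/mail.pl - 404 4203 133 0 HTTP/1.1 - -
2003-08-18 16:26:53 195.229.241.235 - W3SVC749 HOMER 65.211.123.68 80 GET /cgi-bin/FORMMAIL.PL - 404 4203 137 0 HTTP/1.1 - -
2003-08-18 16:26:55 210.54.216.202 - W3SVC749 HOMER 65.211.123.68 80 GET /cgi-bin/FormMail.cgi - 404 4203 110 0 HTTP/1.1 - -
2003-08-18 16:30:01 192.0.2.10 - W3SVC749 HOMER 65.211.123.68 80 GET /index.html - 200 5120 210 15 HTTP/1.1 - -
"""

# Requests under /cgi-bin/ or /cgi-sys/ are what the post's visitors were probing.
PROBE_RE = re.compile(r"^/cgi-(bin|sys)/", re.IGNORECASE)
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_w3c(text):
    """Yield one dict per request line, keyed by the #Fields header names.
    Lines shorter than the header (common in pasted copies) are padded
    with '-' so every field name is present."""
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if not fields:
            raise ValueError("request line seen before a #Fields header")
        tokens = line.split()
        tokens += ["-"] * (len(fields) - len(tokens))
        yield dict(zip(fields, tokens))


def _stamp(entry):
    return datetime.strptime(entry["date"] + " " + entry["time"], TIME_FMT)


def _is_probe(entry):
    return entry["sc-status"] == "404" and PROBE_RE.match(entry["cs-uri-stem"]) is not None


def probe_bursts(entries, window=timedelta(seconds=60), min_paths=3):
    """Per client IP, the distinct CGI paths that drew a 404 inside `window`.
    Case variants stay distinct on purpose: cycling FormMail.pl / formmail.pl /
    FORMMAIL.PL is itself part of the probing pattern."""
    by_ip = defaultdict(list)
    for e in entries:
        if _is_probe(e):
            by_ip[e["c-ip"]].append((_stamp(e), e["cs-uri-stem"]))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # sliding window from each event
            paths = {p for t, p in events[i:] if t - start <= window}
            if len(paths) >= min_paths:
                hits[ip] = sorted(paths)
                break
    return hits


def cluster_campaigns(entries, window=timedelta(seconds=60)):
    """Group probe requests from *different* IPs that land in one window:
    the related-by-time-and-intent picture the post describes."""
    events = sorted((_stamp(e), e["c-ip"]) for e in entries if _is_probe(e))
    campaigns = []
    for ts, ip in events:
        if campaigns and ts - campaigns[-1]["start"] <= window:
            c = campaigns[-1]
            c["end"], c["requests"] = ts, c["requests"] + 1
            c["ips"].add(ip)
        else:
            campaigns.append({"start": ts, "end": ts, "ips": {ip}, "requests": 1})
    return campaigns


def analyze(text):
    entries = list(parse_w3c(text))
    return probe_bursts(entries), cluster_campaigns(entries)


if __name__ == "__main__":
    bursts, campaigns = analyze(SAMPLE_LOG)
    for ip, paths in bursts.items():
        print(f"{ip}: {len(paths)} distinct CGI paths {paths}")
    for c in campaigns:
        print(f"{c['start']}..{c['end']}: {c['requests']} probes from {sorted(c['ips'])}")
```

On the post's own data this flags 195.229.241.235 (seven distinct paths in eleven seconds) and 210.54.216.202 (three), leaves 203.96.111.237 below the threshold on its own, and folds all three into a single campaign of eleven requests, which is the "different IPs, same intent" picture the poster is asking about. The entries being 404s means nothing was served, so the useful follow-up is confirming that no such CGI scripts exist on the host and keeping the detector running rather than chasing the individual addresses.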
 
Yes thanks, but my question was about the times and IP addresses.

The activity is clearly related by time and intent but the IP addresses are different and yet they all map back to IP ranges operated by ARIN, APNIC & RIPE. I have noticed identical activity on other sites that I own.

Clive
 
ARIN, APNIC and RIPE are the centralized databases of IP address assignment, reverse DNS and Internet routing.

These three databases cover the majority, if not all of the assigned IP addresses in the world. They are not the operator of these addresses, they are the administrators of the numbering.


pansophic
 
210.54.216.202 =
202.216.54.210.in-addr.arpa domain name pointer 210-54-216-202.ipnets.xtra.co.nz.

203.96.111.237 =
237.111.96.203.in-addr.arpa domain name pointer AKCF1-GGI.xtra.co.nz.

210.54.216.202 =
202.216.54.210.in-addr.arpa domain name pointer 210-54-216-202.ipnets.xtra.co.nz.

195.229.241.235 =
202.216.54.210.in-addr.arpa domain name pointer 210-54-216-202.ipnets.xtra.co.nz.

210.54.216.202 =
202.216.54.210.in-addr.arpa domain name pointer 210-54-216-202.ipnets.xtra.co.nz.

I'd say it looks like you are being scanned from New Zealand. Probably dialup accounts based on the reverse DNS. And I'd throw away whatever you were using for research. A simple 'host' lookup from my machine resolved these.

Try SamSpade.org next time, I'll bet you get better results for your research.


pansophic
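The reply above attributes the scanning addresses from their reverse DNS (`host` PTR lookups). Two things a defender doing the same attribution wants to check, and which the following added example (not code from the post) implements: that each `host` answer line really belongs to the IP it is being attributed to (the in-addr.arpa name in the answer must equal the name a PTR query for that IP asks for, a cheap guard against mixed-up pasted lookups), and that the PTR name forward-resolves back to the address (forward-confirmed reverse DNS), since the reverse zone is run by the address holder and an unconfirmed PTR can claim any name. The answer lines are the ones quoted in the reply; `FORWARD_TABLE` is a constructed stand-in for A-record lookups so the code runs offline, and `live_forward_lookup` is the network-backed alternative.

```python
"""Reverse-DNS attribution with a forward-confirmation (FCrDNS) check.
Added example, not from the original post."""
import ipaddress
import socket

MARKER = " domain name pointer "  # how `host` prints a PTR answer


def ptr_name(ip):
    """The name a PTR query for `ip` asks for, e.g. 202.216.54.210.in-addr.arpa
    (ip6.arpa for IPv6)."""
    return ipaddress.ip_address(ip).reverse_pointer


def parse_host_line(line):
    """Split a `host` PTR answer into (query_name, target_hostname), lowercased
    with the trailing dot dropped. Returns None for non-PTR lines (NXDOMAIN etc.)."""
    if MARKER not in line:
        return None
    query, target = line.split(MARKER, 1)
    return query.strip().lower(), target.strip().rstrip(".").lower()


def live_forward_lookup(name):
    """Real A-record lookup over the network; empty set when resolution fails."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()


# Constructed stand-in for forward DNS so the example runs offline. The
# addresses here are illustrative only and are not real records.
FORWARD_TABLE = {
    "210-54-216-202.ipnets.xtra.co.nz": {"210.54.216.202"},
    "akcf1-ggi.xtra.co.nz": {"203.96.111.1"},
}


def table_forward_lookup(name):
    return FORWARD_TABLE.get(name.lower(), set())


def classify_ptr(ip, host_line, forward_lookup=table_forward_lookup):
    """Grade the reverse-DNS evidence for `ip` from one `host` answer line:
      no-ptr      - the line is not a PTR answer
      wrong-query - the answer is for a different IP's in-addr.arpa name
      unconfirmed - PTR exists but the name's A records do not include `ip`
      confirmed   - forward-confirmed reverse DNS
    Only 'confirmed' should carry weight when attributing a scan."""
    parsed = parse_host_line(host_line)
    if parsed is None:
        return "no-ptr", None
    query, target = parsed
    if query != ptr_name(ip):
        return "wrong-query", target
    if ip not in forward_lookup(target):
        return "unconfirmed", target
    return "confirmed", target


if __name__ == "__main__":
    # Answer lines as quoted in the reply above.
    checks = [
        ("210.54.216.202", "202.216.54.210.in-addr.arpa domain name pointer 210-54-216-202.ipnets.xtra.co.nz."),
        ("203.96.111.237", "237.111.96.203.in-addr.arpa domain name pointer AKCF1-GGI.xtra.co.nz."),
        ("195.229.241.235", "202.216.54.210.in-addr.arpa domain name pointer 210-54-216-202.ipnets.xtra.co.nz."),
    ]
    for ip, line in checks:
        verdict, name = classify_ptr(ip, line)
        print(f"{ip:16} {verdict:12} {name}")
```

Pass `forward_lookup=live_forward_lookup` to run the confirmation against real DNS. With the constructed table, the first line is confirmed, the second is a PTR without a matching forward record, and the third is reported as answering a different IP's query name, which is exactly the kind of slip that a manual copy of several lookups can introduce.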
 