PHILLIPO
Joined: 29 Jul 2005 Posts: 9 Location: SOUTHWEST UK
Posted: Thu Oct 20, 2005 9:27 am    Post subject: ISP SPYING?

When I look at my server log, it consistently contains entries from an IP address which is similar to mine, the latest one being
 
 
 82.45.5.161 - - [19/Oct/2005:20:52:39 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 234 "" ""
 
 
The first part of the IP (82.45) is the same as mine, these are always met with a 404. I have these every day with varying IP numbers which ALL start with 82.45. Is this someone or something from my ISP?

AbyssUnderground
Joined: 31 Dec 2004 Posts: 3855
Posted: Thu Oct 20, 2005 9:36 am

This sounds like someone is trying to get into your server by accessing a file that isn't there. It is most likely the same person. You should enable anti hacking so after numerous 404's in a time period it blocks the user.
 
 
This should prevent this happening again.
_________________
Andy (AbyssUnderground) (previously The Inquisitor)
www.abyssunderground.co.uk

PHILLIPO
Joined: 29 Jul 2005 Posts: 9 Location: SOUTHWEST UK
Posted: Thu Oct 20, 2005 9:47 am

How come there are so many different IP no's?..... look!
 
 
82.45.3.243 - - [04/Oct/2005:20:10:09 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 234 "" ""
 
82.45.3.243 - - [04/Oct/2005:21:14:10 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 234 "" ""
 
82.45.3.243 - - [04/Oct/2005:22:30:54 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 234 "" ""
 
82.45.3.243 - - [04/Oct/2005:22:32:30 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 234 "" ""
 
82.45.251.43 - - [05/Oct/2005:12:47:28 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 234 "" ""
 
82.45.6.74 - - [05/Oct/2005:13:04:26 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 234 "" ""
 
82.44.97.75 - - [05/Oct/2005:13:24:18 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 234 "" ""
 
82.45.6.74 - - [05/Oct/2005:20:29:52 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 234 "" ""
 
82.45.3.243 - - [05/Oct/2005:20:52:45 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 234 "" ""
 
82.45.6.74 - - [06/Oct/2005:01:36:25 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 234 "" ""
 
82.45.3.243 - - [06/Oct/2005:16:18:08 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 234 "" ""
 
82.45.3.243 - - [06/Oct/2005:17:04:51 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 234 "" ""
 
82.45.3.243 - - [06/Oct/2005:17:47:23 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 234 "" ""
 
82.45.3.243 - - [06/Oct/2005:18:25:34 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 234 "" ""
 
82.45.3.243 - - [06/Oct/2005:19:07:17 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 234 "" ""
 
82.45.3.243 - - [06/Oct/2005:21:48:22 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 234 "" ""
 
82.45.3.243 - - [06/Oct/2005:21:48:25 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 234 "" ""

AbyssUnderground
Joined: 31 Dec 2004 Posts: 3855
Posted: Thu Oct 20, 2005 9:51 am

They will have a dynamic IP, an IP that changes every time they connect to the internet.

PHILLIPO
Joined: 29 Jul 2005 Posts: 9 Location: SOUTHWEST UK
Posted: Thu Oct 20, 2005 10:13 am

Sorry for being so persistent here, and I really ain't trying to teach you how to suck eggs, but I am on a dynamic IP
 
 
82.45.6.74 - - [05/Oct/2005:20:29:52 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 234 "" "" 
 
82.45.3.243 - - [05/Oct/2005:20:52:45 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 234 "" "" 
 
 
but not THAT dynamic!!
 
 
Are you suggesting dial-up? To disconnect and re-dial repeatedly seems a bit drastic to attempt some form of hack on lil' ol' me, with nothing more interesting than some Yu-Gi-Oh stuff of my son's to access.

AbyssUnderground
Joined: 31 Dec 2004 Posts: 3855
Posted: Thu Oct 20, 2005 10:22 am

Dynamic means Dynamic. It can change to anything within the ISP's IP Range. The person doing this is either a rookie hacker or this person has spyware and is unaware that this is happening.
 
 
My suggestion is to either use anti hacking or stop the server for a few days and see if it stops.

PHILLIPO
Joined: 29 Jul 2005 Posts: 9 Location: SOUTHWEST UK
Posted: Thu Oct 20, 2005 11:14 am

OK...thanks for all your help

Arctic
Joined: 24 Sep 2004 Posts: 560
Posted: Thu Oct 20, 2005 1:49 pm

I'd say that someone is just spamming you, what you really could do is ban their IP range.
 
 
82.45.---.--- 
 
 
The --- is the number that always changes. You can assume it's the same person. Just ban the IP.

Anonymoose
Joined: 09 Sep 2003 Posts: 2192
Posted: Thu Oct 20, 2005 4:11 pm

It is a worm. It is not 'most likely the same person'. There are still hundreds of thousands of PCs connected to the net infected with worms searching for IIS servers - or more specifically in this example, IIS servers running very old versions of the FrontPage extensions - to infect. The fp30reg.dll exploit was discovered in November 2003...
 
 
Since Abyss does not support FrontPage extensions, and the URL is a 404 anyway, ignore it.
_________________
"Invent an idiot proof webserver and they'll invent a better idiot..."
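
The two readings offered in this thread (one person on a dynamic IP, or many infected hosts) can be checked against the log itself. The following Python is an added example, not part of any post and not Abyss's own anti-hacking feature: it groups the fp30reg.dll 404s by source, lists different addresses that probe within an hour of each other, and flags sources with repeated 404s in a short window. The sample lines are copied from the log excerpts quoted above; the function names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample entries copied from the log lines quoted in the thread.
SAMPLE_LOG = '''\
82.45.251.43 - - [05/Oct/2005:12:47:28 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 234 "" ""
82.45.6.74 - - [05/Oct/2005:13:04:26 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 234 "" ""
82.44.97.75 - - [05/Oct/2005:13:24:18 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 234 "" ""
82.45.6.74 - - [05/Oct/2005:20:29:52 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 234 "" ""
82.45.3.243 - - [05/Oct/2005:20:52:45 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 234 "" ""
82.45.3.243 - - [06/Oct/2005:21:48:22 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 234 "" ""
82.45.3.243 - - [06/Oct/2005:21:48:25 +0100] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 234 "" ""
'''

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
PROBE_PATH = "/_vti_bin/_vti_aut/fp30reg.dll"

def summarize_probes(log_text):
    """Map source IP -> timestamps of its 404 probes for the FrontPage DLL."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["path"].lower() == PROBE_PATH and m["status"] == "404":
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits[m["ip"]].append(ts)
    return dict(hits)

def overlapping_sources(hits, window=timedelta(hours=1)):
    """Pairs of different IPs whose consecutive probes fall within `window`.
    A single host is unlikely to change address this quickly (assumed window)."""
    events = sorted((ts, ip) for ip, times in hits.items() for ts in times)
    pairs = set()
    for (t1, ip1), (t2, ip2) in zip(events, events[1:]):
        if ip1 != ip2 and t2 - t1 <= window:
            pairs.add(tuple(sorted((ip1, ip2))))
    return pairs

def burst_sources(hits, limit=2, window=timedelta(minutes=10)):
    """IPs with at least `limit` probe 404s inside `window` (assumed thresholds)."""
    flagged = set()
    for ip, times in hits.items():
        times = sorted(times)
        for i in range(len(times) - limit + 1):
            if times[i + limit - 1] - times[i] <= window:
                flagged.add(ip)
    return flagged
```

Several distinct addresses requesting the same path within minutes of each other is the pattern independent infected hosts produce, which fits the worm explanation in the last post.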