Security Incidents
mailing list archives
RE: HTTP Probe by Webserver
From: Andrew Blevins <ABlevins () arrowheadgrp com>
Date: Wed, 10 Oct 2001 15:41:45 -0700
Alan,
It looks to be an NT 4.0 web server running FTP, HTTP, HTTPS, and Proxy. It's
ridiculously wide-open (you could easily use it as a file-server from the
Internet), and I would assume that someone is using it as a jumping off
point.
Andrew Blevins
-----Original Message-----
From: Alan Wright [mailto:AlanJWright () manx net]
Sent: Wednesday, October 10, 2001 3:31 PM
To: incidents () securityfocus com
Subject: HTTP Probe by Webserver
Dear All
I have noticed tonight that BlackIce Defender has flagged up an Http probe
from a webserver @195.10.146.197.
This comes back as a Finnish IP.
Anyone know if the server has been compromised and is randomly probing or
is someone using it as a jump off point for some probing?
Any help would be gratefully received.
All the best
Alan
{ Alan J Wright B.Sc(Hons)(Open)}
{SMS or Phone +447624462772}
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------