RE: Web server crashed, now is trying to contact an IP by port 80 every morning.

From: Dan Harpold <danharp(at)SeaburyTech.com>
Date: Mon Feb 24 2003 - 20:19:38 EST


Thanks to everyone. It looks like it is Trend ServerProtect checking for updates....

-----Original Message-----
From: Steven [mailto:magusbaal@digitalbastards.net]
Sent: Monday, February 24, 2003 5:41 PM
To: Dan Harpold; incidents@seacurityfocus.com
Subject: RE: Web server crashed, now is trying to contact an IP by port 80 every morning.

Well, a "whois 64.0.96.14" shows:
OrgName: XO Communications
OrgID: XOXO
Address: Corporate Headquarters
Address: 11111 Sunset Hills Road
City: Reston
StateProv: VA
PostalCode: 20190-5339
Country: US

NetRange: 64.0.0.0 - 64.3.255.255
CIDR: 64.0.0.0/14

NetName: XOXO-BLK-14
NetHandle: NET-64-0-0-0-1
Parent: NET-64-0-0-0-0

NetType: Direct Allocation
NameServer: NAMESERVER1.CONCENTRIC.NET
NameServer: NAMESERVER2.CONCENTRIC.NET
NameServer: NAMESERVER3.CONCENTRIC.NET
NameServer: NAMESERVER.CONCENTRIC.NET

If I'm not mistaken, the Automagic Windows Update thing tries to check for updates every day. Concentric hosts some of the Microsoft updates, IIRC. Google shows that Concentric does host some Microsoft stuff, so I think memory is serving me today :). Try disabling the automagic update and see if that is the source of the traffic.

Good luck!

Steven

"exitus acta probat"
"fide, sed cui vide"


-----Original Message-----
From: Dan Harpold [mailto:danharp@SeaburyTech.com]
Sent: Sunday, February 23, 2003 8:20 PM
To: incidents@seacurityfocus.com
Subject: Web server crashed, now is trying to contact an IP by port 80 every morning.

My web server crashed the other day. Got a blue screen and on reboot NTLDR was missing. I reinstalled and reformatted the drive. Simple W2K Server with IIS 5 and current service packs. It sits in a DMZ.

Now, each morning (only 2 days so far) at 12:00:45 AM, the machine is trying to contact an outside server via HTTP. The external request, which is being blocked by my firewall, is trying to go to 64.0.96.14. It logs about fifteen attempts over the next ten seconds, then doesn't appear until the next morning.

Any thoughts?

Dan
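A triage check for the pattern Dan describes (a DMZ host retrying the same outbound connection in a short burst at almost the same time every day), written here as an added example and not code from the thread. The firewall log format, the internal address 10.0.1.5 and the other flows are constructed; only the 64.0.96.14:80 destination comes from the report.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not a real firewall's format): date, time, action, src -> dst:port.
# The DMZ web server (10.0.1.5, constructed) is denied outbound to 64.0.96.14:80 just after
# midnight on consecutive days, as in the thread; the port-25 entries are unrelated noise.
SAMPLE_LOG = """
2003-02-23 00:00:45 DENY 10.0.1.5 -> 64.0.96.14:80
2003-02-23 00:00:46 DENY 10.0.1.5 -> 64.0.96.14:80
2003-02-23 00:00:52 DENY 10.0.1.5 -> 64.0.96.14:80
2003-02-23 09:15:02 DENY 10.0.1.5 -> 192.0.2.77:25
2003-02-24 00:00:45 DENY 10.0.1.5 -> 64.0.96.14:80
2003-02-24 00:00:49 DENY 10.0.1.5 -> 64.0.96.14:80
2003-02-24 00:00:55 DENY 10.0.1.5 -> 64.0.96.14:80
2003-02-24 14:30:11 DENY 10.0.1.5 -> 192.0.2.77:25
"""

def parse(line):
    """Split one constructed log line into (timestamp, action, src, dst_host, dst_port)."""
    date, time, action, src, _, dst = line.split()
    host, port = dst.rsplit(":", 1)
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), action, src, host, int(port)

def find_daily_beacons(log_text, tolerance_s=60, burst_s=30, min_days=2):
    """Return flows denied in a short burst at nearly the same time of day on several days.
    Each finding is ((src, dst, port), distinct_days, total_attempts, seconds_after_midnight)."""
    by_flow = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, action, src, host, port = parse(line)
        if action == "DENY":
            by_flow[(src, host, port)].append(ts)
    findings = []
    for flow, stamps in by_flow.items():
        per_day = defaultdict(list)
        for ts in stamps:
            per_day[ts.date()].append(ts)
        if len(per_day) < min_days:
            continue
        first_secs = []  # time of day (seconds) of each day's first attempt
        for day_stamps in per_day.values():
            day_stamps.sort()
            if (day_stamps[-1] - day_stamps[0]).total_seconds() > burst_s:
                break  # spread out over the day, not a scheduled burst
            first = day_stamps[0]
            first_secs.append(first.hour * 3600 + first.minute * 60 + first.second)
        else:
            if max(first_secs) - min(first_secs) <= tolerance_s:
                findings.append((flow, len(per_day), len(stamps), min(first_secs)))
    return findings

if __name__ == "__main__":
    for flow, days, attempts, secs in find_daily_beacons(SAMPLE_LOG):
        print(f"{flow[0]} -> {flow[1]}:{flow[2]}: {attempts} attempts on {days} days, "
              f"starting {secs} s after midnight")
```

Flagged flows still need attribution on the host itself (which process opens the socket, and what scheduled job fires at that time), which is how the thread ends up at the ServerProtect update check.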



Lose another weekend managing your IDS? Take back your personal time.
15-day free trial of StillSecure Border Guard. http://www.securityfocus.com/stillsecure


Received on Tue Feb 25 17:37:36 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:59 EDT
