[techtalk] Traceroutes in logs
Kath
ranger at optonline.net
Sat Apr 28 22:32:07 EST 2001
Every day, sometimes several times a day, I get a traceroute to my Lotus Notes/Domino NT4 server (ick ick ick. I didn't set it up).
I've included a few log examples.
Paranoid Me Says:
Is someone using tracert to check for a host's existence as a precursor to an attack?
Curious Me Says:
Is this some kind of internet host check thing to determine uptime/etc?
Apr 28 20:21:57 hwnet snort: Windows Traceroute: 216.200.119.243 -> 207.127.75.xx
Apr 28 07:26:36 hwnet snort: Windows Traceroute: 130.217.248.88 -> 207.127.75.xx
Apr 28 04:45:46 hwnet snort: Windows Traceroute: 216.200.119.243 -> 207.127.75.xx
Apr 27 21:55:22 hwnet snort: Windows Traceroute: 128.223.220.56 -> 207.127.75.xx
Apr 27 04:44:24 hwnet snort: Windows Traceroute: 128.223.220.56 -> 207.127.75.xx
Apr 26 21:34:02 hwnet snort: Windows Traceroute: 216.200.119.243 -> 207.127.75.xx
Apr 26 02:53:36 hwnet snort: Windows Traceroute: 130.217.248.88 -> 207.127.75.xx
Further investigation:
Now an arin.net whois says that 216.200.119.243 is registered to Abovenet, which is based in Cali. My l33t tracert skills spit out that the machine location looks like somewhere in/near Seattle? 216.200.119.243 resolves to caida.org (specifically lhr.skitter.caida.org) and the caida.org webpage says something about "Tools and analyses promoting the engineering and maintenance of a robust, scalable global Internet infrastructure". Hmm. Looks normal there. Just some weirdos collecting internet info =)
Next is: 130.217.248.88. arin.net says 130.217.248.88 belongs to University of Waikato. A DNS on the IP 130.217.248.88 reveals another caida.org address, waikato.skitter.caida.org.
Final one is: 128.223.220.56. Resolves to uoregon.skitter.caida.org.
I guess the moral is, don't get bent out of shape over simple tracerts. Get even instead! Freaking government robots after me! Black helicopters! Conspiracy! Roswell! Oswald was a patsy! ;)
- Kath the slightly paranoid (Only slightly!)
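The triage done by hand in the message above (group the Snort alerts by source, then look at what each source resolves to), as an added example that is not part of the original post. The PTR names are the ones reported in the post, embedded so the script runs offline; the function names and the suffix allowlist are assumptions.

```python
import re
from collections import Counter
# The seven alert lines from the post (destination masked as in the original).
SAMPLE_LOG = """\
Apr 28 20:21:57 hwnet snort: Windows Traceroute: 216.200.119.243 -> 207.127.75.xx
Apr 28 07:26:36 hwnet snort: Windows Traceroute: 130.217.248.88 -> 207.127.75.xx
Apr 28 04:45:46 hwnet snort: Windows Traceroute: 216.200.119.243 -> 207.127.75.xx
Apr 27 21:55:22 hwnet snort: Windows Traceroute: 128.223.220.56 -> 207.127.75.xx
Apr 27 04:44:24 hwnet snort: Windows Traceroute: 128.223.220.56 -> 207.127.75.xx
Apr 26 21:34:02 hwnet snort: Windows Traceroute: 216.200.119.243 -> 207.127.75.xx
Apr 26 02:53:36 hwnet snort: Windows Traceroute: 130.217.248.88 -> 207.127.75.xx
"""
# PTR names as reported in the post, embedded so this runs offline. Live use would
# call socket.gethostbyaddr() and confirm each name with a forward lookup.
PTR_FROM_POST = {
    "216.200.119.243": "lhr.skitter.caida.org",
    "130.217.248.88": "waikato.skitter.caida.org",
    "128.223.220.56": "uoregon.skitter.caida.org",
}
# Assumption: suffixes the operator treats as known measurement infrastructure.
KNOWN_SUFFIXES = (".skitter.caida.org",)
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ snort: (?P<msg>[^:]+): "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> (?P<dst>\S+)$"
)

def parse_alerts(text):
    """Return (timestamp, rule message, source, destination) per alert line."""
    matches = (ALERT_RE.match(line.strip()) for line in text.splitlines())
    return [m.group("ts", "msg", "src", "dst") for m in matches if m]

def triage(text, ptr=PTR_FROM_POST):
    """Map each source IP to (alert count, PTR name or None, label)."""
    counts = Counter(src for _, _, src, _ in parse_alerts(text))
    report = {}
    for src, n in counts.items():
        name = ptr.get(src)
        if name is None:
            label = "unresolved"          # no PTR on record: look at it by hand
        elif name.endswith(KNOWN_SUFFIXES):
            label = "known-measurement"
        else:
            label = "unknown"
        report[src] = (n, name, label)
    return report

if __name__ == "__main__":
    for src, (n, name, label) in sorted(triage(SAMPLE_LOG).items()):
        print(f"{src:16} {n:2}  {name or '-':28} {label}")
```

A PTR record is set by whoever controls the reverse zone for the address, so the label is a triage hint rather than proof of origin.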