Every day, sometimes several times a day, I get a traceroute to my Lotus
Notes/Domino NT4 server (ick ick ick. I didn't set it up).
I've included a few log examples.
Paranoid Me Says:
Is someone using tracert to check for a host's existence as a precursor to an attack?
Curious Me Says:
Is this some kind of internet host check thing to determine uptime/etc?

Apr 28 20:21:57 hwnet snort: Windows Traceroute: 216.200.119.243 -> 207.127.75.xx
Apr 28 07:26:36 hwnet snort: Windows Traceroute: 130.217.248.88 -> 207.127.75.xx
Apr 28 04:45:46 hwnet snort: Windows Traceroute: 216.200.119.243 -> 207.127.75.xx
Apr 27 21:55:22 hwnet snort: Windows Traceroute: 128.223.220.56 -> 207.127.75.xx
Apr 27 04:44:24 hwnet snort: Windows Traceroute: 128.223.220.56 -> 207.127.75.xx
Apr 26 21:34:02 hwnet snort: Windows Traceroute: 216.200.119.243 -> 207.127.75.xx
Apr 26 02:53:36 hwnet snort: Windows Traceroute: 130.217.248.88 -> 207.127.75.xx

Further investigation:
Now an arin.net whois says that 216.200.119.243 is registered to Abovenet, which
is based in Cali. My l33t tracert skills spit out that the machine
location looks like somewhere in/near Seattle? 216.200.119.243 resolves to
caida.org (specifically lhr.skitter.caida.org) and the caida.org webpage says
something about "Tools and analyses promoting the engineering and maintenance of
a robust, scalable global Internet infrastructure". Hmm. Looks
normal there. Just some weirdos collecting internet info =)
Next is: 130.217.248.88. arin.net says 130.217.248.88 belongs to
University of Waikato. A DNS on the IP 130.217.248.88 reveals another
caida.org address: waikato.skitter.caida.org.
Final one is: 128.223.220.56. Resolves to uoregon.skitter.caida.org.
I guess the moral is, don't get bent out of shape over simple
tracerts. Get even instead! Freaking government robots after
me! Black helicopters! Conspiracy! Roswell! Oswald was a
patsy! ;)
- Kath the slightly paranoid (Only slightly!)
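
The triage described in the message above (count the alerts per source, then check what each source resolves to) can be scripted. The following is an added example, not part of the original post: the PTR names for the three addresses are the ones the post reports, while the 192.0.2.10 and 198.51.100.7 sources, the FORWARD table and the KNOWN_SUFFIXES list are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: alerts from the post, unwrapped, plus two invented sources
# (192.0.2.10 and 198.51.100.7 are documentation addresses, not from the post).
SAMPLE_LOG = """\
Apr 28 20:21:57 hwnet snort: Windows Traceroute: 216.200.119.243 -> 207.127.75.xx
Apr 28 07:26:36 hwnet snort: Windows Traceroute: 130.217.248.88 -> 207.127.75.xx
Apr 28 04:45:46 hwnet snort: Windows Traceroute: 216.200.119.243 -> 207.127.75.xx
Apr 27 21:55:22 hwnet snort: Windows Traceroute: 128.223.220.56 -> 207.127.75.xx
Apr 27 09:10:11 hwnet snort: Windows Traceroute: 192.0.2.10 -> 207.127.75.xx
Apr 27 09:12:40 hwnet snort: Windows Traceroute: 198.51.100.7 -> 207.127.75.xx
"""

# PTR names as reported in the post; the 192.0.2.10 entry is a constructed
# example of a reverse record that merely claims a trusted name.
PTR = {
    "216.200.119.243": "lhr.skitter.caida.org",
    "130.217.248.88": "waikato.skitter.caida.org",
    "128.223.220.56": "uoregon.skitter.caida.org",
    "192.0.2.10": "fake.skitter.caida.org",
}
# Assumption: forward (A) lookups of the real names return the same addresses.
FORWARD = {name: ip for ip, name in PTR.items() if ip != "192.0.2.10"}
# Assumption: suffixes this site has chosen to treat as measurement projects.
KNOWN_SUFFIXES = (".skitter.caida.org",)

ALERT_RE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ snort: (?P<sig>.+?): "
                      r"(?P<src>\d+(?:\.\d+){3}) -> (?P<dst>\S+)$")

def triage(log_text, ptr=PTR, forward=FORWARD):
    """Count alerts per source and classify each source by confirmed PTR name."""
    counts = Counter(m["src"] for line in log_text.splitlines()
                     if (m := ALERT_RE.match(line.strip())))
    report = {}
    for src, n in counts.items():
        name = ptr.get(src)                       # None: no reverse record
        confirmed = name is not None and forward.get(name) == src
        if confirmed and name.endswith(KNOWN_SUFFIXES):
            verdict = "known-measurement"
        elif name and not confirmed:
            verdict = "ptr-unconfirmed"           # PTR is set by the IP's owner
        else:
            verdict = "investigate"
        report[src] = (n, name, verdict)
    return report

if __name__ == "__main__":
    for src, row in sorted(triage(SAMPLE_LOG).items()):
        print(src, *row)
```

A reverse record is published by whoever controls the address block, so the script only trusts a PTR name when the forward lookup of that name returns the same address; in live use the two tables would be replaced by real DNS queries.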