So, the company I work at uses Trend Micro software to monitor the computers for viruses, right? Well, they must use it to monitor/proxy internet use as well, because I found some strange things going on in the server logs on one of my servers.
I log in to various password-protected parts of one of my webservers using the work internet. Then some people I assume to be script kiddies started trying to find where I kept various admin tools by going to obvious and not-so-obvious addresses on this webserver. So I got all paranoid and started going through the logs. It didn't appear as though the script kiddies were getting in or had even found the correct address to the password-protected parts of the server.
However, I did find some IPs that did, and I didn't recognize them. They were USA- and Japan-assigned IP addresses too. The script kiddies had been using proxies from the USA, France and Japan. However, when I did an IP lookup these addresses came back as registered to Trend Micro.
All of the requests to my server gave those IPs 401 Unauthorized errors. So I did a test by navigating, from the work internet, to a non-existent page on my site with an address that I would notice in the server logs. I found an IP from each IP range went to that page as well.
After some googling of the IP addresses I found other people had seen these IP ranges accessing pages that the public couldn’t and shouldn’t know about.
The IP ranges concerned were:
- 216.104.15.0/24
- 150.70.0.0/16
Most of these addresses don't resolve to a hostname; however, I did find one that did: 150.70.66.183 resolved to sjdc-wtp-gs-maya6.sdi.trendnet.org but is registered to the Asia Pacific Network Information Centre. It also says that 150.0.0.0/8 is registered to APNIC too; however, I'm not sure whether it says that even though they have assigned/sold that address range to Trend Micro.
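As an added example (not from the original post), here is a small Python log scan that does what the author did by hand: parse combined-format access-log lines, flag every request from the two ranges listed above, and list which other IPs fetched a canary path that nobody should know about. The log lines and the canary path are constructed for the example.

```python
import re
import ipaddress
from collections import defaultdict

# The two ranges named in the post.
WATCH_RANGES = [ipaddress.ip_network(n) for n in ("216.104.15.0/24", "150.70.0.0/16")]

# Apache/nginx "combined" format: ip - - [time] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (documentation IPs), not real log data.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2010:09:12:01 +0000] "GET /admin/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
150.70.66.183 - - [10/Mar/2010:09:12:09 +0000] "GET /admin/login HTTP/1.1" 401 0 "-" "Mozilla/4.0"
192.0.2.10 - - [10/Mar/2010:09:15:00 +0000] "GET /canary-xk9q2/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"
216.104.15.44 - - [10/Mar/2010:09:15:30 +0000] "GET /canary-xk9q2/ HTTP/1.1" 404 0 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Mar/2010:09:16:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 0 "-" "curl/7.19"
150.70.97.12 - - [10/Mar/2010:09:20:44 +0000] "GET /secret-panel/ HTTP/1.1" 401 0 "-" "Mozilla/4.0"
"""

def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def in_watch_ranges(ip_str):
    """Return the watched CIDR (as a string) containing ip_str, or None."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    return next((str(n) for n in WATCH_RANGES if ip in n), None)

def scan(log_text, canary_path=None):
    """Group (ip, path, status) of requests from watched ranges by range, and
    separately list IPs outside those ranges that fetched the canary path."""
    hits = defaultdict(list)
    canary_others = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue  # skip malformed lines instead of aborting the scan
        rng = in_watch_ranges(rec["ip"])
        if rng:
            hits[rng].append((rec["ip"], rec["path"], int(rec["status"])))
        elif canary_path and rec["path"] == canary_path:
            canary_others.append(rec["ip"])  # e.g. your own visit from the work proxy
    return dict(hits), canary_others
```

Run `scan(SAMPLE_LOG, canary_path="/canary-xk9q2/")` over your real access log instead of the sample to see which vendor-range IPs followed you to pages that returned 401 or 404.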
As for why this happens, I am not sure. Maybe it is a bot to find what customers' employees are looking at, a keyword grabber or something. I am pretty sure it wouldn't be my employer tracking my net usage, as they surely would record that as my HTTP request went out through the proxy in my building. However, I haven't checked if the work proxy is actually in the building...