I'm trying to trace through an error on an extranet site I maintain. I've had a look through the logs, and I'm seeing hits originate from these IP addresses:
- 216.104.15.130
- 216.104.15.138
- 216.104.15.142
- 216.104.15.13
- 150.70.84.49
- 150.70.84.44
Network-tools.com gives 'TREND MICRO INCORPORATED' as the owner of all these IPs.
The hits fail as they aren't sending any cookies (therefore aren't considered logged in). The hits are to pages containing URLs that only the logged-in user would see, i.e. ImageEdit.aspx?ImageId=467424. I.e. the server isn't guessing these URLs; someone would have to log into the site to know these URLs exist.
Theory: the Trend Antivirus client grabs URLs and sends them to the server for 'extra processing'?
Googling around gives me this: http://www.forumpostersunion.com/showthread.php?p=51272 - where people are reporting comment spam from these addresses. The article says their servers have been hacked (a few months ago, presumably fixed now?). A hacked server wouldn't explain how the URLs have been plucked off the users' PCs.
Has anyone seen this before? Anything nefarious going on here?
UPDATE: more info on this here: Micro trend is goofing my system
Trend Micro scans web pages for threats powered by what users are looking for. That, plus proactive checking scans a few billion pages a day. It's all good - once those pages are checked then they're whitelisted.
Note that users and corporates with their security settings cranked up to the maximum setting may block URLs that haven't already been screened.
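The log check the question describes, as an added example that is not from the original thread: it groups cookie-less requests for logged-in-only pages by source IP, separating the addresses listed above (the reputation scanner the answer describes) from any other source that reaches a protected URL without a session, which is the case still worth investigating. The session cookie name (ASP.NET's default), the protected-path pattern and the log line format are assumptions; the log lines are constructed.

```python
import re
from collections import defaultdict

# IPs listed in the question (reported by network-tools.com as Trend Micro's).
KNOWN_SCANNER_IPS = {
    "216.104.15.130", "216.104.15.138", "216.104.15.142", "216.104.15.13",
    "150.70.84.49", "150.70.84.44",
}

# Assumption: the site uses ASP.NET's default session cookie name.
SESSION_COOKIE = "ASP.NET_SessionId"

# Assumption: URL pattern that only a logged-in user should ever request.
PROTECTED_PATH = re.compile(r"^/ImageEdit\.aspx\?ImageId=\d+")

# Assumed (constructed) log format: ip [timestamp] "request line" status "Cookie header".
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)

def has_session(cookie_field: str) -> bool:
    """True when the Cookie header carries a session id ("-" means no header sent)."""
    return cookie_field != "-" and SESSION_COOKIE + "=" in cookie_field

def classify_hits(lines):
    """Count cookie-less requests for protected pages per source IP.

    Returns {"known_scanner": {ip: count}, "unknown_source": {ip: count}}.
    Requests that carry a session cookie, or that target public pages, are ignored.
    """
    result = {"known_scanner": defaultdict(int), "unknown_source": defaultdict(int)}
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m or not PROTECTED_PATH.match(m["path"]) or has_session(m["cookie"]):
            continue
        bucket = "known_scanner" if m["ip"] in KNOWN_SCANNER_IPS else "unknown_source"
        result[bucket][m["ip"]] += 1
    return {k: dict(v) for k, v in result.items()}

# Constructed sample log lines, not taken from the questioner's real logs.
SAMPLE_LOG = """\
216.104.15.130 [10/Mar/2010:12:00:01 +0000] "GET /ImageEdit.aspx?ImageId=467424 HTTP/1.1" 302 "-"
150.70.84.49 [10/Mar/2010:12:00:05 +0000] "GET /ImageEdit.aspx?ImageId=467424 HTTP/1.1" 302 "-"
216.104.15.130 [10/Mar/2010:12:00:09 +0000] "GET /ImageEdit.aspx?ImageId=467425 HTTP/1.1" 302 "-"
203.0.113.7 [10/Mar/2010:12:01:00 +0000] "GET /ImageEdit.aspx?ImageId=467424 HTTP/1.1" 200 "ASP.NET_SessionId=abc123"
203.0.113.7 [10/Mar/2010:12:02:00 +0000] "GET /Default.aspx HTTP/1.1" 200 "-"
198.51.100.9 [10/Mar/2010:12:03:00 +0000] "GET /ImageEdit.aspx?ImageId=467424 HTTP/1.1" 302 "-"
""".splitlines()

if __name__ == "__main__":
    print(classify_hits(SAMPLE_LOG))
```

Any IP that lands in "unknown_source" is the one to follow up on, since it reached a logged-in-only URL without ever holding a session.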