I'm trying to trace thru an error on a extranet site I maintain. I've had a look thru the logs, and I'm seeing hits originate from these IP addresses:
- 216.104.15.130
- 216.104.15.138
- 216.104.15.142
- 216.104.15.13
- 150.70.84.49
- 150.70.84.44
Network-tools.com gives 'TREND MICRO INCORPORATED' as the owner of all these IPs.
The hits fail as they aren't sending any cookies (therefore aren't considered logged in). The hits are to pages containing URLs that only the logged in user would see, i.e. ImageEdit.aspx?ImageId=467424
. I.e. the server isn't guessing these URLs, someone would have to log into the site to know these URLs exist.
Theory: the Trend Antivirus client grabs URLs and sends them to the server for 'extra processing'?
Googling around gives me this: http://www.forumpostersunion.com/showthread.php?p=51272 - where people are reporting comment spam from these addresses. The articles says their servers have been hacked (a few months ago, presumably fixed now?). A hacked server wouldn't explain how the URLs have been plucked off the user's PCs.
Has anyone seen this before? Anything nefarious going on here?
UPDATE: more info on this here: Micro trend is goofing my system