
I'm trying to trace through an error on an extranet site I maintain. I've had a look through the logs, and I'm seeing hits originate from these IP addresses:

  • 216.104.15.130
  • 216.104.15.138
  • 216.104.15.142
  • 216.104.15.13
  • 150.70.84.49
  • 150.70.84.44

Network-tools.com gives 'TREND MICRO INCORPORATED' as the owner of all these IPs.

The hits fail as they aren't sending any cookies (therefore aren't considered logged in). The hits are to pages containing URLs that only the logged-in user would see, e.g. ImageEdit.aspx?ImageId=467424. I.e. the server isn't guessing these URLs; someone would have to log into the site to know these URLs exist.

Theory: the Trend Antivirus client grabs URLs and sends them to the server for 'extra processing'?

Googling around gives me this: http://www.forumpostersunion.com/showthread.php?p=51272 - where people are reporting comment spam from these addresses. The article says their servers have been hacked (a few months ago, presumably fixed now?). A hacked server wouldn't explain how the URLs have been plucked off the users' PCs.

Has anyone seen this before? Anything nefarious going on here?

UPDATE: more info on this here: Micro trend is goofing my system

    I've been analyzing the same problem and this bot is 1 step away from being malware itself. It's completely ignoring our site's robots.txt rules, it presents itself as an MSIE 6.0 user agent, and it messes up our logs. Anyone whose site still uses GET requests to update databases or perform actions would have some very ugly situations on their hands if their users are using Trend Micro. – realworldcoder Mar 31 '11 at 16:45
  • Has anyone come up with a good solution to this problem? We are reluctant to just block all of the Trend Micro IPs because we could then be inadvertently blacklisted as a phishing/malware site. A possible solution could be to return blank HTTP 200 responses to all Trend Micro IPs, so that they would not be detected as errors by their system, but would not cause any further processing on our end. Thoughts? –  Dec 03 '10 at 20:26
  • I've just implemented a solution which always returns an HTTP 200 OK to all Trend Micro IPs. Are there any negative side effects of doing that? – espenhogbakk Sep 27 '11 at 19:46
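
To check the pattern described in the question against real logs, here is an added example (it is not code from the original post or from Trend Micro) that triages IIS W3C log lines: it flags cookieless requests from the listed addresses to login-only URLs and, for each, reports how long after the first logged-in request for the same URL the scanner's copy arrived. The log lines, the protected path list and the assumption that the enclosing /24 blocks belong to the same scanner are constructed for the example.

```python
"""Triage IIS W3C log lines for the pattern in the question: hits from the
listed Trend Micro addresses, sent without a session cookie, to URLs that
only a logged-in user could have learned."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# The six addresses from the question (network-tools.com: TREND MICRO INCORPORATED).
SCANNER_IPS = {
    "216.104.15.130", "216.104.15.138", "216.104.15.142", "216.104.15.13",
    "150.70.84.49", "150.70.84.44",
}
# Assumption for the example: treat the enclosing /24s as scanner space too,
# so a neighbouring address from the same block is not missed.
SCANNER_NETS = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in SCANNER_IPS}

# Assumption: paths on the extranet that require a login.
PROTECTED_PREFIXES = ("/ImageEdit.aspx",)

# Constructed sample log in IIS W3C format ('+' stands for a space inside a field,
# '-' for an empty field such as a missing Cookie header).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query cs(User-Agent) cs(Cookie) sc-status
2010-11-03 09:12:41 10.0.0.25 GET /Default.aspx - Mozilla/4.0+(compatible;+MSIE+8.0) ASP.NET_SessionId=abc123 200
2010-11-03 09:12:44 10.0.0.25 GET /ImageEdit.aspx ImageId=467424 Mozilla/4.0+(compatible;+MSIE+8.0) ASP.NET_SessionId=abc123 200
2010-11-03 09:12:58 216.104.15.130 GET /ImageEdit.aspx ImageId=467424 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) - 302
2010-11-03 09:13:02 150.70.84.44 GET /ImageEdit.aspx ImageId=467424 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) - 302
2010-11-03 09:13:10 150.70.84.44 GET /robots.txt - Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) - 200
2010-11-03 09:15:30 203.0.113.7 GET /ImageEdit.aspx ImageId=999 Mozilla/5.0 - 302
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()
            if fields and len(values) == len(fields):   # skip malformed lines
                yield dict(zip(fields, values))


def is_scanner(ip):
    return ip in SCANNER_IPS or any(ipaddress.ip_address(ip) in net for net in SCANNER_NETS)


def full_url(rec):
    query = rec.get("cs-uri-query", "-")
    return rec["cs-uri-stem"] + ("" if query == "-" else "?" + query)


def triage(text):
    """Return {url: [(scanner_ip, seconds_after_first_logged_in_hit), ...]} for every
    cookieless scanner request to a protected URL. The delay is None when no
    logged-in user requested that URL earlier in the log, which would argue
    against the 'client forwards visited URLs' theory for that hit."""
    first_auth_hit = {}
    findings = defaultdict(list)
    for rec in parse_w3c(text):
        if not rec["cs-uri-stem"].startswith(PROTECTED_PREFIXES):
            continue
        url = full_url(rec)
        when = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        has_cookie = rec.get("cs(Cookie)", "-") != "-"
        if has_cookie and not is_scanner(rec["c-ip"]):
            first_auth_hit.setdefault(url, when)           # genuine user saw it first
        elif not has_cookie and is_scanner(rec["c-ip"]):
            seen = first_auth_hit.get(url)
            delay = (when - seen).total_seconds() if seen else None
            findings[url].append((rec["c-ip"], delay))
    return dict(findings)


if __name__ == "__main__":
    for url, hits in triage(SAMPLE_LOG).items():
        print(url)
        for ip, delay in hits:
            print(f"  {ip}  {delay}s after first logged-in request")
```

The hit from 203.0.113.7 is not reported: it is cookieless and aimed at a protected URL, but not from a scanner address, so it belongs to ordinary unauthenticated traffic rather than this pattern. The robots.txt fetch is likewise skipped because the path is public.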

1 Answer


Trend Micro scans web pages for threats powered by what users are looking for. That, plus proactive checking scans a few billion pages a day. It's all good - once those pages are checked then they're whitelisted.

Note that users and corporates with their security settings cranked up to the maximum setting may block URLs that haven't already been screened.

Dave
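
The workaround the commenters on the question describe, answering the Trend Micro addresses with an empty HTTP 200 rather than a login redirect so the scanner records the page as reachable and clean, written here as an added example in the form of a WSGI middleware. This is not code from the original page; the site stub, the session cookie name ASP.NET_SessionId and the address list are assumptions for the example. It only short-circuits requests that carry no session cookie, so a legitimate user who happens to come from one of those addresses is not affected.

```python
"""WSGI middleware: hand the Trend Micro scanner an empty 200 OK when it
arrives without a session, and leave every other request alone."""
import ipaddress

# Addresses listed in the question; assumption: their /24s are scanner space too.
SCANNER_NETS = [
    ipaddress.ip_network(f"{ip}/24", strict=False)
    for ip in ("216.104.15.130", "216.104.15.138", "216.104.15.142",
               "216.104.15.13", "150.70.84.49", "150.70.84.44")
]
SESSION_COOKIE = "ASP.NET_SessionId"   # assumed name of the site's session cookie


def is_scanner(remote_addr):
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in SCANNER_NETS)


def has_session_cookie(environ):
    cookie_header = environ.get("HTTP_COOKIE", "")
    return any(part.strip().startswith(SESSION_COOKIE + "=")
               for part in cookie_header.split(";"))


def scanner_shortcircuit(app):
    """Wrap a WSGI app: scanner address + no session -> empty 200; else pass through."""
    def wrapped(environ, start_response):
        if is_scanner(environ.get("REMOTE_ADDR", "")) and not has_session_cookie(environ):
            start_response("200 OK", [("Content-Type", "text/plain"),
                                      ("Content-Length", "0")])
            return [b""]
        return app(environ, start_response)
    return wrapped


def site(environ, start_response):
    """Stand-in for the extranet: no session means a redirect to the login page."""
    if has_session_cookie(environ):
        start_response("200 OK", [("Content-Type", "text/html")])
        return [b"<html>image editor</html>"]
    start_response("302 Found", [("Location", "/Login.aspx")])
    return [b""]


def call(app, remote_addr, url, cookie=None):
    """Drive a WSGI app with a minimal environ; return (status, body)."""
    path, _, query = url.partition("?")
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query,
               "REMOTE_ADDR": remote_addr, "SERVER_NAME": "extranet.example",
               "SERVER_PORT": "80", "wsgi.url_scheme": "http"}
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    app = scanner_shortcircuit(site)
    for addr, cookie in [("216.104.15.130", None), ("10.0.0.25", None),
                         ("10.0.0.25", "ASP.NET_SessionId=abc123")]:
        print(addr, cookie, call(app, addr, "/ImageEdit.aspx?ImageId=467424", cookie))
```

Match on REMOTE_ADDR as the server sees it, not on an X-Forwarded-For header, which any client can set to impersonate the scanner. Because the middleware returns before the site's handlers run, a GET that performs an action (the case realworldcoder warns about) is never executed on the scanner's behalf; that remains a reason to move such actions off GET regardless of who is crawling.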