Strange HTTP GET requests from IP 150.70.x.x and IP 62.24.x.x

Recently I started to notice that one of our sites gets strange HTTP GET requests from two IP ranges: 150.70.x.x and IP 62.24.x.x.

The short version goes as follows: we have a web service where users can submit results via an HTTP GET request. For example: {BEDC2C9A-C5E6-4766-B57C-7CC07BB26F59}&result=x

Each new user/request gets a new GUID, like:

{412E9B56-E9CE-4FB5-9804-676FDC9EA3EC}&result=a
{64A00D1D-BCDB-4B5A-9DF3-51CF2BB6B663}&result=b
{CA5B86A1-A6B4-4CA8-AAA6-DC9302CF34D3}&result=c

Because GUIDs are unique, we should get each GUID only once. But this was not true for our web service. We occasionally got duplicate requests. We started to investigate more closely and found that all the duplicate requests come from two IP ranges, 150.70.x.x and 62.24.x.x, and that every “second” request follows the first after 30s – 5 min.
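One way to run the investigation described above over an access log, as an added example that is not the author's code: it groups requests by GUID and reports repeats that arrive from a different address within five minutes of the first use. The `/submit` path, the `id` parameter name and the client addresses are assumptions, since the post does not show them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample log. The /submit path, the "id" parameter name and the
# documentation-range addresses are assumptions; the GUIDs are the post's examples.
SAMPLE_LOG = """\
198.51.100.7 - - [11/Feb/2012:10:00:00 +0000] "GET /submit?id={BEDC2C9A-C5E6-4766-B57C-7CC07BB26F59}&result=x HTTP/1.1" 200 12
198.51.100.8 - - [11/Feb/2012:10:00:40 +0000] "GET /submit?id={412E9B56-E9CE-4FB5-9804-676FDC9EA3EC}&result=a HTTP/1.1" 200 12
203.0.113.50 - - [11/Feb/2012:10:01:30 +0000] "GET /submit?id=%7BBEDC2C9A-C5E6-4766-B57C-7CC07BB26F59%7D&result=x HTTP/1.0" 200 12
198.51.100.9 - - [11/Feb/2012:10:02:00 +0000] "GET /submit?id={64A00D1D-BCDB-4B5A-9DF3-51CF2BB6B663}&result=b HTTP/1.1" 200 12
198.51.100.9 - - [11/Feb/2012:10:02:01 +0000] "GET /submit?id={64A00D1D-BCDB-4B5A-9DF3-51CF2BB6B663}&result=b HTTP/1.1" 200 12
203.0.113.51 - - [11/Feb/2012:10:30:00 +0000] "GET /submit?id={412E9B56-E9CE-4FB5-9804-676FDC9EA3EC}&result=a HTTP/1.1" 200 12
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) HTTP/[\d.]+" \d{3} ')

def parse(log_text, param="id"):
    """Yield (guid, ip, time) for each GET that carries the GUID parameter."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, stamp, target = m.groups()
        # parse_qs percent-decodes, so %7B..%7D and {..} give the same GUID
        values = parse_qs(urlsplit(target).query).get(param)
        if values:
            when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
            yield values[0].strip("{}").upper(), ip, when

def find_replays(log_text, max_delay=timedelta(minutes=5)):
    """Return (guid, first_ip, replay_ip, delay_seconds) for every repeat of a
    GUID sent from a different address within max_delay of its first use."""
    seen = defaultdict(list)
    for guid, ip, when in parse(log_text):
        seen[guid].append((when, ip))
    replays = []
    for guid, hits in seen.items():
        hits.sort()
        first_when, first_ip = hits[0]
        for when, ip in hits[1:]:
            delay = (when - first_when).total_seconds()
            if ip != first_ip and delay <= max_delay.total_seconds():
                replays.append((guid, first_ip, ip, int(delay)))
    return replays

if __name__ == "__main__":
    for guid, first_ip, replay_ip, delay in find_replays(SAMPLE_LOG):
        print(f"{guid}: first from {first_ip}, replayed by {replay_ip} after {delay}s")
```

A repeat from the same address (a double submit by the user) and a repeat outside the window are deliberately not reported; widen `max_delay` to see the latter.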

We did a Google search and found that the 150.70 IP range belongs to Trend Micro. There is even a statement from them:

Dear Site Owner,

To protect our customers from visiting a malicious or harmful site, web pages of the applicable URLs are downloaded and scanned by our servers. Thus, you may have noticed a few visits from our IPs. Please be assured that this poses no security risk to your web sites as our servers do not perform any action other than scanning the sites.
We then store the rating of the web site in our server cache so that our servers will no longer access those pages for analysis when a customer chooses to visit those web sites again. We have already asked our server owner to add the rating for the following domain(s);
The setting will take effect soon, please verify it again on your site.
Sorry for any inconvenience and please inform us of any other concerns you may have.
Best Regards,
Trend Micro


It seems that Trend Micro is spying on their customers. The second range comes from the UK ISP Talk Talk, which apparently spies on its customers too.

Here are some links with more reading:
Search Engine Spider and User Agent Identification Forum from
IP Address Inspector –
Im Being Monitored/Watched?

P.S. Most probably they do not try to make HTTP POST requests; I do not know. We probably should use POST too, but that’s another story.
P.P.S. Some encryption like SSL should be mandatory for all Internet traffic in the future.

4 replies on “Strange HTTP GET requests from IP 150.70.x.x and IP 62.24.x.x”

  1. Yeah, the Cisco router I am connected to appears to have this software installed.

    The strange thing is that it doesn't only request the same URLs…

    it appears to be running intrusion scripts on common urls… (my example is phpmyadmin)

    here is my example;
    On a new/fresh/5min old Amazon Instance, after I accessed phpmyadmin.

    The 150.70.x.x range requests my requested URLs (on a Linux client) and comes back regularly to try the URL again…
    the scan below is run from

    I have the server blocking access to all IPs, so the requests end in 403. The intrusion script appears to try various combos.

    Anyone else seeing this behavior?

    Apache Error Log

    - - [11/Feb/2012:19:53:58 +0000] "GET /phpmyadmin/js/functions.js?ts=1324498093 HTTP/1.0" 403 317
    - - [11/Feb/2012:19:54:00 +0000] "GET /phpmyadmin/js/pMap.js?ts=1324498093 HTTP/1.0" 403 312
    - - [11/Feb/2012:19:54:01 +0000] "GET /phpmyadmin/js/sql.js?ts=1324498093 HTTP/1.0" 403 311
    - - [11/Feb/2012:20:02:43 +0000] "GET / HTTP/1.1" 403 3839
    - - [11/Feb/2012:20:03:56 +0000] "GET //phpmyadmin/ HTTP/1.1" 403 290
    - - [11/Feb/2012:20:03:56 +0000] "GET //_phpMyAdmin/ HTTP/1.1" 403 291
    - - [11/Feb/2012:20:03:57 +0000] "GET //pHpMyAdMiN/ HTTP/1.1" 403 290
    - - [11/Feb/2012:20:03:57 +0000] "GET //webdb/ HTTP/1.1" 403 285
    - - [11/Feb/2012:20:03:57 +0000] "GET //wp-phpmyadmin/ HTTP/1.1" 403 293
    - - [11/Feb/2012:20:03:57 +0000] "GET //admn/ HTTP/1.1" 403 284
    - - [11/Feb/2012:20:04:01 +0000] "GET //MyAdmin/ HTTP/1.1" 403 287
    - - [11/Feb/2012:20:04:01 +0000] "GET //phpmanager/ HTTP/1.1" 403 290
    - - [11/Feb/2012:20:04:01 +0000] "GET //backup/phpmyadmin/ HTTP/1.1" 403 297
    - - [11/Feb/2012:20:04:02 +0000] "GET //backup/phpMyAdmin/ HTTP/1.1" 403 297
    - - [11/Feb/2012:20:04:11 +0000] "GET //admin/ HTTP/1.1" 403 285
    - - [11/Feb/2012:20:04:11 +0000] "GET //dbadmin/ HTTP/1.1" 403 287
    - - [11/Feb/2012:20:04:12 +0000] "GET //sql/ HTTP/1.1" 403 283
    - - [11/Feb/2012:20:04:12 +0000] "GET //mysql/ HTTP/1.1" 403 285
    - - [11/Feb/2012:20:04:12 +0000] "GET //myadmin/ HTTP/1.1" 403 287
    - - [11/Feb/2012:20:04:12 +0000] "GET //phpmyadmin2/ HTTP/1.1" 403 291
    - - [11/Feb/2012:20:04:13 +0000] "GET //phpMyAdmin2/ HTTP/1.1" 403 291
    - - [11/Feb/2012:20:04:13 +0000] "GET //phpMyAdmin-2/ HTTP/1.1" 403 292
    - - [11/Feb/2012:20:04:16 +0000] "GET //sqlmanager/ HTTP/1.1" 403 290
    - - [11/Feb/2012:20:04:23 +0000] "GET //PMA2005/ HTTP/1.1" 403 287
    - - [11/Feb/2012:20:04:32 +0000] "GET //phpmy-admin/ HTTP/1.1" 403 291
    - - [11/Feb/2012:20:04:35 +0000] "GET //sqlweb/ HTTP/1.1" 403 286
