rejetto forum
Topic: wrong ip in log
Gr0b
« on: November 04, 2010, 06:41:10 AM »


I have an issue with the beta. I have upgraded to the beta from years of stables but have found that the beta does not correctly log the remote IP addresses, so in the logs I am seeing lots of this (below) and not real IPs. (I have also upgraded from XPProSP3 to Win7x64.)

6:11:53 PM 192.168.1.1:42012 Requested GET /
6:36:53 PM 192.168.1.1:42065 Requested GET /
7:01:53 PM 192.168.1.1:42132 Requested GET /
7:26:53 PM 192.168.1.1:42173 Requested GET /
7:51:53 PM 192.168.1.1:42216 Requested GET /
8:16:53 PM 192.168.1.1:42243 Requested GET /
8:41:53 PM 192.168.1.1:42310 Requested GET /
9:06:53 PM 192.168.1.1:42353 Requested GET /
9:31:53 PM 192.168.1.1:42397 Requested GET /
9:56:53 PM 192.168.1.1:42425 Requested GET /
rejetto
« Reply #1 on: November 09, 2010, 11:31:36 AM »

are you using stunnel or any other proxy you know?
Gr0b
« Reply #2 on: November 10, 2010, 05:46:15 AM »

I am not using any proxies or tunnels for this service. I do have a VPN in and do use SSH tunnels in, but not to this server or port.
Normally I don't have services on the default ports, so this is the first time in a long time I have had an HTTP service on port 80.

I have added more log info below (I have changed my Host: IP). You can also see that I did get at least 2 real IPs at the bottom. I think it's some kind of worm/bot scanning around the web looking for an exploitable server. I have noticed that most of the requests that have an internal IP have the same user-agent (NoScripts). I don't have NoScripts installed inside my network as I mostly use Chrome. I have also had 1308 hits in 3 days; the public server that has the service hosted on port 88 using an older version of HFS only gets about 5-10 hits per day and it shows real IPs.


> GET / HTTP/1.1
> Host: 110.175.x.x
> User-Agent: Mozilla/5.0 (ABE, http://noscript.net/abe/wan)
> Pragma: no-cache
> Cache-Control: no-cache
10/11/2010 8:27:01 PM 192.168.1.1:58815 Sent 1460 bytes
10/11/2010 8:27:01 PM 192.168.1.1:58815 Served 4.11 K
10/11/2010 8:52:01 PM 192.168.1.1:58856 Connected
10/11/2010 8:52:01 PM 192.168.1.1:58856 Got 143 bytes
10/11/2010 8:52:01 PM 192.168.1.1:58856 Requested GET /
10/11/2010 8:52:01 PM 192.168.1.1:58856 Request dump
> GET / HTTP/1.1
> Host: 110.175.x.x
> User-Agent: Mozilla/5.0 (ABE, http://noscript.net/abe/wan)
> Pragma: no-cache
> Cache-Control: no-cache
10/11/2010 8:52:01 PM 192.168.1.1:58856 Sent 1460 bytes
10/11/2010 8:52:01 PM 192.168.1.1:58856 Served 4.11 K
10/11/2010 9:17:01 PM 192.168.1.1:58883 Connected
10/11/2010 9:17:01 PM 192.168.1.1:58883 Got 143 bytes
10/11/2010 9:17:01 PM 192.168.1.1:58883 Requested GET /
10/11/2010 9:17:01 PM 192.168.1.1:58883 Request dump
> GET / HTTP/1.1
> Host: 110.175.x.x
> User-Agent: Mozilla/5.0 (ABE, http://noscript.net/abe/wan)
> Pragma: no-cache
> Cache-Control: no-cache
10/11/2010 9:17:01 PM 192.168.1.1:58883 Sent 1460 bytes
10/11/2010 9:17:01 PM 192.168.1.1:58883 Served 4.11 K
10/11/2010 9:18:00 PM 114.76.57.13:1748 Connected
10/11/2010 9:18:00 PM 114.76.57.13:1748 Got 59 bytes
10/11/2010 9:30:54 PM 122.179.24.86:2158 Connected
10/11/2010 9:30:54 PM 122.179.24.86:2158 Got 46 bytes
10/11/2010 9:31:03 PM 217.92.71.210:43372 Connected
10/11/2010 9:31:03 PM 217.92.71.210:43372 Got 50 bytes
10/11/2010 9:42:01 PM 192.168.1.1:59284 Connected
10/11/2010 9:42:01 PM 192.168.1.1:59284 Got 143 bytes
10/11/2010 9:42:01 PM 192.168.1.1:59284 Requested GET /
10/11/2010 9:42:01 PM 192.168.1.1:59284 Request dump
> GET / HTTP/1.1
> Host: 110.175.x.x
> User-Agent: Mozilla/5.0 (ABE, http://noscript.net/abe/wan)
> Pragma: no-cache
> Cache-Control: no-cache
10/11/2010 9:42:01 PM 192.168.1.1:59284 Sent 1460 bytes
10/11/2010 9:42:01 PM 192.168.1.1:59284 Served 4.11 K
10/11/2010 9:46:28 PM 217.208.158.15:49276 Connected
10/11/2010 9:46:28 PM 217.208.158.15:49276 Got 36 bytes
10/11/2010 10:01:55 PM 174.97.155.35:56228 Connected
10/11/2010 10:01:55 PM 174.97.155.35:56228 Got 33 bytes
10/11/2010 10:07:01 PM 192.168.1.1:59445 Connected
10/11/2010 10:07:01 PM 192.168.1.1:59445 Got 143 bytes
10/11/2010 10:07:01 PM 192.168.1.1:59445 Requested GET /
10/11/2010 10:07:01 PM 192.168.1.1:59445 Request dump
rejetto
« Reply #3 on: November 29, 2010, 09:42:24 AM »

sorry for the late reply.
from what i can see, those connections are truly coming from 192.168.1.1
i guess you should investigate on this ABE thing.
at the moment i see no reason to think the problem is related to HFS 2.3 but you can try to revert to 2.2 to see if the problem stops.
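A triage sketch for the log discussed in this thread, added here as an example and not code from HFS or from any poster: it groups events by source address, flags private sources, collects the User-Agent values from request dumps, and measures the gap between requests. The names `summarize`, `EVENT` and `STAMP_FORMAT`, and the day/month date order, are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Lines copied from the log posted in Reply #2, trimmed for brevity.
SAMPLE_LOG = """\
10/11/2010 8:52:01 PM 192.168.1.1:58856 Requested GET /
10/11/2010 8:52:01 PM 192.168.1.1:58856 Request dump
> GET / HTTP/1.1
> User-Agent: Mozilla/5.0 (ABE, http://noscript.net/abe/wan)
10/11/2010 9:17:01 PM 192.168.1.1:58883 Requested GET /
10/11/2010 9:18:00 PM 114.76.57.13:1748 Connected
10/11/2010 9:18:00 PM 114.76.57.13:1748 Got 59 bytes
10/11/2010 9:42:01 PM 192.168.1.1:59284 Requested GET /
"""

# timestamp, source IP, source port, action (layout as shown in the thread)
EVENT = re.compile(r"^(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) (\d+\.\d+\.\d+\.\d+):(\d+) (.*)$")
STAMP_FORMAT = "%d/%m/%Y %I:%M:%S %p"  # assumption: day/month order

def summarize(log_text):
    """Per source IP: private or not, request count, gaps in minutes, User-Agents."""
    sources = defaultdict(lambda: {"requests": [], "agents": set()})
    current = None  # IP of the latest event line; it owns the dump lines that follow
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if m:
            stamp, current, _port, action = m.groups()
            entry = sources[current]  # also registers sources that only connected
            if action.startswith("Requested "):
                entry["requests"].append(datetime.strptime(stamp, STAMP_FORMAT))
        elif line.startswith("> User-Agent:") and current:
            sources[current]["agents"].add(line.split(":", 1)[1].strip())
    report = {}
    for ip, entry in sources.items():
        times = sorted(entry["requests"])
        gaps = [int((b - a).total_seconds() // 60) for a, b in zip(times, times[1:])]
        report[ip] = {
            "private": ipaddress.ip_address(ip).is_private,
            "requests": len(times),
            "gap_minutes": gaps,
            "agents": sorted(entry["agents"]),
        }
    return report

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

A private source that requests `/` at a fixed interval with a single User-Agent points at something automated behind or on the gateway, while public sources that connect without a parsed request are a separate pattern to review.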