Author Topic: wrong ip in log  (Read 3129 times)


Offline Gr0b

  • Occasional poster
  • Posts: 2
wrong ip in log
« on: November 04, 2010, 11:41:10 AM »

I have an issue with the beta. I have upgraded to the beta from years of stables but have found that the beta does not correctly log the remote IP addresses, so in the logs I am seeing lots of this (below) and not real IPs. (I have also upgraded from XPProSP3 to Win7x64.)

6:11:53 PM 192.168.1.1:42012 Requested GET /
6:36:53 PM 192.168.1.1:42065 Requested GET /
7:01:53 PM 192.168.1.1:42132 Requested GET /
7:26:53 PM 192.168.1.1:42173 Requested GET /
7:51:53 PM 192.168.1.1:42216 Requested GET /
8:16:53 PM 192.168.1.1:42243 Requested GET /
8:41:53 PM 192.168.1.1:42310 Requested GET /
9:06:53 PM 192.168.1.1:42353 Requested GET /
9:31:53 PM 192.168.1.1:42397 Requested GET /
9:56:53 PM 192.168.1.1:42425 Requested GET /

Offline rejetto

  • Administrator
  • Tireless poster
  • Posts: 12949
Re: wrong ip in log
« Reply #1 on: November 09, 2010, 05:31:36 PM »
are you using stunnel or any other proxy you know?

Offline Gr0b

Re: wrong ip in log
« Reply #2 on: November 10, 2010, 11:46:15 AM »
I am not using any proxies or tunnels for this service. I do have a VPN in and do use SSH tunnels in but not to this server or port.
Normally I don't have services on the default ports so this is the first time in a long time I have had an HTTP service on port 80.

I have added more log info below (I have changed my Host: IP). You can also see that I did get at least 2 real IPs at the bottom. I think it's some kind of worm/bot scanning around the web looking for an exploitable server. I have noticed that most of the requests that have an internal IP have the same user-agent (NoScripts). I don't have NoScripts installed inside my network as I mostly use Chrome. I have also had 1308 hits in 3 days; the public server that has the service hosted on port 88 using an older version of HFS only gets about 5-10 hits per day and it shows real IPs.


> GET / HTTP/1.1
> Host: 110.175.x.x
> User-Agent: Mozilla/5.0 (ABE, http://noscript.net/abe/wan)
> Pragma: no-cache
> Cache-Control: no-cache
10/11/2010 8:27:01 PM 192.168.1.1:58815 Sent 1460 bytes
10/11/2010 8:27:01 PM 192.168.1.1:58815 Served 4.11 K
10/11/2010 8:52:01 PM 192.168.1.1:58856 Connected
10/11/2010 8:52:01 PM 192.168.1.1:58856 Got 143 bytes
10/11/2010 8:52:01 PM 192.168.1.1:58856 Requested GET /
10/11/2010 8:52:01 PM 192.168.1.1:58856 Request dump
> GET / HTTP/1.1
> Host: 110.175.x.x
> User-Agent: Mozilla/5.0 (ABE, http://noscript.net/abe/wan)
> Pragma: no-cache
> Cache-Control: no-cache
10/11/2010 8:52:01 PM 192.168.1.1:58856 Sent 1460 bytes
10/11/2010 8:52:01 PM 192.168.1.1:58856 Served 4.11 K
10/11/2010 9:17:01 PM 192.168.1.1:58883 Connected
10/11/2010 9:17:01 PM 192.168.1.1:58883 Got 143 bytes
10/11/2010 9:17:01 PM 192.168.1.1:58883 Requested GET /
10/11/2010 9:17:01 PM 192.168.1.1:58883 Request dump
> GET / HTTP/1.1
> Host: 110.175.x.x
> User-Agent: Mozilla/5.0 (ABE, http://noscript.net/abe/wan)
> Pragma: no-cache
> Cache-Control: no-cache
10/11/2010 9:17:01 PM 192.168.1.1:58883 Sent 1460 bytes
10/11/2010 9:17:01 PM 192.168.1.1:58883 Served 4.11 K
10/11/2010 9:18:00 PM 114.76.57.13:1748 Connected
10/11/2010 9:18:00 PM 114.76.57.13:1748 Got 59 bytes
10/11/2010 9:30:54 PM 122.179.24.86:2158 Connected
10/11/2010 9:30:54 PM 122.179.24.86:2158 Got 46 bytes
10/11/2010 9:31:03 PM 217.92.71.210:43372 Connected
10/11/2010 9:31:03 PM 217.92.71.210:43372 Got 50 bytes
10/11/2010 9:42:01 PM 192.168.1.1:59284 Connected
10/11/2010 9:42:01 PM 192.168.1.1:59284 Got 143 bytes
10/11/2010 9:42:01 PM 192.168.1.1:59284 Requested GET /
10/11/2010 9:42:01 PM 192.168.1.1:59284 Request dump
> GET / HTTP/1.1
> Host: 110.175.x.x
> User-Agent: Mozilla/5.0 (ABE, http://noscript.net/abe/wan)
> Pragma: no-cache
> Cache-Control: no-cache
10/11/2010 9:42:01 PM 192.168.1.1:59284 Sent 1460 bytes
10/11/2010 9:42:01 PM 192.168.1.1:59284 Served 4.11 K
10/11/2010 9:46:28 PM 217.208.158.15:49276 Connected
10/11/2010 9:46:28 PM 217.208.158.15:49276 Got 36 bytes
10/11/2010 10:01:55 PM 174.97.155.35:56228 Connected
10/11/2010 10:01:55 PM 174.97.155.35:56228 Got 33 bytes
10/11/2010 10:07:01 PM 192.168.1.1:59445 Connected
10/11/2010 10:07:01 PM 192.168.1.1:59445 Got 143 bytes
10/11/2010 10:07:01 PM 192.168.1.1:59445 Requested GET /
10/11/2010 10:07:01 PM 192.168.1.1:59445 Request dump

Offline rejetto

Re: wrong ip in log
« Reply #3 on: November 29, 2010, 03:42:24 PM »
sorry for the late reply.
from what i can see, those connections are truly coming from 192.168.1.1
i guess you should investigate on this ABE thing.
at the moment i see no reason to think the problem is related to HFS 2.3 but you can try to revert to 2.2 to see if the problem stops.