Alright, after battling back and forth over this with our host, I have gotten some information... however, I am not sure how accurate it is. Can someone help me verify this stuff?

[]
Hello,

It is much more likely to be a bug in your application where a http connection
is being initiated to itself. This is the only possible cause for an internal
server farm IP to appear in the CGI Environment.


Let me know if I can help you further.

Regards,

Paul Trebilco.
[/]

My response with his comments interspersed:
[]
Hello,


"Christopher Burns" <[email protected]> wrote:

--Start Snip--

> Hi Paul,
>
> Not sure I follow. If I go through Anonymizer.com or use any of the
> existing software out there to hide my IP, it seems that spoofing my IP to
> 10.x.x.x would be the way to go, wouldn't it?

Except that 10.x.x.x is a non routing IP, the replies would never ever ever get
back out past our router. 10.1.1.6 is the internal access address of our server
farm. If you see that address in the logs then it means your application has
connected to itself, i.e. an fopen command was initiated to the resident website.
There are any number of reasons why this may occur. Most likely if your app uses
templates then it may fopen to itself. It's not ideal but I do see some forum
software using the method.

>
> When you say it is more likely a bug in the app where an http connection is
> being initiated to itself, can you give me an example of that situation? I
> cannot think of anywhere on our site (as I understand what you are saying)
> that this could be the case... but, alas, I am admittedly ignorant here.
>

Did you not submit a support request not so long ago RE a PHP fopen function?
Perfect example right there.

> The offending IP seems to isolate to one specific area of our site, the
> Library. Is there any sort of server logs you guys keep that would show
> someone with the IP 10.1.1.6 accessing our site and what they are doing?

Give me specific dates. But like we keep telling you, that ip is a legitimate
ip of our webfarm. Quite a few customer forums see that ip in request logs.
It does not reverse resolve to any host name because it is a private address.
Our private address.

>
> Thanks,
>
> Chris
[/]

My response:
[]
Hi Paul,

Ok... so you are saying that if someone attaches to our site with the IP 10.1.1.6 they won't be able to view anything?? This person is obviously navigating to a specific place on our site. Now, granted I have not caught him at any time other than being in the Library, so I do not know if there actually was a trail that he followed. IF he just appeared in there, then I can definitely see what you are saying.

The fopen issue was being used to test valid URLs for our links gallery, and they would not be accessing our own site.

The latest hit we got was on 4/21/03 at 8:48pm (Pacific Standard Time). Also on 04/18/03 10:55pm (Central Standard Time). Then again at 04/18/03 08:58pm (S. Australia Time). Our first notice was on 03/31/03 07:25pm (Pacific Standard Time).

Hope those help! It sounds like we may be over-reacting to some coincidental stimulus, and your inherent operations... is that true?

Cheers,

Chris
[/]

His response:
[]
Hello,

Here is a log entry for 1 particular occurrence I found in the server logs.

10.1.1.6 sr - [22/Apr/2003:22:58:18 +1000] www.syngnathid.org 80 "GET
/ubbthreads/articlesLibrary.php HTTP/1.0" 200 6812 "-" "PHP/4.2.3" "-" syngnathids

The IP address and the User agent (PHP/4.2.3) definitely point to a php fopen
command originating on the webfarm.

A quick search of your home directory reveals this;


index.php: include
"http://www.syngnathid.org/ubbthreads/articlesLibrary.php";
index.php: include
"http://www.syngnathid.org/ubbthreads/articlesLibrary.php";
templates/default/ubbt_registerednav.tmpl:<a href =
"$phpurl/articlesLibrary.php" $target>{$ubbt_lang['LIBRARY']}</a>

I'm pretty sure the include statements in your index.php page are invoking the
php fopen subclasses.

Let me know if I can help you further.

Regards,

Paul Trebilco.
[/]

My response:
[]
Hi Paul,

So would that not say that if I were to go login as myself, and then view articles in the library, we should see the 10.1.1.6 IP address popup in our Who's Online and your logs?

It seems that for the most part this IP is in there with other more natural IPs, but I do seem to recall seeing it in the Library all alone on more than one occasion...

Let me know, and maybe we can try to test this.

Cheers,

Chris
[/]

Their latest comment (this one sounds fishy to me):
[]

As Paul mentioned, the presence of that IP can only be originating from an internal call within your script because 10.X IP ranges are only routable to our internal network and not to the outside. You do not need to worry about it.

Regards,

Martial Herbaut.
[/]

I know you can go through an anonymizing portal that will wipe your real IP and give you a bogus one, along the lines of 10.x.x.x. So for them to say that the user with that IP is being generated by internal systems doesn't sound kosher to me.

On top of that, if I go in to the Library and poke around, I can watch the Online table and see that no user with IP 10.1.1.6 EVER shows up...

So, I guess I am looking for the truth of the matter here... can anyone edify me? Please?!?!!?


"Some dream of doing great things, while others stay awake and get on with it."
      -- Anonymous
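
Added example, not part of the original post or the host's own tooling: one way to test the explanation given in the emails above is to collect the URLs the site's PHP source fetches over HTTP and label a log hit as a self-request only when the private source IP, the PHP/ user agent and the requested path all agree. The log field layout is an assumption inferred from the single entry quoted above (re-joined onto one line here), and the second and third log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Field layout inferred from the one log entry quoted in the post (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] (?P<vhost>\S+) \d+ '
    r'"\S+ (?P<path>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"')
# PHP statements whose argument is an http(s) URL literal (fetched by PHP itself).
REMOTE_RE = re.compile(
    r'\b(?:include|require)(?:_once)?\s*\(?\s*["\'](https?://[^"\']+)'
    r'|\b(?:fopen|file)\s*\(\s*["\'](https?://[^"\']+)', re.I)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def remote_fetch_targets(php_source):
    """(host, path) pairs the PHP source fetches over HTTP."""
    urls = (urlparse(a or b) for a, b in REMOTE_RE.findall(php_source))
    return {(u.hostname, u.path) for u in urls}

def classify(line, targets):
    """Label one access-log line against the fetch targets found in source."""
    m = LOG_RE.match(line)
    if not m:
        return "unparsed"
    try:
        addr = ipaddress.ip_address(m["ip"])
    except ValueError:
        return "unparsed"
    private = any(addr in net for net in RFC1918)
    php_client = m["agent"].startswith("PHP/")
    known = (m["vhost"].lower(), m["path"].split("?")[0]) in targets
    if private and php_client and known:
        return "self-request"   # explained by an include/fopen in the site's code
    if private or php_client:
        return "review"         # partial match: not explained by the source scan
    return "external"

# index.php line as reported by the host's search; log lines 2-3 are constructed.
INDEX_PHP = 'include\n"http://www.syngnathid.org/ubbthreads/articlesLibrary.php";'
LOG_LINES = [
    '10.1.1.6 sr - [22/Apr/2003:22:58:18 +1000] www.syngnathid.org 80 "GET /ubbthreads/articlesLibrary.php HTTP/1.0" 200 6812 "-" "PHP/4.2.3" "-" syngnathids',
    '203.0.113.9 sr - [22/Apr/2003:22:59:02 +1000] www.syngnathid.org 80 "GET /ubbthreads/articlesLibrary.php HTTP/1.1" 200 6812 "-" "Mozilla/4.0" "-" syngnathids',
    '10.1.1.6 sr - [22/Apr/2003:23:01:40 +1000] www.syngnathid.org 80 "GET /ubbthreads/login.php HTTP/1.1" 200 512 "-" "Mozilla/4.0" "-" syngnathids',
]

if __name__ == "__main__":
    targets = remote_fetch_targets(INDEX_PHP)
    for entry in LOG_LINES:
        print(classify(entry, targets), entry.split('"')[1])
```

Lines labelled "review" are the ones worth raising with the host, since a private source address or PHP user agent appears there without a matching include or fopen in the scanned source.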