Security Incidents mailing list archives
RE: Weird Incoming IP's and port numbers.
From: "NESTING, DAVID M (SBCSI)" <dn3723 () sbc com>
Date: Mon, 27 Aug 2001 16:47:43 -0500
This looks to me like a badly configured HTTP server farm. You're probably hitting a web site that passes the request back to a set of servers using RFC1918 addresses. These servers should in theory either proxy their results back through the same path, or be NAT'd back to the source IP that you were attempting to connect to.

I've seen this pretty frequently with a few web hosting companies. Fortunately the connection attempt keeps retransmitting and I eventually get through to a server that responds from the correct source IP. Every time I've noticed this I've e-mailed the provider and have never gotten a response. I don't recall the name of the site, but it was reasonably high-profile. I wonder if it's the same provider you're hitting.

Does this sound consistent?

David

-----Original Message-----
From: West P. [mailto:god-admin () home com]
Sent: Sunday, August 26, 2001 21:21
To: incidents () securityfocus com
Subject: Weird Incoming IP's and port numbers.

DATE        TIME      SCR           SCR_PORT  DEST             DEST_PORT
08/25/2001  13:24:52  192.168.1.8   80        <my ip address>  3976
08/25/2001  19:04:42  192.168.1.16  80        <my ip address>  4319
08/25/2001  23:25:38  192.168.1.9   80        <my ip address>  4450

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
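
One way to check the explanation in the message above against local logs (an added example, not part of the original thread): match each inbound packet from an RFC1918 source to an outbound connection whose local port and remote port line up within a short window. The outbound log format, the 60-second window, the addresses 203.0.113.5 and 198.51.100.20, and the fourth inbound row are assumptions constructed for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Inbound rows: the three from the post plus one constructed row (the last).
# 203.0.113.5 is a documentation address standing in for "<my ip address>".
INBOUND_LOG = """\
08/25/2001 13:24:52 192.168.1.8 80 203.0.113.5 3976
08/25/2001 19:04:42 192.168.1.16 80 203.0.113.5 4319
08/25/2001 23:25:38 192.168.1.9 80 203.0.113.5 4450
08/25/2001 23:40:10 10.9.8.7 31337 203.0.113.5 139
"""
# Constructed, hypothetical outbound log: date time local_port remote_ip remote_port
OUTBOUND_LOG = """\
08/25/2001 13:24:49 3976 198.51.100.20 80
08/25/2001 19:04:40 4319 198.51.100.20 80
08/25/2001 22:10:00 4450 198.51.100.20 80
"""
FMT = "%m/%d/%Y %H:%M:%S"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def parse_outbound(text):
    rows = []
    for line in text.splitlines():
        date, time, lport, rip, rport = line.split()
        rows.append((datetime.strptime(f"{date} {time}", FMT), int(lport), rip, int(rport)))
    return rows

def classify(inbound, outbound, window=timedelta(seconds=60)):
    """Label inbound packets that arrive from RFC1918 sources.
    'misrouted-reply': ports mirror an outbound connection opened within `window`;
    'unexplained': private source with no matching outbound connection."""
    out = parse_outbound(outbound)
    results = []
    for line in inbound.splitlines():
        date, time, src, sport, _dst, dport = line.split()
        if not is_rfc1918(src):
            continue
        ts = datetime.strptime(f"{date} {time}", FMT)
        match = next((o for o in out if o[1] == int(dport) and o[3] == int(sport)
                      and timedelta(0) <= ts - o[0] <= window), None)
        results.append((src, int(dport), "misrouted-reply" if match else "unexplained",
                        match[2] if match else None))
    return results
```

The third row stays "unexplained" because the only outbound connection on local port 4450 is over an hour older than the packet, which is the port-reuse case the time window is there to exclude.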