Security Incidents mailing list archives

RE: Weird Incoming IP's and port numbers.


From: "NESTING, DAVID M (SBCSI)" <dn3723 () sbc com>
Date: Mon, 27 Aug 2001 16:47:43 -0500

This looks to me like a badly configured HTTP server farm.  You're probably
hitting a web site that passes the request back to a set of servers using
RFC1918 addresses.  These servers should in theory either proxy their
results back through the same path, or be NAT'd back to the source IP that
you were attempting to connect to.

I've seen this pretty frequently with a few web hosting companies.
Fortunately the connection attempt keeps retransmitting and I eventually get
through to a server that responds from the correct source IP.  Every time
I've noticed this I've e-mailed the provider and have never gotten a
response.  I don't recall the name of the site, but it was reasonably
high-profile.  I wonder if it's the same provider you're hitting.

Does this sound consistent?

David

-----Original Message-----
From: West P. [mailto:god-admin () home com]
Sent: Sunday, August 26, 2001 21:21
To: incidents () securityfocus com
Subject: Weird Incoming IP's and port numbers.

DATE        TIME      SCR           SCR_PORT  DEST             DEST_PORT
08/25/2001  13:24:52  192.168.1.8   80        <my ip address>  3976
08/25/2001  19:04:42  192.168.1.16  80        <my ip address>  4319
08/25/2001  23:25:38  192.168.1.9   80        <my ip address>  4450


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
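
A triage check for log rows like the ones quoted above, added here as an example and not part of either poster's message: it flags RFC 1918 sources and separates rows that match a connection the host itself opened (the misrouted-reply case described in the reply) from unsolicited ones. The outbound connection set, the 203.0.113.10 destination and the last two log rows are constructed assumptions.

```python
import ipaddress
import re

# RFC 1918 private ranges; these should not appear as a source on an Internet-facing interface.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# date, time, source IP, source port, destination, destination port
ROW = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2}:\d{2})\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")

# Constructed sample: the first two rows mirror the quoted log, the last two are invented contrasts.
SAMPLE_LOG = """\
DATE        TIME      SCR           SCR_PORT  DEST          DEST_PORT
08/25/2001  13:24:52  192.168.1.8   80        203.0.113.10  3976
08/25/2001  19:04:42  192.168.1.16  80        203.0.113.10  4319
08/25/2001  23:25:38  10.9.9.9      4444      203.0.113.10  135
08/25/2001  23:30:00  198.51.100.7  80        203.0.113.10  4450
"""
# Assumed input: (local_port, remote_port) pairs this host recently opened, e.g. from netstat history.
SAMPLE_OUTBOUND = {(3976, 80), (4319, 80), (4450, 80)}

def parse(log_text):
    """Yield one dict per data row; header, blank and malformed lines are skipped."""
    for line in log_text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        date, time, src, sport, dst, dport = m.groups()
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            continue
        yield {"when": f"{date} {time}", "src": src_ip, "sport": int(sport), "dport": int(dport)}

def classify(row, outbound):
    if not any(row["src"] in net for net in RFC1918):
        return "public-source"
    # A reply to our own connection carries the server port as source and our ephemeral port as destination.
    if (row["dport"], row["sport"]) in outbound:
        return "misrouted-reply"
    return "unsolicited-private-source"

def triage(log_text, outbound):
    return [(r["when"], str(r["src"]), classify(r, outbound)) for r in parse(log_text)]

if __name__ == "__main__":
    for when, src, verdict in triage(SAMPLE_LOG, SAMPLE_OUTBOUND):
        print(f"{when}  {src:<14} {verdict}")
```

Rows labelled misrouted-reply fit the server-farm explanation; unsolicited-private-source rows have no matching outbound connection and need a separate look.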

