
Why does someone else's IP show my site?

found it in the error page hits on my IIS log


nonprof webguy

11:03 pm on Jan 3, 2003 (gmt 0)



Yesterday I noticed that in my IIS logs last month, I got one of those annoying attacks looking for unpatched vulnerabilities in my Microsoft web server; they show up in the query strings of hits on my error page. What was strange was that instead of starting with "404;http://www.mysite.com/..." the query strings (which represent the page that was requested when the error page was served instead) began instead with IP addresses that don't belong to me and are not my site.

QUESTION #1: How does a request get sent to my server when it has a path that starts out with a domain or IP address that is not that of my web site? I.e. "404;http://www.notmysite.com/..."?

Now, some of the domain names that appear in these errors are domains of sites that might be linking to us, so perhaps there is some kind of frame-and-link problem. But the ones with numeric IP addresses I have no idea about. So, curious, I checked them out. They belong mostly to ISPs; some result in a "connection refused"...

But the really weird thing was when I surfed to one of the IPs, 64.096.45.213, (snip if you must) I saw MY web site, even though that's not the site's address. (It is off by one number).

QUESTION #2: How exactly does that IP redirect to my site, and why would these errors from that address show up in my logs? My ISP said it could be an incorrect "PTR record" -- the reverse of an "A record" -- but I'm not much of an expert on those sorts of things.

I'd appreciate any help or advice. I think it might be similar to the problem discussed here. [webmasterworld.com]

iamjoe

4:26 pm on Jan 5, 2003 (gmt 0)



You probably have multiple IPs bound to that server. The website you see coming up for the IP is actually the web server's default website. So if you had 50 IPs bound to the machine, all of them would show that site unless you said otherwise.

bcc1234

4:43 pm on Jan 5, 2003 (gmt 0)



get a telnet client and do the following:
- open it for yourip 80
- once connected, type:
GET /dfsdfs HTTP/1.1
HOST: anotherip
<cr><cr>

- check your logs
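The two replies above describe the same mechanism from both sides: the Host header is whatever the client types, and a request whose Host names a bound IP with no site of its own lands on the default website, which then logs it. The script below is an added example, not code from the thread; it reproduces the telnet test from a script and shows how a name/IP-based site table falls through to the default site. The binding table, the site names and the second site are constructed for the example, and the querystring shape follows the "404;http://..." form quoted in the original post.

```python
import socket

# Constructed binding table (not from the thread): the hostnames the
# server has been told to answer as named sites.  Anything that does not
# match falls through to the default website, which is what iamjoe
# describes for IPs that are bound to the box but assigned to no site.
BINDINGS = {
    "www.mysite.com": "mysite",
    "mail.othersite.example": "webmail",   # hypothetical second site
}
DEFAULT_SITE = "mysite"


def select_site(host_header, bindings=BINDINGS, default=DEFAULT_SITE):
    """Choose the site for a request the way name/IP-based virtual
    hosting does: exact match on the Host value, otherwise the default."""
    host = host_header.split(":", 1)[0].strip().lower()   # drop any :port
    return bindings.get(host, default)


def build_request(path, host):
    """Raw HTTP/1.1 request bytes; the Host field is whatever the client
    chooses to send and need not be any name or IP of the server."""
    return (f"GET {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Connection: close\r\n"
            "\r\n").encode()


def custom_error_query(status, host, path):
    """Querystring in the form the original post quotes for the IIS custom
    error page ('404;http://...'), built from the Host value as received."""
    return f"{status};http://{host}{path}"


def send_raw(server_ip, path, host, port=80, timeout=5):
    """Same exchange as the telnet session above, from a script.  Needs a
    reachable server, so it is not exercised offline.  Returns the status
    line of the reply."""
    with socket.create_connection((server_ip, port), timeout=timeout) as s:
        s.sendall(build_request(path, host))
        reply = s.recv(4096).decode(errors="replace")
    return reply.split("\r\n", 1)[0]


if __name__ == "__main__":
    # A Host naming an IP that is bound to the box but not to a site of
    # its own: served by, and logged by, the default website.
    host = "64.78.45.213"
    print(select_site(host))                          # mysite
    print(custom_error_query(404, host, "/dfsdfs"))   # 404;http://64.78.45.213/dfsdfs
    print(build_request("/dfsdfs", host).decode())
```

The practical point for anyone reading such logs: the Host value is client-supplied input. A scanner can put any domain or IP there, so a log line or custom-error querystring that starts with a stranger's address says nothing about where the request came from, and anything that builds links or redirects from the Host header is building them from an attacker-chosen string.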

nonprof webguy

8:05 pm on Jan 7, 2003 (gmt 0)



Well, it turns out to be a bit of an IP mystery. Note the leading zero in the second number of the IP address. "096" gets 'translated' to 78 by web browsers, but apparently not by FTP or telnet clients. The latter simply chop off any leading zeros, which leads me to believe that the problem is inherent in the way IP numbers are parsed, and that these clients are taking that into account, but web browsers are not.

I suspect the reason 64.096.45.213 is interpreted by a web browser as 64.78.45.213 has something to do with the fact that each of the four numbers in an IP address are 8-bit bytes. But I don't know enough about the math to understand why "096" is treated as though it were "78." The bits for 78 would be "01001110" and I guess that "096" gets turned into the same binary number rather than "01100000" which is the binary form of "96." Any math whizzes out there who can help?

Key_Master

8:17 pm on Jan 7, 2003 (gmt 0)



When I visit 64.096.45.213 (via IE6) I get a Web Mail login page. I don't get 64.78.45.213

nonprof webguy

8:43 pm on Jan 7, 2003 (gmt 0)



Thanks for checking, Key_Master -- you're seeing the same thing as 64.96.45.213; my copy of IE6, however, shows the same thing as 64.78.45.213. In fact, it shows that no matter which browser (NN4 thru 7, Opera, Lynx 2.8.3) I try.

I figured out that the "096" is being interpreted as a decimal number, which creates the same 8-bit string as "78." i.e. if you convert the three decimal numbers, 0, 9, and 6 to binary, then concatenate the resulting 8 bits:

78 = 01001110
0 = 0
9 = 1001
6 = 110

This is probably a pretty rare phenomenon, since not all numbers can be "faked" in this way. But it makes me wonder, why would an auto-hacking program be doing this?
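The "096" that some clients turn into 78 and others into 96 (in this post and in nonprof webguy's earlier one) comes down to how a dotted-quad field with a leading zero is read. A leading zero conventionally marks an octal field, and 0*64 + 9*8 + 6 = 78: that is what a base-8 reading gives when the parser accumulates digits without rejecting the digit 9. A strict octal parser in the style of the classic inet_aton refuses "096" outright, and a strict decimal parser refuses the leading zero. The code below is an added example, not from the thread or from any browser; its three field parsers are my own reconstructions of those three behaviours, and the sample addresses are the ones discussed above plus a couple of constructed ones.

```python
def _field_strict_decimal(f):
    """Decimal digits only, no leading zeros except a lone '0', 0..255."""
    if not f.isdigit() or (len(f) > 1 and f[0] == "0"):
        return None
    v = int(f)
    return v if v <= 255 else None


def _field_inet_aton(f):
    """Classic BSD inet_aton rules: '0x' prefix is hex, a leading zero is
    octal (digits 0-7 only, so '096' is an error), otherwise decimal."""
    try:
        if f.lower().startswith("0x"):
            v = int(f[2:], 16)
        elif len(f) > 1 and f[0] == "0":
            v = int(f, 8)            # ValueError on an '8' or '9'
        else:
            v = int(f, 10)
    except ValueError:
        return None
    return v if 0 <= v <= 255 else None


def _field_octal_lenient(f):
    """Leading zero selects base 8, but digits are accumulated without a
    range check, so '096' becomes 0*64 + 9*8 + 6 = 78.  This reproduces
    the 64.78.45.213 result reported in the thread."""
    if not f.isdigit():
        return None
    base = 8 if (len(f) > 1 and f[0] == "0") else 10
    v = 0
    for ch in f:
        v = v * base + (ord(ch) - ord("0"))
    return v if v <= 255 else None


FIELD_PARSERS = {
    "strict_decimal": _field_strict_decimal,
    "inet_aton": _field_inet_aton,
    "octal_lenient": _field_octal_lenient,
}


def parse_ipv4(text, flavor):
    """Parse a four-field dotted quad with the named field parser.
    Returns the canonical decimal form, or None if that parser rejects it."""
    parts = text.split(".")
    if len(parts) != 4:
        return None
    vals = [FIELD_PARSERS[flavor](p) for p in parts]
    if any(v is None for v in vals):
        return None
    return ".".join(str(v) for v in vals)


def interpretations(text):
    """How each parser flavour reads the same string."""
    return {name: parse_ipv4(text, name) for name in FIELD_PARSERS}


if __name__ == "__main__":
    for addr in ("64.096.45.213",      # the address from the thread
                 "064.096.045.213",    # Key_Master's variant
                 "64.0140.45.213",     # constructed: 0140 octal is 96
                 "0x40.96.45.213"):    # constructed: hex first field
        print(addr, interpretations(addr))
```

The point a practitioner should take from this is that the same string is three different addresses, or no address at all, depending on who parses it. A filter that validates an address with one parser and then hands the original string to a library or a browser that uses another is checking something other than what gets connected to; the safe approach is to canonicalize once, with a parser that rejects leading zeros and hex, and to use only the canonical form afterwards. Python's own ipaddress module, from 3.9.5 on, refuses leading zeros in an IPv4 field for exactly this reason.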

Key_Master

9:37 pm on Jan 7, 2003 (gmt 0)



When I visit 64.096.45.213 the server seems to be recognizing the entire address (as reflected in the code snippet below). I even tried 064.096.045.213 and it still worked. Odd that you can't see it on your end.

<tr><td>Email name:</td><td><input type="text" name="userlogin" size="25" value="" tabindex="1" onKeyPress="checkEnterIE(event)"> @64.096.45.213 </td></tr>

Maybe the following info will be some help.

64.96.45.213 = hepple4homes.com.criticalpath.net
64.68.32.201 = hepple4homes.com