
using my IP!

10:00 pm on Nov 25, 2016 (gmt 0)
Junior Member

I've run websites for several years on Apache, and I review the logs to see what's going on. One thing that has started to happen (maybe a dozen times a week) is that I see accesses to my websites in my logs, coming from my IP, but they were accesses that I didn't make (nor anyone on my network using my IP). Someone is hitting my site with my IP number! I think I've heard of this. There is a name for it. Spoofing? But my questions are (1) how does someone do this? (2) is there a purpose in doing it, besides just telling the site manager that they know how to do it? There is no real mischief going on yet. It's just weird. Do I have any recourse with regard to it? Are there common strategies for dealing with it? Is it possible to get more detail about who is doing it? Or do I just hold my nose and ignore it?

10:12 pm on Nov 25, 2016 (gmt 0)
Junior Member from GB

Hi Dan,

First of all I would make sure there isn't something you're missing, before being too sure that it's spoofing. That seems very unlikely under these particular circumstances. Much more likely is some automated process that has been overlooked, or similar. What kind of sessions are you seeing from these visits? Are pages and all supporting resources being downloaded (images etc) or just pages being visited without the resources they include? Is it a single page access, the same page each time? Or are a number of pages being visited each time? I suggest extracting all the entries from the logs and seeing if they give a clearer picture of what is going on.

10:23 pm on Nov 25, 2016 (gmt 0)
Junior Member

It's just looking at a few of my pages that I advertise to my community as entry points to my website, and a few random pages from deeper in. Would look like perfectly normal accesses from my community, if it weren't coming from, er, me. I certainly have no such automated process that is driving this. I guess what is slightly perturbing about this is that if this spoofer wanted to do mischief, there is no way I could deny access without denying myself as well.

6:47 pm on Nov 26, 2016 (gmt 0)
lucy24, Senior Member from US

Lots of things can be spoofed/forged--UA and referer are obviously the most popular--but an IP isn't one of them. Think of it as the Final Frontier, the one thing you can rely on. So this requires more investigation. For example: If you put in a line
Deny from 11.22.33.44 (that is, your exact IP)
and leave it a few days, what happens? Are your own visits now blocked, and what happens to the illicit visits in logs? Do they disappear altogether, or merely change from 200 to 403?

Reiterating Sheffield's question: Do the log entries reflect apparent human visits, with the usual supporting files, analytics (if any), human headers (if you log them) and so on? Come to think of it, what UA is associated with the suspect requests? Do they come in at particular times of day?

Who is responsible for logging? That is, who has access to the config file-- you, a shared host, or something else again?
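The investigation Sheffield and lucy24 describe above (pull every log entry for the IP, then ask whether pages or only supporting files were fetched, which user agents and referers appear, what hours they arrive, and whether a Deny line turned 200s into 403s) can be done in one pass over an Apache combined-format access log. This is an added example, not code from the thread; the log lines are constructed and the IP 11.22.33.44 is lucy24's placeholder.

```python
import re
from collections import Counter

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log (not from the thread); referer/UA values are made up.
SAMPLE_LOG = """\
11.22.33.44 - - [25/Nov/2016:21:55:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "https://t.co/abc123" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:48.0) Gecko/20100101 Firefox/48.0"
11.22.33.44 - - [25/Nov/2016:21:55:02 +0000] "GET /style.css HTTP/1.1" 200 800 "http://example.com/index.html" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:48.0) Gecko/20100101 Firefox/48.0"
11.22.33.44 - - [26/Nov/2016:09:10:11 +0000] "GET /deep/page.html HTTP/1.1" 403 199 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:48.0) Gecko/20100101 Firefox/48.0"
11.22.33.44 - - [26/Nov/2016:20:01:00 +0000] "GET /admin/edit.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/50.0"
99.99.99.99 - - [26/Nov/2016:20:02:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Googlebot/2.1"
"""

# Supporting-file extensions: a real browser visit fetches these alongside the page.
ASSET_EXT = (".css", ".js", ".png", ".jpg", ".jpeg", ".gif", ".ico", ".svg", ".woff")

def parse_log(text):
    """Yield one dict per line that matches the combined format; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def profile_ip(text, ip):
    """Summarise every request from `ip` along the axes asked about in the thread."""
    hits = [h for h in parse_log(text) if h["ip"] == ip]
    is_asset = lambda h: h["path"].lower().endswith(ASSET_EXT)
    return {
        "total": len(hits),
        "pages": sum(1 for h in hits if not is_asset(h)),
        "assets": sum(1 for h in hits if is_asset(h)),
        "status": Counter(h["status"] for h in hits),        # 200 vs 403 after "Deny from"
        "user_agents": Counter(h["ua"] for h in hits),       # several UAs = several machines?
        "referers": Counter(h["referer"] for h in hits),     # unexpected referers stand out
        "hours": Counter(h["time"].split(":")[1] for h in hits),  # HH of dd/Mon/yyyy:HH:MM:SS
    }

if __name__ == "__main__":
    for key, val in profile_ip(SAMPLE_LOG, "11.22.33.44").items():
        print(f"{key}: {val}")
```

Run it against the real access log by replacing SAMPLE_LOG with the file contents; a profile with two distinct user agents or a referer you never set up is exactly the clue the original poster later found.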

8:44 pm on Nov 26, 2016 (gmt 0)
Junior Member

Thank you. I'm continuing some detective work. One important thing is that the user agent on these mysterious requests is different from that on my home machine that I use for most of my browsing, on my home IP that is the one being spoofed/forged. So that machine appears secure. One puzzle is that the mysterious request user agent is identical to that on two other home machines that I have, that I rarely use, and no one else does. I have changed the user agent on those other machines slightly, so they are more recognizable. I will see when the next forge/spoof comes in if it is actually coming from them on my own network (at least on the only browser I ever use on those machines). If so, that would suggest that some malware has taken over one of them. I'll try that before denying my own IP. These requests happen only once or twice a day, so I have no idea when the next one will come in.

There are several flavors of requests. One includes a Twitter referer URL that points to one of my pages. Um, I don't even have a Twitter account. I didn't even know about that Twitter URL until I saw it here.

I have access to EVERYTHING. Logs, .htaccess, config files on the remote server. No one else even has an account on that machine. That machine is pretty much a dedicated server, on an entirely different IP, at the office. The IP that is being spoofed/forged is my home IP, where I do most of my server supervision.

8:50 pm on Nov 26, 2016 (gmt 0)
Junior Member

I should add ... I did quickly try the test that Lucy24 suggested. I denied my home IP (which is the one being spoofed/forged), and I am then solidly 403'd whenever I try to access the site from my home IP. That works like it should.

8:53 pm on Nov 26, 2016 (gmt 0)
not2easy, Administrator from US

Are you updating pages, content or css on your desktop and viewing the changes before uploading? You need to check each line in your logs that show your IP to see what files are being requested and see if those files might be included as part of a page you've viewed on your computer for editing. If you are using complete URLs (rather than relative URLs) for images and css those files would come from your website, not your computer.

If the logs show your IP requesting supporting files (.png, .jpg, .css for example) but not the page itself, that could be normal during editing - more so if it is WordPress because that's you on your IP editing it.

9:00 pm on Nov 26, 2016 (gmt 0)
Junior Member

Whoa, whoa, whoa! Just before I did that latter test on one of the other machines, I got a spoofed/forged request with my modified user agent. It's that machine! That request has the funny Twitter referer. I NEVER MADE THAT REQUEST. That machine is doing it all by itself. That action seems to be prompted by activity I'm doing on that machine.

OK, that machine is a MacBook 4.1 running 10.6.8 and Firefox 48.0.2. How in the world do I chase down an application like that which seems to have developed a mind of its own? This was a machine I inherited a number of years ago. The installed extensions and plugins appear to be from reputable sources. But it is making requests on my website that I never commanded, in one case using a referer I never even knew about.

I guess I need to at least clean out Firefox on that machine and reinstall. Hope it isn't something more OS-specific.

I guess I am relieved that someone isn't spoofing or forging my IP, except that maybe they're doing it through one of my own machines.

9:07 pm on Nov 26, 2016 (gmt 0)
keyplyr, Senior Member from US

If you have that machine or its browser set to sync, it may be hitting the last page it was on. You could re-set the sync settings, turn that machine off or just ignore it.

9:30 pm on Nov 26, 2016 (gmt 0)
Junior Member

What does "re-set the sync settings" mean? But yes, I will try rebooting.

9:35 pm on Nov 26, 2016 (gmt 0)
tangor, Senior Member from US

Try disabling third-party cookies and JS ... FF has a tendency to "help" too much. Also remove any plug-ins or add-on extensions. Disable network.prefetch in about:config.

9:58 pm on Nov 26, 2016 (gmt 0)
keyplyr, Senior Member from US

What does "re-set the sync settings" mean?
Both Windows & Mac will sync (if you allow it) to online files or resources (example: iTunes.) Sometimes this is the last page your browser visited.

10:17 pm on Nov 26, 2016 (gmt 0)
Junior Member

Ah yes. No, I haven't set up my browser to do that. But I did at least delete the cache. Rebooting doesn't do that. I have never been aware that a browser could do this kind of crap before. It can't be malware being controlled from outside, because I have pretty strong firewalls. But that Firefox does seem to have a mind of its own. I have no third party cookies, and my applications and plug-ins are all from reputable sources (Cisco, Apache, Google, etc.)

6:32 pm on Nov 27, 2016 (gmt 0)
lucy24, Senior Member from US

Oh, wait, wait. Does your browser have a default new window that shows thumbnails of your most recently visited pages? (Firefox occasionally pulls this on me, although not very often because I've set everything possible to Blank Page.) A reasonable person would assume those are taken from the browser's cache, but in fact they tend to be fresh requests made every time the screen is displayed. So they'll show up in logs exactly like a human visit.

7:04 pm on Nov 27, 2016 (gmt 0)
Junior Member

When I do a "New Tab" on my Firefox, it indeed comes up with thumbnails of recently visited pages. I should say that I deleted the cache, and these odd requests stopped. Then I looked at a page on my site with this machine and, a few hours later, that page was polled from my site. So it's grabbing stuff in my cache and reloading it. But I hardly ever do "New Tab", so that isn't what is driving it. Oddly, it's just from this particular machine, running Firefox 48. The machine I use for more routine and regular browsing isn't doing this. So it's something funny about the way Firefox is set up on this one machine.

My apologies, as this evidently isn't an Apache or even a webserver issue. But the information given to me here has been very useful, especially that IPs are not easily spoofed.