[squid-users] Strange source-IP-addresses in access.log

From: Boosten, Peter <Peter.Boosten@dont-contact.us>
Date: Thu, 28 Mar 2002 12:07:06 +0100

# # -----Original Message-----
# # From: Henrik Nordstrom [mailto:hno@marasystems.com]
# #
# # More likely the site is making HTTP calls back to your proxy for some
# # reason.
# #
# # A tcpdump should tell in more detail what is going on there..
# #
# # Squid gets the client IP address from the TCP/IP connection it
# # accepted.
#
# We just upgraded to 2.4STABLE2 (with all patches) and the
# problem resolved.
#
# I still suspect that 2.2STABLE4 had some bug in it.
#

I seem to have been a bit premature: The problem even got worse.
Now we've got, instead of one strange IP-address, several strange (mostly
random) IP-addresses in our logfiles. Only one IP-address shows some
resemblance with the IP-address we've discovered earlier (it used to be
132.120.4.8, now it is 96.120.4.8).

The other IP-addresses are mostly non-existing IP-addresses (those
starting/ending with zero):

Now this quote:
# # More likely the site is making HTTP calls back to your proxy for some
# # reason.

isn't valid anymore (it wasn't to begin with), because none of the
IP-addresses (as well as the original trouble-IP-address) host webservers.

How about other people start checking the IP-addresses in their logs?

Peter

Received on Thu Mar 28 2002 - 04:07:15 MST
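
One way to run the check the post asks for, as an added example that is not part of the original message or of Squid itself: it reads the client field (third column) of Squid's native access.log format and flags addresses that start or end with zero or fall outside the networks clients are expected to come from. EXPECTED_NETS and the sample log lines are constructed assumptions; the flagged addresses in the sample are ones quoted in the post.

```python
import ipaddress
from collections import Counter

# Assumption: clients should only connect from these networks (hypothetical).
EXPECTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample lines in Squid's native access.log format:
# time elapsed client action/code size method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1017313626.101    245 10.1.2.3 TCP_MISS/200 4512 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1017313627.250     12 0.168.192.8 TCP_MISS/200 310 GET http://www.example.com/a.gif - DIRECT/192.0.2.10 image/gif
1017313628.004     80 96.120.4.8 TCP_HIT/200 1200 GET http://www.example.com/b.gif - NONE/- image/gif
1017313629.310     33 144.119.225.0 TCP_MISS/304 220 GET http://www.example.com/ - DIRECT/192.0.2.10 -
1017313630.000      5 not-an-ip TCP_DENIED/403 900 GET http://www.example.com/ - NONE/- text/html
"""

def classify(client):
    """Return a reason string if the client field looks wrong, else None."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return "unparseable"
    if addr.version == 4:
        octets = addr.packed
        if octets[0] == 0:
            return "first octet is zero (0.0.0.0/8)"
        if octets[3] == 0:
            # Heuristic from the post; can be a valid host in subnets wider than /24.
            return "last octet is zero"
    if not any(addr in net for net in EXPECTED_NETS):
        return "outside expected client networks"
    return None

def scan(lines):
    """Map each suspicious client address to (reason, hit count)."""
    reasons, hits = {}, Counter()
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # blank or truncated line
        client = fields[2]
        reason = classify(client)
        if reason:
            reasons[client] = reason
            hits[client] += 1
    return {c: (reasons[c], hits[c]) for c in reasons}

if __name__ == "__main__":
    for client, (reason, count) in sorted(scan(SAMPLE_LOG.splitlines()).items()):
        print(f"{client:15} {count:5}  {reason}")
```

To scan a real log, pass an open file object to scan() in place of the sample lines.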
