Re: Odd login attempts noted in logs.

From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 11/22/02


From: "Karl Levinson [x y] mvp" <levinson_k@excite.com>
Date: Thu, 21 Nov 2002 20:57:32 -0500


"Bret" <bretj@cfl.rr.com> wrote in message
news:9f14ce0d.0211211601.73c0f206@posting.google.com...

> Thanks for the quick response bud!
> Seeing the IP addresses would not be an issue if the web site in
> question was not reverse-proxied. (My sniffer of choice is "ethereal"
> btw.) Ideally, I would compare the proxy logs with my own in order to
> determine the originating address. Unfortunately, I cannot get those
> proxy logs (easily). I manage quite a few web sites and see the
> typical "anonymous", "admin", "guest", etc., attempts to hit my sites
> quite a bit. Those are not an issue or concern. I am trying to
> determine what the odd-ball logon attempts are for no more reason than
> to understand what's going on. Why the heck would someone be trying to
> log on to my website 2-3 times as "www.sundancerpontoons.com" or a
> couple times as "www.riverdancerealty" (note the addition or absence
> of ".com"). They are obviously not a brute force attempt at my system.
> I am also not seeing this on any of my other publicly accessible
> systems. Weird.

Yeah, I have no idea why that would happen, but you're right, someone must
be confused and you'll never know why. Confusing email addresses and URLs
is a common newbie mistake, so I'm guessing this is maybe someone who isn't
very computer literate.

You're right, I didn't consider the proxy... if your proxy server is NATting
the IP addresses so that you can't tell the origin, then I don't think
there's any other way to get the IP address besides getting the proxy server
logs or being able to sniff the traffic on the other side of the proxy
server. This could probably be done safely if you're careful, though you
might get some objection from whoever manages the proxy server or your
security administrators.
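
Added example, not part of the original posts: a sketch of the log comparison discussed above, matching failed logons that the web server attributes to the proxy against proxy-side requests for the same URI within a short time window. Both log formats, the addresses, the `/members/` path and the two-second window are constructed assumptions, and the approach assumes the two machines' clocks are roughly in sync.

```python
from datetime import datetime, timedelta

# Constructed sample data; both line formats are assumptions, not from the post.
PROXY_IP = "10.0.0.5"  # address the web server sees for every proxied request
BACKEND_LOG = """\
2002-11-21T20:41:07 10.0.0.5 LOGON_FAIL user=www.sundancerpontoons.com uri=/members/
2002-11-21T20:41:09 10.0.0.5 LOGON_FAIL user=www.sundancerpontoons.com uri=/members/
2002-11-21T20:55:30 10.0.0.5 LOGON_FAIL user=admin uri=/members/
"""
PROXY_LOG = """\
2002-11-21T20:41:06 198.51.100.23 GET /members/ 401
2002-11-21T20:41:08 198.51.100.23 GET /members/ 401
2002-11-21T20:41:08 203.0.113.9 GET /index.html 200
2002-11-21T20:55:29 192.0.2.77 GET /members/ 401
2002-11-21T20:55:30 203.0.113.9 GET /members/ 401
"""

def parse_backend(text):
    """Yield (time, logon name, uri) for failed logons that arrived via the proxy."""
    for line in text.splitlines():
        ts, ip, event, user, uri = line.split()
        if event == "LOGON_FAIL" and ip == PROXY_IP:
            yield datetime.fromisoformat(ts), user.split("=", 1)[1], uri.split("=", 1)[1]

def parse_proxy(text):
    """Yield (time, real client address, uri, status) from the proxy's log."""
    for line in text.splitlines():
        ts, client, _method, uri, status = line.split()
        yield datetime.fromisoformat(ts), client, uri, int(status)

def correlate(backend_text, proxy_text, window_s=2):
    """Map each logon name to the proxy-side client addresses that requested
    the same URI and received a 401 within window_s seconds of the failure."""
    window = timedelta(seconds=window_s)
    proxy = list(parse_proxy(proxy_text))
    result = {}
    for b_ts, user, b_uri in parse_backend(backend_text):
        hits = {client for p_ts, client, p_uri, status in proxy
                if p_uri == b_uri and status == 401 and abs(p_ts - b_ts) <= window}
        result.setdefault(user, set()).update(hits)
    return result

if __name__ == "__main__":
    for user, ips in correlate(BACKEND_LOG, PROXY_LOG).items():
        print(user, sorted(ips))
```

A logon name that maps to more than one address, as `admin` does in the sample, means the time window alone cannot tell the clients apart.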


