Re: Odd login attempts noted in logs.

From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 11/22/02


From: "Karl Levinson [x y] mvp" <levinson_k@excite.com>
Date: Thu, 21 Nov 2002 20:57:32 -0500


"Bret" <bretj@cfl.rr.com> wrote in message
news:9f14ce0d.0211211601.73c0f206@posting.google.com...

> Thanks for the quick response bud!
> Seeing the IP addresses would not be an issue if the web site in
> question was not reverse-proxied. (My sniffer of choice is "ethereal"
> btw.) Ideally, I would compare the proxy logs with my own in order to
> determine the originating address. Unfortunately, I cannot get those
> proxy logs (easily). I manage quite a few web sites and see the
> typical "anonymous", "admin", "guest", etc., attempts to hit my sites
> quite a bit. Those are not an issue or concern. I am trying to
> determine what the odd-ball logon attempts are for no more reason than
> to understand what's going on. Why the heck would someone be trying to
> log on to my website 2-3 times as "www.sundancerpontoons.com" or a
> couple times as "www.riverdancerealty" (note the addition or absence
> of ".com")? They are obviously not a brute-force attempt at my system.
> I am also not seeing this on any of my other publicly accessible
> systems. Weird.

Yeah, I have no idea why that would happen, but you're right, someone must
be confused and you'll never know why. Confusing email addresses and URLs
is a common newbie mistake, so I'm guessing this is maybe someone who isn't
very computer literate.

You're right, I didn't consider the proxy... if your proxy server is NATting
the IP addresses so that you can't tell the origin, then I don't think
there's any other way to get the IP address besides getting the proxy server
logs or being able to sniff the traffic on the other side of the proxy
server. This could probably be done safely if you're careful, though you
might get some objection from whoever manages the proxy server or your
security administrators.