I was checking my logs, and I see this IP visiting my site for the 12th time today: 10.4.1.52. I did a whois check, and this is what I see. Any idea of what this is?
10.x.x.x is a non-routable class A. So if you are seeing hits from that IP, it's coming from inside the network the server is on. Look at the time-frame of the requests; does it seem to be on a schedule (hourly, for example)? It could be internal probes where your server is located to monitor which servers are up/down.

Non-routable address blocks are as follows:
10.0.0.0 through 10.255.255.255
172.16.0.0 through 172.31.255.255
192.168.0.0 through 192.168.255.255

If you are *really* bored, you can read the RFC on it: http://www.ietf.org/rfc/rfc1918.txt
Maybe one of your internal computers is infected with a scanner virus, because most of the time computers don't do such scans unless they are infected by something.
If you see this as a part of the referrer URL, this is just somebody behind a firewall clicking on their stats, or something along these lines. If it's actually a hit from this address, it is either someone from your local network making a request or somebody spoofing an IP address (often some services can be accessed when the address is local, and hackers try to use this to their advantage). Look at the usage pattern - if it's just usual browsing, most likely it's someone on your local network (it could be someone from the IDC, etc.). J.D.
Oh, well, I guess it isn't important. It just freaked me out when I saw that weird organization's name; it sounded like someone was investigating me, lol.
See what your IP looks like. On a Windows machine type ipconfig; on a Unix machine type /sbin/ifconfig. If your address is similar to this one (e.g. only the last quad is different, etc.), then it's probably someone on the same subnet looking at your site. Next time you see this, look at the kind of requests they are making. This should give you a clue about what they are up to. J.D.
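The two checks suggested above (is the visitor in an RFC 1918 block, and is it on the same subnet as the server's own ipconfig/ifconfig address?) plus the "look at the time-frame of the requests" advice can be scripted against the web server's access log. The following is an added example, not code from anyone in this thread. It works on Common Log Format lines; the sample lines, the server address 10.4.1.20/24 and the 5% interval-variation threshold for calling a visitor "scheduled" are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# RFC 1918 private blocks, the same three ranges listed earlier in the thread.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample access-log lines (Common Log Format); addresses and times are made up.
SAMPLE_LOG = """\
10.4.1.52 - - [12/Mar/2024:00:05:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2024:00:07:44 +0000] "GET /about.html HTTP/1.1" 200 2048
10.4.1.52 - - [12/Mar/2024:01:05:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.4.1.52 - - [12/Mar/2024:02:05:00 +0000] "GET /index.html HTTP/1.1" 200 512
10.4.1.52 - - [12/Mar/2024:03:05:01 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.9 - - [12/Mar/2024:03:20:10 +0000] "GET /login HTTP/1.1" 401 128
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')


def parse_line(line):
    """Return (client_ip, timestamp, request) for one CLF line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, req = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), req


def classify(client_ip, server_iface):
    """Where does the client sit relative to this server?

    server_iface is the server's own address with prefix length, e.g. '10.4.1.20/24'
    (the address and netmask that ipconfig/ifconfig report).
    """
    addr = ipaddress.ip_address(client_ip)
    if addr in ipaddress.ip_interface(server_iface).network:
        return "same-subnet"
    if any(addr in net for net in RFC1918):
        return "rfc1918"
    return "public"


def interval_stats(timestamps):
    """Mean gap in seconds between consecutive hits, and whether they look scheduled.

    'Scheduled' here means at least three hits whose gaps vary by under 5%
    (an assumed threshold, not a standard value).
    """
    ts = sorted(timestamps)
    if len(ts) < 3:
        return None, False
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg else float("inf")
    return avg, cv < 0.05


def analyze(log_text, server_iface):
    """Group hits by client and report origin class, hit count, mean interval,
    schedule flag and the distinct requests made (what the visitor is 'up to')."""
    hits = defaultdict(list)
    requests = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ip, ts, req = parsed
            hits[ip].append(ts)
            requests[ip].add(req)
    report = {}
    for ip, stamps in hits.items():
        avg, scheduled = interval_stats(stamps)
        report[ip] = {
            "origin": classify(ip, server_iface),
            "hits": len(stamps),
            "mean_interval_s": avg,
            "scheduled": scheduled,
            "requests": sorted(requests[ip]),
        }
    return report


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG, "10.4.1.20/24").items():
        print(ip, info)
```

With the constructed log, 10.4.1.52 comes out as "same-subnet", hitting the same page once an hour to within a couple of seconds, which is the monitoring-probe pattern described earlier in the thread rather than a person browsing. Replace SAMPLE_LOG with the real access log and the server address with what ifconfig shows to run it on real data.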
I often see rfc1918 addresses hitting my firewall - where they get dropped. I often mean to try and find out how this IP spoofing works - somewhere in the packet must be the real IP address or there'd be no route back. I mean, my server has no route to any RFC1918 addresses so what's the point.
Here's one of the ways an IP address can be spoofed (there are other ways). A bit of background first: when two hosts are communicating over TCP/IP, each packet is accompanied by a sequence number that ensures proper data exchange (i.e. no packets are lost, packets are assembled in the proper order, etc.). The initial TCP spec described sequence numbers used for each new connection as something that was easy to predict. For example, if you established a connection with a server and got a sequence number X, you could predict with a high probability that the next sequence number would be f(X).

Back to the spoofing:
* The attacker connects to the victim's server and gets a sequence number X
* The attacker makes sure that the spoofed host is down (waiting, or shutting it down through something like a DoS attack)
* The attacker creates a raw TCP packet with the source address of the spoofed host and sends it to the server (no sequence number here yet)
* The server responds, sending a packet to the spoofed machine, accompanying the response packet with a sequence number Y
* The attacker waits for a reasonable time and blindly sends another packet with a sequence number based on the predicted number Y = f(X)
* The attacker keeps sending packets blindly, incrementing the predicted sequence number and never getting any response. For example, if you spoof a telnet session, you don't need responses - you can just blindly execute a few commands to initiate a valid server-initiated session with the attacker's machine

Modern OSes generate sequence numbers randomly, minimizing the chances of spoofing. However, firewalls need to be configured properly to drop packets with spoofed private-range IPs. J.D.