This looks to me like a badly configured HTTP server farm. You're probably hitting a web site that passes the request back to a set of servers using RFC1918 addresses. These servers should in theory either proxy their results back through the same path, or be NAT'd back to the source IP that you were attempting to connect to.

I've seen this pretty frequently with a few web hosting companies. Fortunately the connection attempt keeps retransmitting and I eventually get through to a server that responds from the correct source IP. Every time I've noticed this I've e-mailed the provider and have never gotten a response. I don't recall the name of the site, but it was reasonably high-profile. I wonder if it's the same provider you're hitting.

Does this sound consistent?

David

-----Original Message-----
From: West P. [mailto:god-adminat_private]
Sent: Sunday, August 26, 2001 21:21
To: incidentsat_private
Subject: Weird Incoming IP's and port numbers.

DATE        TIME      SCR           SCR_PORT  DEST             DEST_PORT
08/25/2001  13:24:52  192.168.1.8   80        <my ip address>  3976
08/25/2001  19:04:42  192.168.1.16  80        <my ip address>  4319
08/25/2001  23:25:38  192.168.1.9   80        <my ip address>  4450

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
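An added example, not part of the original thread: one way to test the explanation above is to check whether each inbound packet from an RFC1918 source on port 80 lands on a local port that recently opened an outbound HTTP connection. The addresses 203.0.113.7 and 198.51.100.20, the outbound log and its format, the verdict names and the 60-second window are all assumptions made for the illustration.

```python
import ipaddress
from datetime import datetime, timedelta
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Inbound log in the thread's column layout. 203.0.113.7 stands in for
# "<my ip address>"; the last two rows are constructed.
INBOUND = """\
DATE TIME SCR SCR_PORT DEST DEST_PORT
08/25/2001 13:24:52 192.168.1.8 80 203.0.113.7 3976
08/25/2001 19:04:42 192.168.1.16 80 203.0.113.7 4319
08/25/2001 23:25:38 192.168.1.9 80 203.0.113.7 4450
08/25/2001 23:40:02 198.51.100.20 80 203.0.113.7 4460
08/25/2001 23:41:10 10.1.2.3 3345 203.0.113.7 139
"""
# Constructed outbound log, assumed format: date time lport rip rport
OUTBOUND = """\
08/25/2001 13:24:50 3976 198.51.100.20 80
08/25/2001 19:04:41 4319 198.51.100.20 80
"""

def parse_ts(date, time):
    return datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S")

def outbound_http(text):
    """Map local port -> [(time, remote ip)] for outbound connects to port 80."""
    index = {}
    for line in text.splitlines():
        date, time, lport, rip, rport = line.split()
        if rport == "80":
            index.setdefault(int(lport), []).append((parse_ts(date, time), rip))
    return index

def classify(inbound, outbound, window=timedelta(seconds=60)):
    """Return (src, dest_port, verdict, intended_peer) per inbound row."""
    index, results = outbound_http(outbound), []
    for line in inbound.splitlines()[1:]:  # skip the header row
        date, time, src, sport, _dst, dport = line.split()
        ts, peers = parse_ts(date, time), []
        if not any(ipaddress.ip_address(src) in net for net in RFC1918):
            verdict = "public-source"
        elif sport != "80":
            verdict = "private-source-other"
        else:
            # Reply from port 80 to a port we recently connected out from?
            peers = [rip for when, rip in index.get(int(dport), [])
                     if timedelta(0) <= ts - when <= window]
            verdict = "unnatted-reply" if peers else "private-http-unmatched"
        results.append((src, int(dport), verdict, peers[0] if peers else None))
    return results
```

Rows marked `unnatted-reply` fit the misconfigured-farm explanation and name the site to contact; `private-http-unmatched` and `private-source-other` rows have no matching outbound connection and deserve a closer look.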