
There is a username (USERX). It's a suspended user. It is appearing in my user login files. It always appears in the middle of someone else's attempt (USERA) to reset their password, and WITH USERA's IP.

There is no code anywhere with the phrase of USERX's user name. USERA always reports they didn't see anything on their screen having to do with USERX.

So is this USERX some hacker spoofing their IP? If so, would they know the IP address to spoof? Are they listening in somewhere? Or is there some other explanation for this odd user name showing up? How do I test for this kind of thing?

My log files will look like this: (filtering just this IP)

03/29/2015 01:21 PM user log opening    USERA_IP_ADDRESS                /getpassword.php
03/29/2015 11:48 AM USERA               USERA_IP_ADDRESS    login process started   /login.php
03/29/2015 11:48 AM USERA               USERA_IP_ADDRESS    failure     /login.php
03/29/2015 11:48 AM user log opening    USERA_IP_ADDRESS                /getpassword.php
03/29/2015 11:48 AM user log opening    USERA_IP_ADDRESS                /getpassword.php
03/29/2015 11:49 AM user log opening    USERA_IP_ADDRESS                /getpassword.php
03/29/2015 11:49 AM user log opening    USERA_IP_ADDRESS                /getpassword.php
03/29/2015 11:49 AM user log opening    USERA_IP_ADDRESS                /getpassword.php
03/29/2015 01:19 PM user log opening    USERA_IP_ADDRESS                /getpassword.php
03/29/2015 01:20 PM user log opening    USERA_IP_ADDRESS                /getpassword.php
03/29/2015 01:21 PM user log opening    USERA_IP_ADDRESS                /getpassword.php
03/29/2015 01:22 PM user log opening    USERA_IP_ADDRESS                /getpassword.php
03/29/2015 01:22 PM user log opening    USERA_IP_ADDRESS                /getpassword.php
03/29/2015 04:33 PM user log opening    USERA_IP_ADDRESS                /getpassword.php
03/29/2015 04:33 PM user log opening    USERA_IP_ADDRESS                /getpassword.php
03/29/2015 04:34 PM user log opening    USERA_IP_ADDRESS                /login.php
03/29/2015 04:34 PM USERA           USERA_IP_ADDRESS    login process started   /login.php
03/29/2015 04:34 PM USERA           USERA_IP_ADDRESS    success         /login.php
03/29/2015 01:22 PM USERX           USERA_IP_ADDRESS    success-suspended   /getpassword.php
danjfoley
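As an added example (not code from the question or the answer), here is a small Python script that parses the log layout shown above, sorts the entries by timestamp (the raw listing is not in time order) and flags any IP address from which a suspended account's event lands within a few minutes of another user's password-reset requests. The sample lines are constructed in the same format as the question's log, and the five-minute window, the `/getpassword.php` path and the "user log opening" anonymous marker are assumptions taken from what the log shows.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout of the question's log; not a real capture.
SAMPLE_LOG = """\
03/29/2015 11:48 AM USERA               USERA_IP_ADDRESS    failure     /login.php
03/29/2015 01:21 PM user log opening    USERA_IP_ADDRESS                /getpassword.php
03/29/2015 01:22 PM user log opening    USERA_IP_ADDRESS                /getpassword.php
03/29/2015 04:34 PM USERA           USERA_IP_ADDRESS    success         /login.php
03/29/2015 01:22 PM USERX           USERA_IP_ADDRESS    success-suspended   /getpassword.php
03/29/2015 09:00 AM USERB           10.0.0.7    success         /login.php
"""

ANON = "user log opening"      # the app's marker for a request with no logged-in user (assumed)
RESET_PATH = "/getpassword.php"

def parse_line(line):
    # First 19 chars are "MM/DD/YYYY HH:MM AM"; remaining columns are padded with runs of spaces.
    stamp, rest = line[:19], line[19:].strip()
    fields = re.split(r"\s{2,}", rest)
    if len(fields) == 3:                       # actor, ip, path (no status column)
        actor, ip, path, status = fields[0], fields[1], fields[2], ""
    elif len(fields) == 4:                     # actor, ip, status, path
        actor, ip, status, path = fields
    else:
        raise ValueError("unexpected layout: %r" % line)
    return {"when": datetime.strptime(stamp, "%m/%d/%Y %I:%M %p"), "stamp": stamp,
            "actor": actor, "ip": ip, "status": status, "path": path}

def find_cross_user_events(log_text, window=timedelta(minutes=5)):
    # Sort by parsed time: the file order is not chronological (see 01:22 PM after 04:34 PM).
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["when"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        users = {e["actor"] for e in evs if e["actor"] != ANON}
        if len(users) < 2:
            continue                           # one account per IP is the normal case
        for e in evs:
            if "suspended" not in e["status"]:
                continue
            # Other password-reset requests from the same IP close to the suspended event.
            nearby = [o for o in evs if o is not e and o["path"] == RESET_PATH
                      and abs(o["when"] - e["when"]) <= window]
            if nearby:
                findings.append({"ip": ip, "user": e["actor"], "when": e["stamp"],
                                 "other_users": sorted(users - {e["actor"]})})
    return findings
```

Run it over the real file instead of `SAMPLE_LOG` and the output lists each IP where a suspended account shows up inside someone else's reset window, which is the pattern the question describes.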

1 Answer


First of all, you can't spoof your IP on a TCP connection. Spoofed IPs are broadcast-only.

As for being able to tell if a user is relaying or proxying his traffic off another computer, some tell-tale signs might include:

Though often it doesn't matter. If it's a single attacker or multiple attackers exhibiting the same behavior, is there a difference? If a single attacker logs in from multiple computers in multiple locations, is that functionally different from relaying his traffic through proxies?

Consider all suspicious activity by its own merits. If it looks like someone is doing something they shouldn't be, then your best bet is to take action to protect against that behavior, not protect against that person. If a system is under attack, then secure the system; alter it so that the attacker can't succeed.

tylerl
I run Acunetix scans of the site every week. Fix security issues right away. It's not reporting any at the moment.

If you can't forge an IP over TCP then this USERX username must be coming from the IP of USERA. The question is HOW.

– danjfoley Mar 30 '15 at 15:47