[Gllug] IP address changes

Alain Williams addw at phcomp.co.uk
Sun Nov 26 12:40:18 UTC 2006 

I have a problem where is seems that IP addresses are changing rapidly, AOL users
seem particularly badly affected.

What is this about ?
I implement some (php) session protection by noting the IP address
that the requests are coming from. If this IP address changes I decide that someone
is attempting to hijack the session. I have seen a spate of these, with most
of them from addresses like 195.93.21.40 becoming 195.93.21.138 (AOL).
I have also seen 2 where the address block belongs to Energis.

Does this mean that I can't use an IP address as a constant in a web session ?
I accept that occasionally an address may change when the ISP DHCP lease
expires, but hopefully that will not be often.

Do AOL have proxies and the proxy that a user uses can be different every time ?
If so then this blows my protection mechanism completely.

To give you an idea of what is happening there is a setcion of my log files below (usernames & URL anonymised):

Nov 19 12:48:31  [alert] Session hijacked, remote 84.70.248.103 was 84.70.24.239 User: user2 URL: /Somewhere/DoUserAdmin.php
Nov 19 15:55:10  [alert] Session hijacked, remote 195.93.21.72 was 195.93.21.135 User: unknown URL: /Somewhere/index.php
Nov 19 15:55:33  [alert] Session hijacked, remote 195.93.21.72 was 195.93.21.135 User: unknown URL: /Somewhere/index.php
Nov 19 15:55:42  [alert] Session hijacked, remote 195.93.21.33 was 195.93.21.135 User: unknown URL: /Somewhere/index.php
Nov 19 15:57:23  [alert] Session hijacked, remote 195.93.21.2 was 195.93.21.135 User: unknown URL: /Somewhere/index.php
Nov 19 15:57:40  [alert] Session hijacked, remote 195.93.21.135 was 195.93.21.72 User: unknown URL: /Somewhere/index.php
Nov 19 15:57:53  [alert] Session hijacked, remote 195.93.21.72 was 195.93.21.135 User: unknown URL: /Somewhere/index.php
Nov 19 15:58:07  [alert] Session hijacked, remote 195.93.21.2 was 195.93.21.135 User: unknown URL: /Somewhere/index.php
Nov 19 15:58:15  [alert] Session hijacked, remote 195.93.21.135 was 195.93.21.72 User: unknown URL: /Somewhere/index.php
Nov 19 15:58:22  [alert] Session hijacked, remote 195.93.21.72 was 195.93.21.135 User: unknown URL: /Somewhere/index.php
Nov 19 15:58:30  [alert] Session hijacked, remote 195.93.21.33 was 195.93.21.135 User: unknown URL: /Somewhere/index.php
Nov 19 15:58:57  [alert] Session hijacked, remote 195.93.21.135 was 195.93.21.72 User: unknown URL: /Somewhere/index.php
Nov 19 15:59:29  [alert] Session hijacked, remote 195.93.21.135 was 195.93.21.72 User: unknown URL: /Somewhere/index.php
Nov 19 16:00:19  [alert] Session hijacked, remote 195.93.21.33 was 195.93.21.135 User: user1 URL: /Somewhere/index.php
Nov 19 16:00:37  [alert] Session hijacked, remote 195.93.21.33 was 195.93.21.135 User: user1 URL: /Somewhere/index.php
Nov 19 16:00:57  [alert] Session hijacked, remote 195.93.21.33 was 195.93.21.135 User: user1 URL: /Somewhere/index.php
Nov 19 16:01:09  [alert] Session hijacked, remote 195.93.21.33 was 195.93.21.135 User: user1 URL: /Somewhere/index.php
Nov 19 16:01:22  [alert] Session hijacked, remote 195.93.21.5 was 195.93.21.135 User: user1 URL: /Somewhere/index.php
Nov 19 16:01:35  [alert] Session hijacked, remote 195.93.21.65 was 195.93.21.135 User: user1 URL: /Somewhere/index.php
Nov 19 16:01:48  [alert] Session hijacked, remote 195.93.21.33 was 195.93.21.135 User: user1 URL: /Somewhere/index.php
Nov 19 16:02:01  [alert] Session hijacked, remote 195.93.21.33 was 195.93.21.135 User: user1 URL: /Somewhere/index.php
Nov 19 16:02:12  [alert] Session hijacked, remote 195.93.21.33 was 195.93.21.135 User: user1 URL: /Somewhere/index.php
Nov 19 16:02:23  [alert] Session hijacked, remote 195.93.21.2 was 195.93.21.135 User: user1 URL: /Somewhere/index.php
Nov 19 16:03:34  [alert] Session hijacked, remote 195.93.21.33 was 195.93.21.135 User: user1 URL: /Somewhere/index.php
Nov 19 16:04:18  [alert] Session hijacked, remote 195.93.21.33 was 195.93.21.135 User: user1 URL: /Somewhere/index.php
Nov 19 16:06:02  [alert] Session hijacked, remote 195.93.21.65 was 195.93.21.33 User: unknown URL: /Somewhere/index.php
Nov 19 16:07:26  [alert] Session hijacked, remote 195.93.21.135 was 195.93.21.33 User: unknown URL: /Somewhere/index.php
Nov 19 16:07:39  [alert] Session hijacked, remote 195.93.21.72 was 195.93.21.135 User: unknown URL: /Somewhere/index.php
Nov 19 16:07:43  [alert] Session hijacked, remote 195.93.21.72 was 195.93.21.135 User: unknown URL: /Somewhere/index.php
Nov 19 16:07:59  [alert] Session hijacked, remote 195.93.21.135 was 195.93.21.72 User: unknown URL: /Somewhere/index.php
Nov 19 16:08:14  [alert] Session hijacked, remote 195.93.21.135 was 195.93.21.72 User: unknown URL: /Somewhere/index.php
Nov 19 16:08:39  [alert] Session hijacked, remote 195.93.21.33 was 195.93.21.135 User: user1 URL: /Somewhere/index.php
Nov 19 16:08:57  [alert] Session hijacked, remote 195.93.21.33 was 195.93.21.135 User: user1 URL: /Somewhere/index.php
Nov 19 16:09:31  [alert] Session hijacked, remote 195.93.21.33 was 195.93.21.135 User: user1 URL: /Somewhere/index.php
Nov 19 16:09:48  [alert] Session hijacked, remote 195.93.21.33 was 195.93.21.135 User: user1 URL: /Somewhere/index.php
Nov 19 16:10:19  [alert] Session hijacked, remote 195.93.21.33 was 195.93.21.135 User: user1 URL: /Somewhere/index.php
Nov 19 16:10:36  [alert] Session hijacked, remote 195.93.21.33 was 195.93.21.135 User: user1 URL: /Somewhere/index.php
Nov 19 16:10:52  [alert] Session hijacked, remote 195.93.21.33 was 195.93.21.135 User: user1 URL: /Somewhere/index.php
Nov 19 16:11:08  [alert] Session hijacked, remote 195.93.21.5 was 195.93.21.135 User: user1 URL: /Somewhere/index.php
Nov 19 16:11:23  [alert] Session hijacked, remote 195.93.21.65 was 195.93.21.135 User: user1 URL: /Somewhere/index.php
Nov 20 16:22:06  [alert] Session hijacked, remote 195.93.21.72 was 195.93.21.135 User: unknown URL: /Somewhere/index.php

TIA

-- 
Alain Williams
Parliament Hill Computers Ltd.
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/

#include <std_disclaimer.h>
-------------- next part --------------
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug

More information about the GLLUG mailing list