knifeman, posted January 8, 2010

This IP is all over my site. 127.0.0.1 No IP sites I have been to can identify it. Anyone here have any idea where this is?

Tim

germ, posted January 8, 2010

> This IP is all over my site. 127.0.0.1 No IP sites I have been to can identify it. Anyone here have any idea where this is?
>
> Tim

Localhost

That's the IP you put in your HOSTS file (on your PC) to block a site.

I can't explain how it's all over your site though. :'(

knifeman, posted January 8, 2010

Thanks Jim, I learn new stuff every day on this forum.

Tim

MrPhil, posted January 8, 2010

127.0.0.1 is the "loopback" address. It refers to you (your server). Can you be more specific by what you mean that it's "all over your site"? I would expect to see it in a number of places, but if you've been hacked and the hack code is doing strange things (such as attempting to read or write where it shouldn't), you might see "too much" of it. Where are you seeing the loopback address and in what context?

knifeman, posted January 8, 2010

> 127.0.0.1 is the "loopback" address. It refers to you (your server). Can you be more specific by what you mean that it's "all over your site"? I would expect to see it in a number of places, but if you've been hacked and the hack code is doing strange things (such as attempting to read or write where it shouldn't), you might see "too much" of it. Where are you seeing the loopback address and in what context?

I did not see any hack attempt. The 'customer' was viewing numerous pages. Mostly info pages like my FAQ, about us, shipping, that sort of thing. By the time I finished reading the link Jim supplied, the customer was gone. There were no strange URLs in the Who's Online. For some reason the IP looked different when I checked Who's Online. So I tried looking it up and I could not find a location. That really puzzled me and set off the concern alarm.

Tim

♥mdtaylorlrim, posted January 8, 2010

> I did not see any hack attempt. The 'customer' was viewing numerous pages. Mostly info pages like my FAQ, about us, shipping, that sort of thing. By the time I finished reading the link Jim supplied, the customer was gone. There were no strange URLs in the Who's Online. For some reason the IP looked different when I checked Who's Online. So I tried looking it up and I could not find a location. That really puzzled me and set off the concern alarm.
>
> Tim

Describe your setup for us. Do you use a hosting service? Do you own your own server? Are you running OSC on Windows XP or some other Windows box at home with a service like DynIP or DynDNS?

knifeman, posted January 8, 2010

> Describe your setup for us. Do you use a hosting service? Do you own your own server? Are you running OSC on Windows XP or some other Windows box at home with a service like DynIP or DynDNS?

My stores are on a dedicated server running Linux 2.6.18-128.7.1.el5. Paid hosting.

Tim

♥mdtaylorlrim, posted January 8, 2010

OK, like MrPhil said, the 127.0.0.1 address is the loopback address. The only way that address can be noted is when someone is sitting at the console of the machine using a browser, or a script is run. It could be a script that is wget'ing the code and ftp'ing it somewhere. It does not necessarily need to be in your file space. It could be anywhere on the server. Notify your host of this and see if they can make anything of it.

knifeman, posted January 8, 2010

> OK, like MrPhil said, the 127.0.0.1 address is the loopback address. The only way that address can be noted is when someone is sitting at the console of the machine using a browser, or a script is run. It could be a script that is wget'ing the code and ftp'ing it somewhere. It does not necessarily need to be in your file space. It could be anywhere on the server. Notify your host of this and see if they can make anything of it.

My host had this to say:

"When the Apache HTTP Server manages its child processes, it needs a way to wake up processes that are listening for new connections. To do this, it sends a simple HTTP request back to itself. This request will appear in the access_log file with the remote address set to the loop-back interface, typically 127.0.0.1. These requests are perfectly normal and you do not, in general, need to worry about them. They can simply be ignored."

♥mdtaylorlrim, posted January 8, 2010

> My host had this to say:
>
> "When the Apache HTTP Server manages its child processes, it needs a way to wake up processes that are listening for new connections. To do this, it sends a simple HTTP request back to itself. This request will appear in the access_log file with the remote address set to the loop-back interface, typically 127.0.0.1. These requests are perfectly normal and you do not, in general, need to worry about them. They can simply be ignored."

I can understand that. What I do not understand is that it is making requests to specific pages in your store. Or did I read your original post incorrectly?

knifeman, posted January 8, 2010

> I can understand that. What I do not understand is that it is making requests to specific pages in your store. Or did I read your original post incorrectly?

No, you read correctly. It was browsing specific pages. I questioned my host further. I mentioned this info coming from Who's Online, not my access logs. Their response was:

"Please note that module is also working based on your domains access log and it will show whatever webserver access log have."

This happened yesterday and as best as I can remember the IP was on several info pages. Shipping, FAQ, that sort of thing. I just flipped through my supertracker mod and could not find a record with this IP, but I know I saw it yesterday.

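The distinction the thread ends on, as an added example that is not part of the original posts: Apache's wake-up requests carry "(internal dummy connection)" in the User-Agent, so loopback entries without that marker are real page fetches made by some process on the server. The combined log format is assumed, and the sample lines (addresses, paths, versions, agents) are constructed.

```python
import ipaddress
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
DUMMY_MARKER = "(internal dummy connection)"  # set by Apache on its own wake-up requests

def is_loopback(host):
    if host == "localhost":  # name logged when HostnameLookups is on
        return True
    try:
        return ipaddress.ip_address(host).is_loopback  # 127.0.0.0/8 or ::1
    except ValueError:
        return False  # some other hostname

def classify(line):
    """Return (label, match); label is dummy, loopback-page, remote or unparsed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return "unparsed", None
    if not is_loopback(m["host"]):
        return "remote", m
    return ("dummy" if DUMMY_MARKER in m["agent"] else "loopback-page"), m

def review(lines):
    """Count each label and list the loopback requests that still need an explanation."""
    counts, suspects = Counter(), []
    for line in lines:
        label, m = classify(line)
        counts[label] += 1
        if label == "loopback-page":
            suspects.append((m["time"], m["request"], m["agent"]))
    return counts, suspects

# Constructed sample lines, not taken from the poster's server.
SAMPLE = [
    '127.0.0.1 - - [07/Jan/2010:14:02:11 -0500] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.2.3 (CentOS) (internal dummy connection)"',
    '::1 - - [07/Jan/2010:14:02:12 -0500] "GET / HTTP/1.0" 200 1456 "-" "Apache/2.2.3 (CentOS) (internal dummy connection)"',
    '127.0.0.1 - - [07/Jan/2010:14:05:40 -0500] "GET /shipping.php HTTP/1.1" 200 8123 "-" "Wget/1.11.4"',
    '127.0.0.1 - - [07/Jan/2010:14:05:42 -0500] "GET /faq.php HTTP/1.1" 200 6410 "-" "Wget/1.11.4"',
    '203.0.113.7 - - [07/Jan/2010:14:06:01 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(review(SAMPLE))
```

A reverse proxy or cache running on the same host also makes every visitor appear as loopback, so rule that out before treating the flagged entries as a local script.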
This topic is now archived and is closed to further replies.