5 Replies Latest reply on Sep 9, 2013 2:16 AM by asabban

    accesslog shows IP Addresses not authenticated

    MrKaos

      We are using authentication against our Active Directory, so nobody can surf the Internet without authenticating. The problem is as follows:

      I'm looking at the access logs and I can see normal logins, something like this (username, internal address, etc.):


      [25/Jul/2013:11:20:02 -0500] "LLINARES" 172.17.67.12 200 "GET http://www.sat.gob.mx/sitio_internet/imagenes/bannerPOT_v3.jpg HTTP/1.1" "Government/Military" "Minimal Risk" "" 6030 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.5; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0; MALC)" "" "0"

      [25/Jul/2013:11:20:02 -0500] "JARGUELLES" 172.17.43.62 204 "GET http://clients1.google.com.mx/generate_204 HTTP/1.1" "Search Engines" "Minimal Risk" "" 221 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB7.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" "" "0"

      However, I see another kind of entry in the access log files: they are not authenticated IP addresses, and I'm worried because they are Internet IP addresses, like this:


      [25/Jul/2013:11:12:48 -0500] "" 109.169.84.117 200 "CONNECT 204.79.197.200:80 HTTP/1.1" "" "-" "" 27223 "" "" "0"
      [25/Jul/2013:11:09:35 -0500] "" 109.169.40.116 200 "CONNECT 204.79.197.200:80 HTTP/1.1" "" "-" "" 37428 "" "" "0"
      [25/Jul/2013:11:09:36 -0500] "" 93.170.131.15 200 "CONNECT 205.188.27.208:443 HTTP/1.1" "" "-" "" 5168 "" "" "0"

      [25/Jul/2013:11:09:36 -0500] "" 93.170.131.15 200 "CONNECT 205.188.27.208:443 HTTP/1.1" "" "-" "" 5168 "" "" "0"
      [25/Jul/2013:11:09:36 -0500] "" 93.170.131.15 200 "CONNECT 205.188.27.208:443 HTTP/1.1" "" "-" "" 5168 "" "" "0"
      [25/Jul/2013:11:09:38 -0500] "" 91.121.8.219 200 "CONNECT ropeaccessnation.ning.com:80 HTTP/1.1" "" "-" "" 9145 "" "" "0"

      [25/Jul/2013:11:11:42 -0500] "" 198.211.21.171 200 "CONNECT tw.newlogin.beanfun.com:80 HTTP/1.1" "" "-" "" 229 "" "" "0"
      [25/Jul/2013:11:11:42 -0500] "" 62.233.42.226 200 "CONNECT mikelcelestial.com:80 HTTP/1.1" "" "-" "" 2942 "" "" "0"
      [25/Jul/2013:11:11:42 -0500] "" 31.210.126.230 200 "CONNECT steamcommunity.com:443 HTTP/1.1" "" "-" "" 5999 "Opera/9.80 (Android 2.3.3; Linux; Opera Mobi/ADR-1111101157; U; es-ES) Presto/2.9.201 Version/11.50" "" "0"

      [25/Jul/2013:11:11:43 -0500] "" 82.39.176.35 200 "CONNECT www.tanjas-perlenzauber.de:80 HTTP/1.1" "" "-" "" 31613 "" "" "0"

      [25/Jul/2013:11:11:43 -0500] "" 60.166.205.6 200 "CONNECT www.google.co.bw:443 HTTP/1.1" "" "-" "" 9001 "" "" "0"

      [25/Jul/2013:11:11:43 -0500] "" 82.39.176.35 200 "CONNECT wiki.keyboardmaestro.com:80 HTTP/1.1" "" "-" "" 12305 "" "" "0"

      [25/Jul/2013:11:11:43 -0500] "" 5.149.147.79 200 "CONNECT account.sonyentertainmentnetwork.com:443 HTTP/1.1" "" "-" "" 8452 "" "" "0"
      [25/Jul/2013:11:11:45 -0500] "" 31.210.126.230 200 "CONNECT steamcommunity.com:443 HTTP/1.1" "" "-" "" 5519 "Opera/9.80 (Android 2.3.3; Linux; Opera Mobi/ADR-1111101157; U; es-ES) Presto/2.9.201 Version/11.50" "" "0"
      [25/Jul/2013:11:12:47 -0500] "" 187.242.181.73 200 "CONNECT 172.16.21.137:443 HTTP/1.0" "" "-" "" 145 "" "" "0"

      [25/Jul/2013:11:12:47 -0500] "" 207.254.7.74 200 "CONNECT premium.rpnet.biz:443 HTTP/1.1" "" "-" "" 11263 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" "" "0"

      [25/Jul/2013:11:12:47 -0500] "" 198.211.21.171 200 "CONNECT tw.newlogin.beanfun.com:443 HTTP/1.1" "" "-" "" 6265 "" "" "0"
      [25/Jul/2013:11:12:48 -0500] "" 78.159.112.252 200 "CONNECT m.facebook.com:443 HTTP/1.1" "" "-" "" 894 "RLel734unhbyC4 g" "" "0"

      [25/Jul/2013:11:14:55 -0500] "" 94.23.120.244 200 "CONNECT www.fotzen-ficken.net:80 HTTP/1.1" "" "-" "" 12601 "" "" "0"

      [25/Jul/2013:11:14:55 -0500] "" 37.147.44.196 200 "CONNECT 62.141.94.45:38223 HTTP/1.1" "" "-" "" 172 "" "" "0"

      [25/Jul/2013:11:14:55 -0500] "" 91.237.249.168 200 "CONNECT blekko.com:80 HTTP/1.1" "" "-" "" 15335 "" "" "0"

      [25/Jul/2013:11:14:56 -0500] "" 87.9.192.173 200 "CONNECT www.spotify.com:443 HTTP/1.1" "" "-" "" 3222 "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1" "" "0"
      [25/Jul/2013:11:14:57 -0500] "" 176.97.28.97 200 "CONNECT lossantosshare.web44.net:80 HTTP/1.1" "" "-" "" 346 "" "" "0"
      [25/Jul/2013:11:14:58 -0500] "" 198.27.68.105 200 "CONNECT www.christianteenagers.net:80 HTTP/1.1" "" "-" "" 18678 "" "" "0"
      [25/Jul/2013:11:14:58 -0500] "" 107.15.30.33 200 "CONNECT 107.14.46.26:80 HTTP/1.1" "" "-" "" 37052 "" "" "0"

      [25/Jul/2013:11:15:39 -0500] "" 91.236.74.176 200 "CONNECT bestbasslures.org:80 HTTP/1.1" "" "-" "" 1026 "" "" "0"

      [25/Jul/2013:11:20:01 -0500] "" 62.233.42.226 200 "CONNECT benjamin.sipsolutions.net:80 HTTP/1.1" "" "-" "" 11079 "" "" "0"

      Why is this happening? Does anyone know about this?

      I appreciate your help.

      Thanks

      kaos

      [25/Jul/2013:11:20:02 -0500] "e-COMMERCE" 172.17.45.3 200 "CONNECT fbstatic-a.akamaihd.net:443 HTTP/1.0" "Social Networking" "Minimal Risk" "" 1291 "" "" "0"

      [25/Jul/2013:11:20:02 -0500] "e-COMMERCE" 172.17.45.3 200 "CONNECT fbstatic-a.akamaihd.net:443 HTTP/1.0" "Social Networking" "Minimal Risk" "" 1291 "" "" "0"
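The pattern in the quoted entries is what a practitioner would want to pull out of the log automatically rather than by eye: an empty user field, a source address outside the 172.17.x.x range the authenticated clients come from, a successful (200) response to a CONNECT, and in one case (187.242.181.73) a CONNECT to an internal 172.16.21.137 address. The Python below is an added example written for this page; it is not code from the thread or from the proxy vendor. It assumes the field layout visible in the quoted lines, takes the RFC 1918 ranges as the "internal" address space (an assumption; the post only shows 172.17.x.x clients), and treats any CONNECT to a port other than 443 as worth flagging.

```python
import ipaddress
import re
from collections import Counter

# Field layout of the access log lines quoted in the post (one record per line):
# [timestamp] "auth_user" client_ip status "request" "category" "risk" "" bytes "user_agent" "" "0"
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] "(?P<user>[^"]*)" (?P<client>\S+) (?P<status>\d+) '
    r'"(?P<request>[^"]*)" "(?P<category>[^"]*)" "(?P<risk>[^"]*)" "[^"]*" '
    r'(?P<bytes>\d+) "(?P<ua>[^"]*)" "[^"]*" "(?P<last>[^"]*)"$'
)

# Assumption: the address space the proxy is meant to serve is RFC 1918.
# The post only shows 172.17.x.x clients; narrow this to the real internal ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Log lines taken from the post above (user-agent strings shortened): two normal
# entries, three of the unauthenticated CONNECTs, and one authenticated CONNECT.
SAMPLE_LINES = [
    '[25/Jul/2013:11:20:02 -0500] "LLINARES" 172.17.67.12 200 "GET http://www.sat.gob.mx/sitio_internet/imagenes/bannerPOT_v3.jpg HTTP/1.1" "Government/Military" "Minimal Risk" "" 6030 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)" "" "0"',
    '[25/Jul/2013:11:20:02 -0500] "JARGUELLES" 172.17.43.62 204 "GET http://clients1.google.com.mx/generate_204 HTTP/1.1" "Search Engines" "Minimal Risk" "" 221 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" "" "0"',
    '[25/Jul/2013:11:12:48 -0500] "" 109.169.84.117 200 "CONNECT 204.79.197.200:80 HTTP/1.1" "" "-" "" 27223 "" "" "0"',
    '[25/Jul/2013:11:12:47 -0500] "" 187.242.181.73 200 "CONNECT 172.16.21.137:443 HTTP/1.0" "" "-" "" 145 "" "" "0"',
    '[25/Jul/2013:11:14:55 -0500] "" 37.147.44.196 200 "CONNECT 62.141.94.45:38223 HTTP/1.1" "" "-" "" 172 "" "" "0"',
    '[25/Jul/2013:11:20:02 -0500] "e-COMMERCE" 172.17.45.3 200 "CONNECT fbstatic-a.akamaihd.net:443 HTTP/1.0" "Social Networking" "Minimal Risk" "" 1291 "" "" "0"',
]


def is_internal(addr: str) -> bool:
    """True if addr is an IP inside INTERNAL_NETS; hostnames and junk count as external."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Split one access log line into named fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["target"] = parts[1] if len(parts) > 1 else ""
    # For CONNECT the target is host:port; split the port off for the checks below.
    rec["target_host"], rec["target_port"] = rec["target"], None
    if rec["method"] == "CONNECT" and ":" in rec["target"]:
        host, _, port = rec["target"].rpartition(":")
        rec["target_host"] = host
        rec["target_port"] = int(port) if port.isdigit() else None
    return rec


def classify(rec) -> list:
    """Return the findings for one parsed record; an empty list means it looks normal."""
    findings = []
    external = not is_internal(rec["client"])
    success = int(rec["status"]) < 400
    if external:
        findings.append("external_client")          # source is outside the served ranges
    if rec["user"] == "" and success:
        findings.append("unauthenticated_success")  # allowed through with no auth user
    if external and rec["user"] == "" and success:
        findings.append("open_proxy_use")           # both at once: relayed for an outsider
    if rec["method"] == "CONNECT":
        if external and is_internal(rec["target_host"]):
            findings.append("tunnel_into_internal")  # outsider tunnelling to an inside host
        if rec["target_port"] != 443:
            findings.append("connect_nonstandard_port")
    return findings


def audit(lines):
    """Parse every line and return (per-line results, Counter of findings)."""
    results, summary = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        found = classify(rec)
        results.append((rec["client"], rec["request"], found))
        summary.update(found)
    return results, summary


def suspicious_clients(lines) -> list:
    """Sorted, de-duplicated client addresses that were relayed without authentication."""
    results, _ = audit(lines)
    return sorted({client for client, _, found in results if "open_proxy_use" in found})


if __name__ == "__main__":
    for client, request, found in audit(SAMPLE_LINES)[0]:
        print(f"{client:16} {request:50} {', '.join(found) or 'ok'}")
    print("summary:", dict(audit(SAMPLE_LINES)[1]))
```

Run against the full access log, the `open_proxy_use` count and the list from `suspicious_clients` give the scale of the problem, and `tunnel_into_internal` entries are the ones to look at first. A 200 on a CONNECT with an empty user field from a public address means the request was relayed without the authentication rule taking effect, so the two things to verify on the appliance are whether the proxy listener is reachable from the Internet at all and whether the authentication rule set covers CONNECT requests from every source, not only from the internal ranges.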