justinrh 260 Posted September 22, 2021 (edited)
I connected to my Emby server from my company's VPN network. Can someone explain this odd IP and the 404 response? xxx.yyy is my IP.

2021-09-21 18:12:46.046 Info Server: http/1.1 GET https://xxx.yyy.108.208/login. UserAgent: Mozilla/5.0 zgrab/0.x
2021-09-21 18:12:46.047 Info Server: http/1.1 Response 404 to 192.241.218.38. Time: 1ms. https://xxx.yyy.108.208/login

Never mind, I figured it out.
Edited September 22, 2021 by justinrh: realized my mistake
Carlo 4561 Posted September 22, 2021
You will want to edit your post. If you hover your mouse over those links the IP is there and the link is valid. But there is no login page at that URL so the 404 error is valid.
justinrh 260 Posted September 22, 2021 Author
Thanks for the link note!
1) Right, but why is that IP address there at all? Where did it come from?
2) What is the syntax of that second line? I don't understand what the server is logging. <response> <remote IP>
Luke 42086 Posted September 22, 2021
Quote: 1) Right, but why is that IP address there at all? Where did it come from?
You'll have to ask whoever is behind that ip address. If you've ever looked at your phone call log and wondered why some number you didn't recognize was there, it's the same thing.
justinrh 260 Posted September 22, 2021 Author
@Luke Can you answer (2)? The only IPs I'd expect to be involved would be the local IP and the remote IP. I might not recognize a phone number, but I do know that someone called and I know how the number got logged.
Luke 42086 Posted September 22, 2021
1 hour ago, justinrh said: @Luke Can you answer (2)? The only IPs I'd expect to be involved would be the local IP and the remote IP. I might not recognize a phone number, but I do know that someone called and I know how the number got logged
I can't really answer a question about your own network environment. All I can say is what the log says: something at ip address 192.241.218.38 sent a request to https://xxx.yyy.108.208/login
I can't tell you what, who, or why, although the presence of zgrab in the user agent might give you a clue (to google it). Considering that url doesn't even exist in the emby server api, that sounds like something on the network that is scanning devices and sniffing around for services.
Carlo 4561 Posted September 22, 2021
It's likely some network tool using the zmap toolkit. https://github.com/zmap
First thing to do is identify what device/machine is running on that IP. Then you can take a look at it to see what programs or services are running on it. It could be anything from a network uptime checker to a security monitor/checker to something scanning the network and trying to determine what's running on each host.
justinrh 260 Posted September 22, 2021 Author
@Luke I wasn't asking for details you can't know. I was just asking how to interpret the log entry and how that scenario might happen. With your last reply, I have a hint now. I'm starting to understand better. Thanks.
@cayars Thanks for the info!
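The two-line pattern discussed in this thread (a request line carrying the URL and user agent, followed by a response line carrying the status and the remote IP), parsed and joined in Python. This is an added example, not part of the original posts and not Emby's own code; the function names, the scanner token list and the last two sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Layout of the two line types as they appear in the log excerpt in this thread.
REQ = re.compile(r"^(?P<ts>\S+ \S+) Info Server: http/\S+ (?P<method>[A-Z]+) "
                 r"(?P<url>\S+)\. UserAgent: (?P<ua>.*)$")
RESP = re.compile(r"^(?P<ts>\S+ \S+) Info Server: http/\S+ Response (?P<status>\d{3}) "
                  r"to (?P<ip>\S+)\. Time: (?P<ms>\d+)ms\. (?P<url>\S+)$")

# Illustrative user-agent substrings of scanning tools (an assumption; extend as needed).
SCANNER_TOKENS = ("zgrab", "masscan", "nmap")

def pair_requests(lines):
    """Join each Response line to the oldest unanswered request for the same URL."""
    pending = defaultdict(deque)   # url -> requests still waiting for a response
    events = []
    for line in lines:
        line = line.strip()
        if m := REQ.match(line):
            pending[m["url"]].append(m.groupdict())
        elif m := RESP.match(line):
            req = pending[m["url"]].popleft() if pending[m["url"]] else {}
            ua = req.get("ua", "")
            events.append({
                "remote_ip": m["ip"], "status": int(m["status"]), "url": m["url"],
                "method": req.get("method"), "user_agent": ua,
                "scanner": any(t in ua.lower() for t in SCANNER_TOKENS),
            })
    return events

def scanner_hits(events):
    """Remote IPs whose user agent names a scanning tool, with the URLs they probed."""
    hits = defaultdict(list)
    for e in events:
        if e["scanner"]:
            hits[e["remote_ip"]].append((e["status"], e["url"]))
    return dict(hits)

# First two lines are the excerpt from the thread; the last two are constructed.
SAMPLE = """\
2021-09-21 18:12:46.046 Info Server: http/1.1 GET https://xxx.yyy.108.208/login. UserAgent: Mozilla/5.0 zgrab/0.x
2021-09-21 18:12:46.047 Info Server: http/1.1 Response 404 to 192.241.218.38. Time: 1ms. https://xxx.yyy.108.208/login
2021-09-21 18:13:02.100 Info Server: http/1.1 GET https://xxx.yyy.108.208/web/index.html. UserAgent: Mozilla/5.0 (X11; Linux x86_64)
2021-09-21 18:13:02.104 Info Server: http/1.1 Response 200 to 10.8.0.5. Time: 4ms. https://xxx.yyy.108.208/web/index.html
""".splitlines()

if __name__ == "__main__":
    for ip, probes in scanner_hits(pair_requests(SAMPLE)).items():
        print(ip, probes)
```

Pairing is by URL in arrival order, so on a busy server with concurrent requests to the same URL the user agent attached to a response is a best guess rather than a certainty.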