Can it be done?
We have started getting visits (well, one to be precise) from someone on our forum but there is no IP address showing :confused: .
Being as we had a hacker last month, I thought it would be best to try and figure out a way of tracking this mystery guest.
Any ideas?
LesMcQueen
09-02-2005, 00:17
Hmm. When you say that no IP has been logged, you mean in your vBulletin logs? Probably a bug.
I'd guess that unless you're hosting your own server on your own infrastructure, it's unlikely that you'll get to find out unless you can get your hands on your hosting company's firewall/router/IDS logs.
It could be a bug :(. We can see the browser etc. but not the IP address :confused: . We just wanted to check for security reasons but we had another visitor with no IP tonight and nothing happened. I hope it's a bug anyway! ;)
mr.blaze
09-02-2005, 03:01
Speak to me on MSN, I can prolly help you : )
LesMcQueen
09-02-2005, 09:32
Sounds like it's an issue with the way vB detects the source IP.
Some proxies or anonymiser/sanitisers may strip out the information that you rely on to grab the source IP.
http://www.theadminzone.com/forums/showthread.php?t=4234
You may be able to find it with a network analyzer. There's a free program called Ethereal which will capture and display all the packets on the network. We use it at work and it's better than most packages that cost thousands of ££££'s.
A quick Google should find it.
lonesome
09-02-2005, 12:13
If you have access to the raw HTTP access log files you can easily find the IP address by finding the rough time when they were using the site in the logs and the corresponding access information. The logs will show what pages have been accessed so you can also see if people have been sniffing around looking for areas that can be weak in security.
Thanks for the replies guys :thumbs:
LesMcQueen: I think you hit the nail on the head there! We have now had 3 visits with no IP and they have been different browsers every time. It is looking more and more like a bug in VB.
That is the 4th such thread I have read now saying the same thing about VB (it would be interesting to hear if any of the mods on here have noticed similar, hint, hint).
We'll have to wait and see if any script kiddies are trying to do any damage :( and I'll come a calling again then! ;)
Thanks again
Vidster
It's impossible for them not to have an IP address - otherwise they wouldn't be able to route anything to or from your site.
It's most likely a coding error as mentioned - although if they have already owned your site they may have altered the code so it does not log their static IP. They're amateurs if it is that as they should be clearing the log of their visits entirely to hide their tracks (and they shouldn't still need HTTP to connect - they should shovel a shell back out using other means).
Have you correlated your application logs with the server (IIS?) logs?
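
Added example (not part of the thread): a sketch of the correlation suggested above, matching the time and browser string the forum recorded for the IP-less visitor against the raw web server access log to recover candidate source IPs and the pages they requested. It assumes Apache-style Combined Log Format (IIS W3C logs would need a different parser); the function name `candidate_ips` and the sample log lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (documentation-range IPs), not taken from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [09/Feb/2005:00:02:11 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [09/Feb/2005:00:03:40 +0000] "GET /forum/showthread.php?t=12 HTTP/1.1" 200 8301 "-" "Mozilla/5.0 (X11; U; Linux i686) Gecko/20041107 Firefox/1.0"
198.51.100.7 - - [09/Feb/2005:00:04:02 +0000] "GET /forum/admincp/ HTTP/1.1" 403 312 "-" "Mozilla/5.0 (X11; U; Linux i686) Gecko/20041107 Firefox/1.0"
203.0.113.5 - - [09/Feb/2005:00:41:19 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; U; Linux i686) Gecko/20041107 Firefox/1.0"
this line is malformed and must be skipped
"""

def candidate_ips(log_text, seen_at, user_agent, window_minutes=5):
    """Map each client IP to the (path, status) pairs it requested with
    `user_agent` within +/- window_minutes of the forum's `seen_at` time."""
    window = timedelta(minutes=window_minutes)
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip truncated or malformed lines
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["ua"] == user_agent and abs(when - seen_at) <= window:
            hits.setdefault(m["ip"], []).append((m["path"], int(m["status"])))
    return hits

if __name__ == "__main__":
    # Time and browser string as the forum showed them for the IP-less visit (constructed).
    seen = datetime.strptime("09/Feb/2005:00:04:00 +0000", "%d/%b/%Y:%H:%M:%S %z")
    ua = "Mozilla/5.0 (X11; U; Linux i686) Gecko/20041107 Firefox/1.0"
    for ip, reqs in candidate_ips(SAMPLE_LOG, seen, ua).items():
        print(ip, reqs)
```

The address recovered this way may belong to a proxy rather than the visitor, and the forum and web server clocks need to be on the same time zone for the window to line up.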