Topic: [Script] Get Visitors Real IP (MOSTLY Spoof-Proof)
d3xt3r
« on: July 13, 2008, 12:03:14 PM »

I, and many others here, have been using a script to correctly obtain IPs for users when they are using "www" or non-"www" addresses. However, as I have seen, and Uberwalla has pointed out, it is subject to IP spoofing. A user can make their IP anything by setting the "HTTP_X_FORWARDED_FOR" IP to anything they choose, most commonly "127.0.0.1" in my logs...

I should note, in the right circumstances, it might be possible for them to re-set their "HTTP_X_FORWARDED_FOR" address during the process, and still spoof. So I would suggest using no "www" addresses until 110mb uses a different system than the current internal proxy.

Old Script
Code:
$ip=isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];

Here is a script that bypasses this issue. However, you do not need to use this script if you force users to NOT use "www", which is the best option. More here:
http://www.110mb.com/forum/scripts-php-script-htaccess-removing-www-or-adding-to-site-piotr-grd-t31345.0.html


New script:
Code:
<?php
// Trust HTTP_X_FORWARDED_FOR only when the connection came from our own proxy.
$ip = ($_SERVER['REMOTE_ADDR'] == "CHANGE_THIS_TO_SERVER_IP" && isset($_SERVER['HTTP_X_FORWARDED_FOR'])) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
?>


This script can be used to set the variable $ip to the user's IP address, instead of the old way. It works in this order:

IF "REMOTE_ADDR" is your server's IP address AND there is a "HTTP_X_FORWARDED_FOR" present, THEN use "HTTP_X_FORWARDED_FOR"; otherwise use "REMOTE_ADDR", because it's probably a spoof.

You need to change "CHANGE_THIS_TO_SERVER_IP" in the script to your server's IP address. Example for Box 4: "195.242.99.89"

You can get an up-to-date list of 110mb IPs at http://d3xt3r.net/stats110/ - in one of the drop-down modules on the left.

And special thanks to Uberwalla for bringing up this issue.

EDIT:
These are the IPs of the different 110mb servers as of the time of posting. I will NOT be updating these here. See Stats110 for updated information.

Box 4:  195.242.99.89
Box 5:  195.242.99.184
Box 9:  195.242.99.208
Box 10: 195.242.99.192
Box 11: 195.242.99.215
Box 12: 195.242.99.91
Box 13: 64.191.15.150
Box 14: 66.197.252.182
« Last Edit: July 13, 2008, 12:26:41 PM by D3xt3r »
aldo
« Reply #1 on: July 13, 2008, 12:14:35 PM »

This is faster:
$ip= $_SERVER['HTTP_X_FORWARDED_FOR'] ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];

d3xt3r
« Reply #2 on: July 13, 2008, 12:22:02 PM »

Quote from aldo:
This is faster:
$ip= $_SERVER['HTTP_X_FORWARDED_FOR'] ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];

That's not going to work. This would:

Code:
$ip=isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];

However, as I said above, it's VERY easy to spoof. This code might work as well with the new script:

Code:
$ip=$_SERVER['REMOTE_ADDR']=="195.242.99.89" && isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];

Haven't tested it yet.

EDIT: Tested and changed to an easier one-line script. But still, Aldo, your code won't work, and the one I posted in the tutorial at the start is VERY easy to spoof. I could visit your site and pretend to be you.
« Last Edit: July 13, 2008, 12:29:47 PM by D3xt3r »
aldo
« Reply #3 on: July 13, 2008, 12:29:23 PM »

If $_SERVER['HTTP_X_FORWARDED_FOR'] was empty, it would be treated as false and would then fall back on $_SERVER['REMOTE_ADDR']; but if $_SERVER['HTTP_X_FORWARDED_FOR'] was not empty, it would be treated as true, and then $ip would equal $_SERVER['HTTP_X_FORWARDED_FOR'].

uberwalla
« Reply #4 on: July 13, 2008, 12:37:35 PM »

Great tutorial! This will be excellent for those using your xdd, mysql, sqlite, etc.

This should help everyone keep valid stats for their websites, and help prevent web threats with hopes of tracking the right IP.

d3xt3r
« Reply #5 on: July 13, 2008, 12:38:04 PM »

Quote from aldo:
If $_SERVER['HTTP_X_FORWARDED_FOR'] was empty, it would be treated as false and would then fall back on $_SERVER['REMOTE_ADDR']; but if $_SERVER['HTTP_X_FORWARDED_FOR'] was not empty, it would be treated as true, and then $ip would equal $_SERVER['HTTP_X_FORWARDED_FOR'].

Okay, then maybe yours would work. But it's still prone to spoofing. I've seen it myself: people showing up as 127.0.0.1.

This is what the new script protects against. I will explain it more clearly:

If somebody visits http://www.d3xt3r.net this is what the info would show:

$_SERVER['REMOTE_ADDR']: 195.242.99.89 (Server IP)
$_SERVER['HTTP_X_FORWARDED_FOR']: 123.456.789.1 (Their IP)

So this script would give the 123.456.789.1 address....

Now, if they were using this address: http://d3xt3r.net

$_SERVER['REMOTE_ADDR']: 123.456.789.1 (Real IP)
$_SERVER['HTTP_X_FORWARDED_FOR']: 127.0.0.1 (SPOOF IP)

Yours would give: 127.0.0.1

Mine would give: 123.456.789.1 REAL IP

See now?

So, really, by implementing your script to GET the real IP, you're making a security loophole.

And also, I believe when the system proxies the address into non-www, it makes "HTTP_X_FORWARDED_FOR" their actual IP from "REMOTE_ADDR".
« Last Edit: July 13, 2008, 12:40:29 PM by D3xt3r »
aldo
« Reply #6 on: July 13, 2008, 12:49:49 PM »

http://www.nosql.110mb.com/ip.php
http://nosql.110mb.com/ip.php

So, yeah, lol.

uberwalla
« Reply #7 on: July 13, 2008, 12:56:26 PM »

Both www and non-www on there allow me to spoof my ip as my real one.

Edit: now when I go non-www it shows my spoofed IP, and www shows "my spoofed ip, myrealip"; it shows both, separated by a comma.

WWW
Quote
real ip: This is a fake ip, (my real ip)
$_SERVER['HTTP_X_FORWARDED_FOR'] = This is a fake ip, (my real ip)
$_SERVER['REMOTE_ADDR'] = 66.197.252.182

NON-WWW
Quote
real ip: This is a fake ip
$_SERVER['HTTP_X_FORWARDED_FOR'] = This is a fake ip
$_SERVER['REMOTE_ADDR'] = (my real ip)
« Last Edit: July 13, 2008, 01:01:39 PM by uberwalla »
1337squad
« Reply #8 on: July 15, 2008, 05:15:52 PM »

It doesn't work if you use proxies lmfao... Still haven't found anything to stop that xD
d3xt3r
« Reply #9 on: July 15, 2008, 05:26:17 PM »

Quote from 1337squad:
It doesn't work if you use proxies lmfao... Still haven't found anything to stop that xD

But still, this helps get the "real" IP of the proxy. ;)
inp o҉rtb
« Reply #10 on: July 15, 2008, 05:36:00 PM »

Yeah, this doesn't work on elite proxies, but it does protect against X_FORWARDED_FOR spoofage. Nice tip, D3xt3r and uberwalla.

@aldo: the reason your one-liner won't work is that even if I'm not behind a proxy, I can set my X_FORWARDED_FOR variable and fool your script.
d3xt3r
« Reply #11 on: July 15, 2008, 09:42:19 PM »

I never considered this, until I noticed that my security system was being bypassed by "localhost" (Fake localhost)

Then I realized the same hosts were showing 2 IPs (Remote and X), and Uberwalla brought it up. Too bad that 80% of PHP users are already using the original script. But I suppose in most practical situations it won't hurt.
Piotr GRD
« Reply #12 on: July 15, 2008, 09:58:25 PM »

I don't even know how to set that kind of variable by myself while connecting anywhere. :)
But I guess that lots of people know.


Anyway, one little thing that will be useful for people who don't know, or have problems with, finding the IP of the server:

This: "CHANGE_THIS_TO_SERVER_IP" is unnecessary.
You can use $_SERVER['SERVER_ADDR'] instead.
Code:
<?php
// Same check as above, but compare against the server's own address instead of a hard-coded IP.
$ip = ($_SERVER['REMOTE_ADDR'] == $_SERVER['SERVER_ADDR'] && isset($_SERVER['HTTP_X_FORWARDED_FOR'])) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
?>
For my own visit counter I have been using "if ($_SERVER['REMOTE_ADDR'] == $_SERVER['SERVER_ADDR']) { ..." for a long time already. ;)



And some additional thing - remember that if you are going through more than one proxy then HTTP_X_FORWARDED_FOR will contain (should contain) more IPs separated by commas (1.2.3.4,5.6.7.8,etc.). If anyone wants/needs to have very precise data then they need to remember this.

But for normal usage, even if HTTP_X_FORWARDED_FOR is faked, it is no big deal.
« Last Edit: April 21, 2009, 12:35:35 AM by Piotr GRD »
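Added example (not code from this thread, from 110mb or from any of the posters): it combines the "REMOTE_ADDR must be our proxy" check from the first post with the comma-separated HTTP_X_FORWARDED_FOR handling Piotr GRD raises above. It assumes the front proxy appends the connecting address to the header, so that a value the client supplied ends up on the left and the address the proxy saw ends up on the right, which is what uberwalla's "my spoofed ip, myrealip" observation shows. The function name resolveClientIp, the $trustedProxies list and the TEST-NET addresses (192.0.2.x, 203.0.113.x) are choices made here, not values from the thread; PHP 7.1 or later is assumed.

```php
<?php
// Added example: not code from this thread. Combines the "REMOTE_ADDR must be
// the proxy" check with right-to-left parsing of a comma-separated
// X-Forwarded-For list. Assumes the front proxy appends the connecting
// address to the header, so client-supplied values end up on the left.
declare(strict_types=1);

/**
 * Best-guess client IP behind a set of trusted proxies.
 *
 * @param string      $remoteAddr     $_SERVER['REMOTE_ADDR']
 * @param string|null $xForwardedFor  $_SERVER['HTTP_X_FORWARDED_FOR'] or null
 * @param string[]    $trustedProxies addresses of proxies we operate (assumed list)
 */
function resolveClientIp(string $remoteAddr, ?string $xForwardedFor, array $trustedProxies): string
{
    // Not coming through our proxy (the "non-www" case): the header is
    // entirely under the sender's control, so only REMOTE_ADDR is believable.
    if (!in_array($remoteAddr, $trustedProxies, true)) {
        return $remoteAddr;
    }
    if ($xForwardedFor === null || trim($xForwardedFor) === '') {
        return $remoteAddr;
    }

    $hops = array_map('trim', explode(',', $xForwardedFor));

    // The rightmost entry was appended by the proxy closest to us; walk left,
    // skipping our own proxies, and stop at the first outside address.
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (in_array($hop, $trustedProxies, true)) {
            continue;
        }
        // Reject non-addresses ("This is a fake ip") and loopback/reserved
        // values such as 127.0.0.1. Nothing to the left of this point was
        // added by a proxy we trust, so give up and report the proxy itself.
        if (filter_var($hop, FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE) === false) {
            break;
        }
        return $hop;
    }
    return $remoteAddr;
}

// Constructed demo values (TEST-NET ranges, not real visitors or 110mb boxes).
$trusted = ['192.0.2.10'];   // in live code: [$_SERVER['SERVER_ADDR']]

$cases = [
    // [REMOTE_ADDR, HTTP_X_FORWARDED_FOR, address we want reported]
    ['192.0.2.10',  '203.0.113.7',            '203.0.113.7'], // via proxy, header set by proxy
    ['192.0.2.10',  '127.0.0.1, 203.0.113.7', '203.0.113.7'], // via proxy, client tried to spoof
    ['203.0.113.7', '127.0.0.1',              '203.0.113.7'], // direct connection, header ignored
    ['192.0.2.10',  'This is a fake ip',      '192.0.2.10'],  // garbage header, fall back to proxy
];
foreach ($cases as [$remote, $xff, $expected]) {
    $got = resolveClientIp($remote, $xff, $trusted);
    printf("%-12s %-26s -> %-12s %s\n", $remote, $xff, $got, $got === $expected ? 'ok' : 'MISMATCH');
}
```

In a page handler this would be called as resolveClientIp($_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_X_FORWARDED_FOR'] ?? null, [$_SERVER['SERVER_ADDR']]). If the proxy replaces the header instead of appending to it, the single value it sets is still the rightmost one, so the same walk returns it; the one thing the function cannot do, as 1337squad and inportb note above, is see past an outside proxy that chooses not to pass the original address on.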

ESI Portal
« Reply #13 on: July 16, 2008, 02:09:27 AM »

If I use SOCKS 4 or SOCKS 5, what happens? Can your code detect my real IP address?

Note: I don't like proxies
inp o҉rtb
« Reply #14 on: July 16, 2008, 02:54:11 AM »

Quote from Piotr GRD:
I don't even know how to set that kind of variable by myself while connecting anywhere. :)
But I guess that lots of people know.

That's an HTTP request header. If you telnet to an HTTP server, you can set it manually and see what happens. I'm guessing there are tools out there that let you set request headers manually... like a Firefox extension.

Quote from Piotr GRD:
And some additional thing - remember that if you are going through more than one proxy then HTTP_X_FORWARDED_FOR will contain (should contain) more IPs separated by commas (1.2.3.4,5.6.7.8,etc.). If anyone wants/needs to have very precise data then they need to remember this.

Hm, that's a good point.