
A private IP address is shown in my analytics, including URLs that I do not have on my site. What's going on?

Hello everyone,

So I am quite concerned about this, to be honest.

I've been asking friends and posted on Twitter, but it looks like no one can tell me exactly what this is, and because I am thick, I need to find out why this is happening.

I am trying to find out what this can be caused by, so feel free to see the open analytics.

https://stats.andreuzza.com/share/Ohpb1Fts/Colors %26 fonts

Site: colorsandfonts.com

So let me explain: a couple of days ago, I was looking at the analytics for my side project, because it is popular and I was interested...

Then I saw this IP

172.16.1.19

and the IP has these URLs attached.

172.16.1.12/admin
172.16.1.19
172.16.1.12/dashboard
172.16.1.12/login
172.16.1.12
172.16.1.12/register
172.16.1.12/admin/admin/add_vaccination_details
172.16.1.12/forgot-password
172.16.1.12/admin/users
http://172.16.1.12/edit_vaccination_details/983?_token=4THJVII8ioTSeiXvU6jciRs4AzAmP1oXkaPtqtd6&id=983

http://172.16.1.12/admin/users?_token=DevuVoY4h0lzqYruLLtWx5i4gZt1ltoSuRAvxpmi&search_text=srirama&department_id=

http://172.16.1.12/admin/edit_vaccination_details/1150

http://172.16.1.12/admin/edit_vaccination_details/996
http://baidu.com/

http://172.16.1.12/admin/edit_vaccination_details/1308

http://172.16.1.12/admin/edit_vaccination_details/884

http://172.16.1.12/edit_vaccination_details/1338?_token=MwS8QfwLSRYb75Owg0mGT1oSj1empqtwN9kOskgJ&id=1338

http://172.16.1.12/admin/edit_vaccination_details/818

http://172.16.1.12/admin/edit_vaccination_details/885

http://172.16.1.12/admin/edit_vaccination_details/948

http://172.16.1.12/admin?_token=ypKecsc2ECQslfjQhzv68bsBcvmu0SPxN7td1DET&search_text=&department_id=1

http://172.16.1.12/edit_vaccination_details/922?_token=UsHuQhR5cRSkbZBUtdpU0MQmHswgHykmb9sdtKmM&id=922

Then this was also a referral.

http://vs.cftri.com/forgot-password

cftri is something in India

http://www.cftri.com/

and this matches with the URLs.

Then I happened to see the raw version and it was linking to this:
https://toolkit.addy.codes/

Any clue would be deeply appreciated.

Thank you in advance,

/Mike

Posted to All Things Analytics on July 8, 2021
  1. 3

    That's very strange... I'm thinking it may be more on your web hosting side since 172.16.x.x is private and not routable over the internet.

    My guess is "vs" in the vs.cftri.com stands for vaccine scheduler, and someone is/was trying to put up a new website to do vaccine scheduling in India and maybe they were using the same hosting provider as you and something went wrong in the host config so it sent the requests to you.

    I think it'd be worth reaching out to your web hosting support and explain the situation and see if they have any ideas.

    1. 1

      Ahh well, that's Netlify.

      I could absolutely do it, why not.

  2. 1

    Where is your app deployed? Oh, never mind, I saw now in a comment that it's Netlify. My guess is some internal routing misconfiguration, since that's an internal IP...

    1. 2

      Yeah, I'll be asking there today. Thank you Bruno!

  3. 1

    Another option would be that the users accessing your website are behind a proxy which requires authentication for Internet access. After the user has authenticated against the proxy, a 301 will be sent from the proxy containing the original requested URI:

    • User asks for your.website/register
    • HTTP(S) Proxy intercepts at 172.16.1.12 (MITM incoming...)
    • Proxy forwards internally to 172.16.1.12/register which is used as HTTP Referrer by the user's browser
    • User authenticates against proxy at 172.16.1.12
    • User's browser receives a 301 from the proxy and is redirected to your app.
    • Analytics app extracts HTTP Referrer

    I've seen something like this in the past, but not sure if this also happens in your case.

    1. 1

      Is this also possible when my site has no registration?

      1. 2

        Generally, some organizations have internet access only through firewalls; in that case you may see all the company traffic as a single IP.

        1. 1

          So you mean like an intranet?

  4. 1

    I don't know exactly what your stats are tracking (just pages, or pages and assets like images), but what it looks like to me is that someone cloned your website onto a private network, and it is either linking to your actual site (they didn't edit all the links), or trying to load assets from your website (they didn't change the image src).

    1. 1

      Well, my first thought was that they copied all the site and tracking script..

      This is the site.

      Colorsandfonts.com

      no images whatsoever...

      1. 1

        There's the favicon, and the opengraph image being served from that domain.

        I'm guessing your stats service can't show you requests filtered by referrer? That would tell you exactly what's being requested.

        And/or if you somehow have access to the raw request logs, that would tell you what you need as well.

        Does the stats service have prevention in place so people can't copy your stats website-id and feed requests in?

        1. 1

          You can see the raw version, but it is not saying much other than that weird UTM,

          which happens to be where my site is featured...

        2. 1

          Mmmm, I am not quite sure if Umami.is can do that. I could have a look.
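
The checks suggested in the thread (filter events by referrer, and tell apart events sent from pages that are not the real site) can be run over exported events as below. This is an added example, not code from the thread or from Umami; the event field names (`hostname`, `url`, `referrer`), the `www.` variant in the allowlist and the sample events are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Assumption: hostnames the tracking script is legitimately served on.
SITE_HOSTS = {"colorsandfonts.com", "www.colorsandfonts.com"}

def host_of(value):
    """Host part of a URL or bare 'host/path' string; None if absent or unparsable."""
    if not value:
        return None
    try:
        return urlsplit(value if "://" in value else "//" + value).hostname
    except ValueError:
        return None

def is_private_host(host):
    """True for IP literals in non-public ranges (RFC 1918, loopback, link-local)."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:  # a DNS name, not an IP literal
        return False

def classify(event):
    """Label one analytics event by where the tracker ran and where the visit came from."""
    page_host = host_of(event.get("hostname"))
    ref_host = host_of(event.get("referrer"))
    if page_host not in SITE_HOSTS:
        # The tracker fired on a page that is not the real site (or sent no hostname).
        if page_host and is_private_host(page_host):
            return "foreign-private-host"
        return "foreign-host"
    if ref_host and is_private_host(ref_host):
        return "private-referrer"
    return "ok"

# Constructed sample events; hosts and paths reuse values quoted in the post.
EVENTS = [
    {"hostname": "172.16.1.12", "url": "/admin/users", "referrer": ""},
    {"hostname": "vs.cftri.com", "url": "/forgot-password", "referrer": ""},
    {"hostname": "colorsandfonts.com", "url": "/", "referrer": "http://172.16.1.12/login"},
    {"hostname": "colorsandfonts.com", "url": "/", "referrer": "http://baidu.com/"},
]

def summarize(events):
    """Count events per label so foreign-host traffic stands out."""
    return Counter(classify(e) for e in events)

if __name__ == "__main__":
    for label, count in summarize(EVENTS).items():
        print(f"{label}: {count}")
```

Events labelled `foreign-host` or `foreign-private-host` mean the tracking snippet, with this site's website ID, is running on someone else's pages; dropping events whose hostname is not in the allowlist keeps them out of the stats.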
