Has IP address been hacked on host node or in network?

rchurch Member
edited September 2012 in General

I have been allocated this IP Address on my VPS. xx.xx.xx.xx

If I do http://xx.xx.xx.xx I get a page saying Knights Online Ranking and some links to http://199.19.108.86 and some other pages there. Now if I log into the SolusVM console I can see my server, but I can't ping out. Not only that, when I try to connect via SSH I get a warning that the host key has changed. Obviously the IP address is mapped to another container. What could be happening?

Has the host node been compromised or is some faulty network equipment mapping it to another container?

This is the second time it happened. The first time it went away after I rebooted.

Comments

  • Probably ideal to remove that IP address from the public eye.

  • It is over an hour now and you are still not replied back to me yet, but you are still lurking around LET?

  • Or somehow solusvm got confused and assigned the same IP to two customers. Or someone is trying to play tricks and steal IPs. In all cases, take this to the provider, there is nothing you can do yourself.

  • This is the second time and why that IP in particular, and why hasn't the other customer complained when my IP was active?

  • You don't know if the other customer hasn't complained. Or if he has any idea that there is a problem, either.

  • rchurch Member
    edited September 2012

    I am disappointed with you Jacob. I created a ticket before 4am this morning and messaged you here, being a reasonable guy I decided to wait till morning for a response.

    I am certain if I reboot the node, the IP will be restored. This is the second time it has happened and because of that I have postponed working on the server, avoided rebooting the server to give you a chance to investigate it, yet still nothing seems to be done. The ticket I placed in WHMCS has not been replied to and you could have checked the IP there without requiring me to ask.

    If you go to http://46.37.174.60 you will see a page saying Knights Online Ranking going date from April 2012.

    I am also certain that it is a hack because that page appears at lots of places on the net.

    You were the first to reply to this thread seeing as it was your IP there, and I edited it out to save your blushes. Are you paying attention to your business? Is this a business or a part time hobby?

    If it is some kind of hobby say so and I won't waste my time further.

  • I'm working, I will reply when back home.

  • rchurch Member
    edited September 2012

    @Jacob In these days of iPhones, Samsung Notes etc and remote desktops and ssh, shouldn't you be able to check from any place for your own peace of mind and your customers?

    @Jake The 199.19.108.86 is an IP in one of the links on the page. The page itself is on the IP address.

  • I'm not acquainted with the workings of SolusVM, but I know that attempting to connect via SSH resulted in a host key error.

  • This is the result of an earlier trace to the IP - what can be gleaned from it?

    traceroute to (46.37.174.60), 30 hops max, 60 byte packets

    1 192.168.1.1 (192.168.1.1) 1.193 ms 1.800 ms 2.418 ms
    2 host-2-96-32-1.as13285.net (2.96.32.1) 29.962 ms 32.058 ms 32.890 ms
    3 host-78-151-230-9.as13285.net (78.151.230.9) 35.887 ms 36.562 ms 37.379 ms
    4 host-78-151-230-20.as13285.net (78.151.230.20) 40.341 ms 78.151.230.0 (78.151.230.0) 40.869 ms host-78-151-230-16.as13285.net (78.151.230.16) 41.470 ms
    5 host-78-144-1-40.as13285.net (78.144.1.40) 42.227 ms host-78-144-1-14.as13285.net (78.144.1.14) 63.419 ms host-78-144-1-42.as13285.net (78.144.1.42) 44.486 ms
    6 xe-9-1-0-scr001.thn.as13285.net (78.144.0.238) 45.087 ms xe-9-0-0-scr001.log.as13285.net (78.144.0.251) 32.987 ms host-78-144-0-197.as13285.net (78.144.0.197) 32.411 ms
    7 highwinds-pp-thn.as13285.net (78.144.3.42) 33.182 ms 34.476 ms 34.858 ms
    8 highwinds-pp-thn.as13285.net (78.144.3.42) 35.813 ms 37.522 ms 37.898 ms
    9 xe1-01.gwy01.mnuk01.hostnoc.eu (178.238.128.1) 46.309 ms 46.909 ms 47.722 ms
    10 xe1-01.gwy01.mnuk01.hostnoc.eu (178.238.128.1) 49.116 ms vl0203.1b0107.mnuk01.hostnoc.eu (178.238.128.10) 50.638 ms xe1-01.gwy01.mnuk01.hostnoc.eu (178.238.128.1) 51.095 ms
    11 vl0203.1b0107.mnuk01.hostnoc.eu (178.238.128.10) 52.188 ms 41.131 ms 41.893 ms
    12 31.193.6.26 (31.193.6.26) 41.681 ms 42.211 ms 42.694 ms
    13 46-37-174-60.static.hostnoc.net (46.37.174.60) 43.403 ms 44.958 ms 45.820 ms

  • Update: For some minutes the node was restored, website was responding fine.

    As of now: WHMCS is down, the IP is down, and all my VPSs on the node are also down.

    I give up

  • @rchurch said: As of now: WHMCS is down, the IP is down, and all my VPSs on the node are also down.

    I am guessing they're getting attacked again? Probably shouldn't have posted the full IP.

  • @Victor Why should they be attacked again? Are there some enemies of Jacob monitoring LET for threads concerning him? Why is the control panel still available?

    PS. It is restored now

  • @Jack Same node

  • joepie91 Member, Patron Provider

    If the IP starts working for you after you reboot, then I suspect that the owner of the other container the IP was assigned to has figured out the same thing.

  • @joepie91 My understanding of OVZ is that the file system on all nodes is available to the server administrator at all times. Shouldn't a grep of /etc/network/interfaces and the equivalent in the other distributions to see which VMs are conflicting pinpoint the issue? Can't such a script be run across all his host nodes?

    Can't conflicting IPs be checked in the SolusVM or Proxmox or whatever database?

  • joepie91 Member, Patron Provider

    @rchurch said: @joepie91 My understanding of OVZ is that the file system on all nodes is available to the server administrator at all times. Shouldn't a grep of /etc/network/interfaces and the equivalent in the other distributions to see which VMs are conflicting pinpoint the issue? Can't such a script be run across all his host nodes?

    Can't conflicting IPs be checked in the SolusVM or Proxmox or whatever database?

    I'm not saying that is not a possibility - I'm just saying that most likely nothing was 'hacked'.

  • Jacob Member
    edited September 2012

    Back home. Slight packet loss was occurring (fixed); I couldn't do anything since I was working.

    I will go through the tickets now. And yeah, posting the IP is not ideal; after all, if your IP does get attacked it will just be nullrouted.

  • One node is affected, Rest are up. Engineers @ DC are applying the nullroutes.

    @rchurch said: It is restored now

  • AlexBarakov Patron Provider, Veteran

    I didn't read the whole thread, however I had a huge problem like this - SolusVM assigning already in use IPs - a couple of months ago. If this was what the thread was about, I am sure it was not Jacob's fault.

  • SolusVM or not the issue should have been dealt with quicker.

    1. This is the second time it happened. The first time it went away after I rebooted.

    2. For the week or so that it has been running, why didn't the owner of the conflicting VM complain? If he was a genuine customer he would or should have informed Jacob about it.

    3. The first time the serial console was not working so I couldn't log into it. This time I could and the VM was fine, but I couldn't ping out. I was able to log on to the console from itself via SSH and there were no host key errors as when I connected from outside.

    4. I left it running to give Jacob a chance to investigate. Is there no way SolusVM can tell which node is using a particular IP address as well as VM? Aren't there scripts to do that?

    If it is so hard to pinpoint the problem, I'd rather have a new IP than be troubled again, and so would the other customer.

    PS. I have two other VMs on the same node and they were all fine.

  • Ok, @rchurch, I removed your IPv6, rebooted the container, and I see a webpage containing "Moksha in this lifetime or die trying".

  • That is the correct page.
    What was there before? Was the IPv6 an issue?

  • joepie91 Member, Patron Provider

    @rchurch said: This is the second time it happened. The first time it went away after I rebooted.

    You should have probably submitted a ticket instead.

    For the week or so that it has been running, why didn't the owner of the conflicting VM complain? If he was a genuine customer he would or should have informed Jacob about it.

    Probably for the same reason you didn't complain when it happened before - it went away after you rebooted and you thought no more about it.

    The first time the serial console was not working so I couldn't log into it. This time I could and the VM was fine, but I couldn't ping out. I was able to log on to the console from itself via SSH and there were no host key errors as when I connected from outside.

    Having the same IP assigned to two VPSes will cause very unpredictable behaviour - it may work one second and stop working the next.

    I left it running to give Jacob a chance to investigate. Is there no way SolusVM can tell which node is using a particular IP address as well as VM? Aren't there scripts to do that?

    I have no first-hand experience with SolusVM from a hosting company point of view, but judging from what I know about SolusVM, it probably has no proper functionality for that - as evidenced by the fact it assigned the same IP to two VPSes in the first place.

    If it is so hard to pinpoint the problem, I'd rather have a new IP than be troubled again, and so would the other customer.

    The problem is not with the IP from what I can see (just judging from the info in this thread, and personal experience). The problem is probably with a bug in SolusVM - an occurrence that is not uncommon for SolusVM in particular.

  • rchurch Member
    edited September 2012

    @joepie91 Read my 4th entry on this topic. The first time he had no chance to investigate it because the IP was restored after I rebooted the VM. I also created a ticket, but there was no evidence then. He could have taken me at my word and inspected all the VMs to see which one was the culprit. I am sure a simple script could scan all the VMs to look for conflicting entries.

    This time I did not reboot to give him the chance to locate the culprit VM and he hasn't confirmed whether he has done so or not. If the root cause has not been fixed what is to stop it from happening again?

    PS. As SolusVM is database driven, shouldn't it be a matter of checking for a duplication of an IP address, like select ipaddress, count(ipaddress) from whatever tables are in use? If the IP is set by copying it into /etc/network/interfaces etc., shouldn't a search across all the disk images show it?
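    A worked version of the two checks rchurch describes above (scanning each container's network config for the same address, and a GROUP BY query against a panel-style allocation table). This is an added example, not code from this thread or from SolusVM; the container IDs, the 192.0.2.x addresses and the table name are constructed.

    ```python
    """Find an IPv4 address that more than one container has been given."""
    import re
    import sqlite3
    from collections import defaultdict

    # Constructed sample: the guest network config each container would carry
    # under its private root on an OpenVZ host node (hypothetical CT IDs).
    CONTAINER_CONFIGS = {
        "101": ("/etc/network/interfaces",
                "auto venet0:0\niface venet0:0 inet static\n"
                "    address 192.0.2.60\n    netmask 255.255.255.255\n"),
        "102": ("/etc/sysconfig/network-scripts/ifcfg-venet0:0",
                "DEVICE=venet0:0\nIPADDR=192.0.2.61\nNETMASK=255.255.255.255\n"),
        "103": ("/etc/sysconfig/network-scripts/ifcfg-venet0:0",
                "DEVICE=venet0:0\nIPADDR=192.0.2.60\nNETMASK=255.255.255.255\n"),
    }

    # Debian "address a.b.c.d" lines and RHEL "IPADDR=a.b.c.d" (or IPADDR2=) lines.
    ADDR_RE = re.compile(
        r"^\s*(?:address\s+|IPADDR\d*=)[\"']?(\d{1,3}(?:\.\d{1,3}){3})", re.M)

    def ips_in_config(text):
        """Return the set of IPv4 addresses a guest network config assigns."""
        return set(ADDR_RE.findall(text))

    def find_conflicts(configs):
        """Map each IP configured in more than one container to its sorted CT IDs."""
        owners = defaultdict(set)
        for ctid, (_path, text) in configs.items():
            for ip in ips_in_config(text):
                owners[ip].add(ctid)
        return {ip: sorted(cts) for ip, cts in owners.items() if len(cts) > 1}

    def duplicate_ips_in_panel(rows):
        """Same check on panel data: rows are (ctid, ipaddress) as an allocation
        table would hold them; returns [(ipaddress, count)] for duplicates."""
        db = sqlite3.connect(":memory:")
        db.execute("CREATE TABLE ipaddresses (ctid TEXT, ipaddress TEXT)")
        db.executemany("INSERT INTO ipaddresses VALUES (?, ?)", rows)
        dup = db.execute(
            "SELECT ipaddress, COUNT(*) FROM ipaddresses "
            "GROUP BY ipaddress HAVING COUNT(*) > 1 ORDER BY ipaddress").fetchall()
        db.close()
        return dup

    if __name__ == "__main__":
        for ip, cts in find_conflicts(CONTAINER_CONFIGS).items():
            print(f"{ip} is configured in containers {', '.join(cts)}")
        print(duplicate_ips_in_panel([("101", "192.0.2.60"), ("103", "192.0.2.60")]))
    ```

    The config scan only sees containers whose private roots live on the node it runs on; the panel-side query is the part that still works when containers are spread over a master/slave setup.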

  • joepie91 Member, Patron Provider

    @rchurch said: @joepie91 Read my 4th entry on this topic. The first time he had no chance to investigate it because the IP was restored after I rebooted the VM. I also created a ticket, but there was no evidence then. He could have taken me at my word and inspected all the VMs to see which one was the culprit. I am sure a simple script could scan all the VMs to look for conflicting entries.

    How is he supposed to have an idea where to start looking if the situation isn't there for him to investigate anymore? There's a million things that he "could" have checked, and all but one would come back with zero results.

    @rchurch said: This time I did not reboot to give him the chance to locate the culprit VM and he hasn't confirmed whether he has done so or not. If the root cause has not been fixed what is to stop it from happening again?

    Has he responded to your ticket, and if yes, what was his response?

    @rchurch said: PS. As SolusVM is database driven, shouldn't it be a matter of checking for a duplication of an IP address, like select ipaddress, count(ipaddress) from whatever tables are in use?

    I have no idea what the database structure for SolusVM looks like, but it's not necessarily that easy.

    @rchurch said: If the IP is set by copying it into /etc/network/interfaces etc., shouldn't a search across all the disk images show it?

    That doesn't really help if you have a master-slave setup.

  • There were no duplicate IPs, just something that bugged up.

  • Gotta love it when people think LET is a hosting company's help desk.

  • @LegendLink, this was not @rchurch's fault but mostly mine. I should have responded quicker and seen what the problem was the first time this happened.
