Weird simultaneous connection to all of our LFS servers
(30 posts, started )
I noticed this on the console (and in the logfiles as well) on all of our LFS servers tonight:

Aug 13 18:17:39 Accept : 78.128.112.22
Aug 13 18:17:39 Received 47 : 78.128.112.22
Aug 13 18:17:39 Unknown protocol : 78.128.112.22
Aug 13 18:17:39 Unknown protocol : 78.128.112.22

All servers have been contacted at the exact same time.
The IP address traces back to Bulgaria, but that doesn't mean too much these days.
Anyone else had this today and if so (or not), is it something I should be worried about?
Nothing special on my servers, as far as I can see.

Looks like someone is scanning the servers or something. Or trying to connect from a faulty/cracked master server list / LFS.exe. Shrug

Did you receive any other messages from that IP?

Hope the devs can tell you/us more about those messages.
Quote from Bass-Driver :Did you receive any other messages from that IP?

Not since I restarted our VPS yesterday evening, which cleared the logfiles.
I will keep an eye on it and maybe someone else is able to tell me more about this.
#5 - lucaf
On Sunday at least several Finnish government servers were under DoS attack (it was in the news). Who knows what was going on. Maybe it was some celebration day for DDoSers, they just DoSed everywhere for fun?
Ooh, you posted their IP.

Evil thoughts intensifies

Jk
I had the same unknown protocol when I had some servers open. I also think the IP is the same, but that started since the test patches and the new version. (Something to do with the master server?!?)
#8 - Racon
I have some of that in my server logs. Same IP too, but not always. I thought it was people with previous incompatible versions of LFS trying to connect.
I can see the same messages, from two IP addresses.

179.60.146.20
78.128.112.22 (as mentioned above)

I don't know what it is or what someone is trying to do. It doesn't seem to be the size of a known packet for initial connection attempts. I don't feel it's much to worry about at this point.
@Scawen
I don't know if the following is related or relevant, but in redacted a popular server (check edit logs to read thanks), the server was able to be crashed and subsequently poached if a user attempts to connect from the same account from two separate PCs or separate IPs at the same time.

It happened pre-update and I think it's fixed now and doesn't happen, but this unknown IP thing seems to gel really well with this theory.

Happens real quick too, two same usernames connected appear in the chat and then server instantly crashes. Hm.


Hope it's not someone trying to nick servers, lol.
1.


Apparently from Russia:

IP Address: 179.60.146.20
Reverse DNS: 20.146.60.179.in-addr.arpa
Hostname: hostby.startupgo.co.uk
Nameservers:

ns1.startupgo.co.uk >> 78.46.129.60

ns2.startupgo.co.uk >> 78.46.129.60

Lookup IP Address Location For IP: 179.60.146.20
Continent: Europe (EU)
Country: Russian Federation IP Location Find In Russian Federation (RU)
Capital: Moscow
State: Moscow City
City Location: Moscow
Postal: 129344
ISP: MSTN CJSC
Organization: MSTN CJSC
AS Number: AS42237 Icme Limited

Time Zone: Europe/Moscow
Local Time: 15:01:15
Timezone GMT offset: 10800
Sunrise / Sunset: 05:06 / 20:00
Extra IP Lookup Finder Info for IP Address: 179.60.146.20
Continent Lat/Lon: 48.69083 / 9.1405
Country Lat/Lon: 60 / 47
City Lat/Lon: (55.7522) / (37.6156)
IP Language: Russian
IP Address Speed: Unknown Internet Speed
IP Currency: Ruble (RUB)
IDD Code: +7


Second one seems to be from Bulgaria:


IP Address: 78.128.112.22
Reverse DNS: 22.112.128.78.in-addr.arpa
Hostname: ip-112-22.4vendeta.com
Nameservers:

ns.fibernet.bg >> 195.230.25.175

ns1.fibernet.bg >> 195.230.24.14

Lookup IP Address Location For IP: 78.128.112.22
Continent: Europe (EU)
Country: Bulgaria IP Location Find In Bulgaria (BG)
Capital: Sofia
State: Unknown
City Location: Unknown
ISP: Lir.bg EOOD
Organization: TSTGROUP Engineering Group EOOD
AS Number: Unknown

Time Zone: Europe/Sofia
Local Time: 15:03:21
Timezone GMT offset: 10800
Sunrise / Sunset: 06:35 / 20:25
Extra IP Lookup Finder Info for IP Address: 78.128.112.22
Continent Lat/Lon: 48.69083 / 9.1405
Country Lat/Lon: 43 / 25
City Lat/Lon: (42.7) / (23.3333)
IP Language: Bulgarian
IP Address Speed: Unknown Internet Speed
IP Currency: Lev3 (BGN)
IDD Code: +359



EDIT: took the search further towards the first one, which then seems to be originating from Germany although it's got a UK address:

Domain: Ns1.startupgo.co.uk
IP Address: 78.46.129.60
Reverse DNS: 60.129.46.78.in-addr.arpa
Hostname: admin.startupgo.co.uk
Nameservers:

ns2.startupgo.co.uk >> 78.46.129.60

ns1.startupgo.co.uk >> 78.46.129.60

Lookup IP Address Location For IP: Ns1.startupgo.co.uk
Continent: Europe (EU)
Country: Germany IP Location Find In Germany (DE)
Capital: Berlin
State: Unknown
City Location: Unknown
ISP: Hetzner Online GmbH
Organization: Hetzner Online GmbH
AS Number: AS24940 Hetzner Online GmbH

Time Zone: Europe/Berlin
Local Time: 14:08:09
Timezone GMT offset: 7200
Sunrise / Sunset: 06:12 / 20:39
Extra IP Lookup Finder Info for IP Address: Ns1.startupgo.co.uk
Continent Lat/Lon: 48.69083 / 9.1405
Country Lat/Lon: 51.5 / 10.5
City Lat/Lon: (51.2993) / (9.491)
IP Language: German
IP Address Speed: Corporate Internet Speed
IP Currency: Euro(€) (EUR)
IDD Code: +49


EDIT2: the Bulgarian IP seems to stick with itself, so I suggest it may have come from the first one, as this seems more likely than someone using their own or the same country for trying to "do something". I would think the first IP is what needs our attention as it shifts country.

Domain: Ns.fibernet.bg
IP Address: 195.230.25.175
Reverse DNS: 175.25.230.195.in-addr.arpa
Hostname: ip-25-175.4vendeta.com
Nameservers:

ns1.fibernet.bg >> 195.230.24.14

ns.fibernet.bg >> 195.230.25.175

Lookup IP Address Location For IP: Ns.fibernet.bg
Continent: Europe (EU)
Country: Bulgaria IP Location Find In Bulgaria (BG)
Capital: Sofia
State: Pleven
City Location: Pleven
Postal: 5800
ISP: TEA Ltd.
Organization: TEA Ltd.
AS Number: AS50360 Tamatiya EOOD

Time Zone: Europe/Sofia
Local Time: 15:10:59
Timezone GMT offset: 10800
Sunrise / Sunset: 06:29 / 20:21
Extra IP Lookup Finder Info for IP Address: Ns.fibernet.bg
Continent Lat/Lon: 48.69083 / 9.1405
Country Lat/Lon: 43 / 25
City Lat/Lon: (43.4167) / (24.6167)
IP Language: Bulgarian
IP Address Speed: Unknown Internet Speed
IP Currency: Lev3 (BGN)
IDD Code: +359

EDIT3: I post this in the hope some of you tech guys can get more information out of this than I can. NOTE: IP tracing is legal in my country, supported by the police.
Our servers have been 'visited' three times again today:

Aug 18 08:39:34 Accept : 77.72.83.99
Aug 18 08:39:34 Received 47 : 77.72.83.99
Aug 18 08:39:34 Unknown protocol : 77.72.83.99
Aug 18 08:39:34 Unknown protocol : 77.72.83.99

Aug 18 09:28:06 Accept : 77.72.83.99
Aug 18 09:28:06 Received 47 : 77.72.83.99
Aug 18 09:28:06 Unknown protocol : 77.72.83.99
Aug 18 09:28:06 Unknown protocol : 77.72.83.99

Aug 18 11:25:23 Accept : 5.8.18.70
Aug 18 11:25:23 Received 47 : 5.8.18.70
Aug 18 11:25:23 Unknown protocol : 5.8.18.70
Aug 18 11:25:23 Unknown protocol : 5.8.18.70
I just wonder, could it be someone with a different version of LFS who tries to connect?

Edit: When I click on older servers LFS tells me (Host has different game code). But I don't know how it would show in the logs.
Perhaps in the backyard?

IP Address: 77.72.83.99
Reverse DNS: ** server can't find 99.83.72.77.in-addr.arpa: SERVFAIL
Hostname: 77.72.83.99
Lookup IP Address Location For IP: 77.72.83.99
Continent: Europe (EU)
Country: United Kingdom IP Location Find In United Kingdom (GB)
Capital: London
State: Wolverhampton
City Location: Wolverhampton
Postal: WV3
ISP: NetUP Ltd.
Organization: NetUP Ltd.
AS Number: AS29073 Quasi Networks LTD.

Time Zone: Europe/London
Local Time: 15:38:20
Timezone GMT offset: 3600
Sunrise / Sunset: 05:57 / 20:27
Extra IP Lookup Finder Info for IP Address: 77.72.83.99
Continent Lat/Lon: 48.69083 / 9.1405
Country Lat/Lon: 54 / -4.5
City Lat/Lon: (52.5833) / (-2.1333)
IP Language: English, Irish, Ulster Scots, Scottish Gaelic , Scots, Welsh, Cornish
IP Address Speed: Unknown Internet Speed
IP Currency: Pound sterling (GBP)
IDD Code: +44


EDIT:
Blacklist checked it with these results :

IP Address: 77.72.83.99
Hostname: 77.72.83.99
IP Location: Wolverhampton Wolverhampton - United Kingdom (GB)
ISP: NetUP Ltd.
Organization: NetUP Ltd.
IP Blacklist Check: Blacklist Status: Not Blacklisted

EDIT2:
aaaand touchdown in Russia, lol.

IP Address: 5.8.18.70
Reverse DNS: ** server can't find 70.18.8.5.in-addr.arpa: SERVFAIL
Hostname: 5.8.18.70
Lookup IP Address Location For IP: 5.8.18.70
Continent: Europe (EU)
Country: Russian Federation IP Location Find In Russian Federation (RU)
Capital: Moscow
State: Saint Petersburg City
City Location: Saint Petersburg
Postal: 190981
ISP: Petersburg Internet Network ltd.
Organization: CloudBS Ltd.
AS Number: AS29073 Quasi Networks LTD.

Time Zone: Europe/Moscow
Local Time: 17:42:50
Timezone GMT offset: 10800
Sunrise / Sunset: 05:22 / 20:42
Extra IP Lookup Finder Info for IP Address: 5.8.18.70
Continent Lat/Lon: 48.69083 / 9.1405
Country Lat/Lon: 60 / 47
City Lat/Lon: (59.8944) / (30.2642)
IP Language: Russian
IP Address Speed: Unknown Internet Speed
IP Currency: Ruble (RUB)
IDD Code: +7

Blacklist check:
IP Address: 5.8.18.70
Hostname: 5.8.18.70
IP Location: Saint Petersburg Saint Petersburg City - Russian Federation (RU)
ISP: Petersburg Internet Network ltd.
Organization: CloudBS Ltd.
IP Blacklist Check: Blacklist Status: Not Blacklisted
Another 'visit' last night, only on one server this time:

Aug 21 20:36:10 Accept : 193.238.46.22
Aug 21 20:36:10 Received 43 : 193.238.46.22
Aug 21 20:36:10 Unknown protocol : 193.238.46.22
Aug 21 20:36:10 Unknown protocol : 193.238.46.22
It seems like you can start to think Russia!

Well, that's how it seems anyways.

IP Address: 193.238.46.22
Reverse DNS: ** server can't find 22.46.238.193.in-addr.arpa: SERVFAIL
Hostname: 193.238.46.22
Lookup IP Address Location For IP: 193.238.46.22
Continent: Europe (EU)
Country: Russian Federation IP Location Find In Russian Federation (RU)
Capital: Moscow
State: Unknown
City Location: Unknown
ISP: Unknown
Organization: Unknown
AS Number: Unknown

Time Zone: Europe/Moscow
Local Time: 04:25:06
Timezone GMT offset: 7200
Sunrise / Sunset: 04:18 / 18:45
Extra IP Lookup Finder Info for IP Address: 193.238.46.22
Continent Lat/Lon: 48.69083 / 9.1405
Country Lat/Lon: 60 / 47
City Lat/Lon: (55.7386) / (37.6068)
IP Language: Russian
IP Address Speed: Unknown Internet Speed
IP Currency: Ruble (RUB)
IDD Code: +7

Blacklist check:
IP Address: 193.238.46.22
Hostname: 193.238.46.22
IP Location: - Russian Federation (RU)
ISP: Unknown
Organization: Unknown
IP Blacklist Check: Blacklist Status: Not Blacklisted



It's coming from somewhere in this area around Moscow:

Perhaps Putin got tired of ambassador vehicles and wants something with a little more kick to it???


EDIT: reverse DNS that couldn't be found in line 3:

IP Address: 22.46.238.193
Reverse DNS: ** server can't find 193.238.46.22.in-addr.arpa: SERVFAIL
Hostname: 22.46.238.193
Lookup IP Address Location For IP: 22.46.238.193
Continent: North America (NA)
Country: United States IP Location Find In United States (US)
Capital: Washington
State: Unknown
City Location: Unknown
ISP: DoD Network Information Center
Organization: DoD Network Information Center
AS Number: Unknown

Time Zone: America/North_Dakota/Center
Local Time: 03:35:02
Timezone GMT offset: -18000
Sunrise / Sunset: 06:54 / 20:12
Extra IP Lookup Finder Info for IP Address: 22.46.238.193
Continent Lat/Lon: 46.07305 / -100.546
Country Lat/Lon: 38 / -98
City Lat/Lon: (37.751) / (-97.822)
IP Language: English
IP Address Speed: Corporate Internet Speed
IP Currency: United States dollar($) (USD)
IDD Code: +1


Did DEVS go political or something? Big grin

So it could perhaps be from the USA too. I think it's a hub jumper, maybe scouting LFS servers. But for what purpose? Good or damage?


EDIT2: not sure about it, but I think the North Dakota data center is owned by Facebook, in which case it's highly likely someone has compromised some accounts there. Happens all the time. But as said, I'm not sure if it's owned by Facebook. I vaguely remember something relating that data center to FB. I could be wrong. But if I am not, it could look as if someone is using the Facebook server network to get around from central to central. But again, I could be wrong.

Or it could be a complete diversion as it's a town name apparently and also the actual center of North America. Nice one though, Russia. (They do have a sense of humor, don't they Big grin )
https://www.onlyinyourstate.co ... a/center-of-continent-nd/
Quote from THE WIZARD DK :maybe scouting LFS servers. but for what purpose

They're coming to take away our resident conspiracy theorists - they must've got close to the truth! Hey, I see a black helicopter outside my offi*transmission interrupted*

In all seriousness it's probably like 99.9% of all hacking activity - script kiddies scanning for something they can fiddle with. (And yes, I do see Apaches and/or Chinooks screaming along at treetop level out my window at least one day a week. It's awesome. No Blackhawks though, so far.)
Quote from Racon :They're coming to take away our resident conspiracy theorists - they must've got close to the truth! Hey, I see a black helicopter outside my offi*transmission interrupted*

In all seriousness it's probably like 99.9% of all hacking activity - script kiddies scanning for something they can fiddle with. (And yes, I do see Apaches and/or Chinooks screaming along at treetop level out my window at least one day a week. It's awesome. No Blackhawks though, so far.)

lol. SR-71 is retired. They use invisibility now. Big grin

You need to get updated on these theories Tongue

"did devs REALLY go to E3"

Blackhawk is a helo, SR71 is Blackbird. I think I'd just about explode if I saw a real-life blackbird. Maybe literally if it hadn't warmed up enough to seal the fuel tanks yet, lol Smile
Two new attempts on all of our servers last night:

Aug 24 21:20:59 Received 47 : 5.8.18.70
Aug 24 21:20:59 Unknown protocol : 5.8.18.70
Aug 24 21:20:59 Unknown protocol : 5.8.18.70

Aug 24 22:56:14 Accept : 5.8.18.70
Aug 24 22:56:14 Received 47 : 5.8.18.70
Aug 24 22:56:14 Unknown protocol : 5.8.18.70
Aug 24 22:56:14 Unknown protocol : 5.8.18.70
Yesterday it first happened to my servers, same IP.

Onlineracing S3
Aug 24 10:51:35 Received 47 : 5.8.18.70
Aug 24 10:51:35 Unknown protocol : 5.8.18.70
Aug 24 10:51:35 Unknown protocol : 5.8.18.70
Aug 24 12:51:03 Accept : 5.8.18.70
Aug 24 12:51:03 Received 47 : 5.8.18.70
Aug 24 12:51:03 Unknown protocol : 5.8.18.70
Aug 24 12:51:03 Unknown protocol : 5.8.18.70

Blackwood GTi
Aug 24 10:52:05 Accept : 5.8.18.70
Aug 24 10:52:05 Received 47 : 5.8.18.70
Aug 24 10:52:05 Unknown protocol : 5.8.18.70
Aug 24 10:52:05 Unknown protocol : 5.8.18.70
Aug 24 12:51:34 Accept : 5.8.18.70
Aug 24 12:51:34 Received 47 : 5.8.18.70
Aug 24 12:51:34 Unknown protocol : 5.8.18.70
Aug 24 12:51:34 Unknown protocol : 5.8.18.70

Blackwood FBM
Aug 24 13:42:42 Accept : 5.8.18.70
Aug 24 13:42:42 Received 47 : 5.8.18.70
Aug 24 13:42:42 Unknown protocol : 5.8.18.70
Aug 24 13:42:42 Unknown protocol : 5.8.18.70

Rotate GTi
Aug 24 10:59:14 Accept : 5.8.18.70
Aug 24 10:59:14 Received 47 : 5.8.18.70
Aug 24 10:59:14 Unknown protocol : 5.8.18.70
Aug 24 10:59:14 Unknown protocol : 5.8.18.70
Aug 24 12:58:45 Accept : 5.8.18.70
Aug 24 12:58:45 Received 47 : 5.8.18.70
Aug 24 12:58:45 Unknown protocol : 5.8.18.70
Aug 24 12:58:45 Unknown protocol : 5.8.18.70

Rotate TBO
Aug 24 13:36:11 Accept : 5.8.18.70
Aug 24 13:36:11 Received 47 : 5.8.18.70
Aug 24 13:36:11 Unknown protocol : 5.8.18.70
Aug 24 13:36:11 Unknown protocol : 5.8.18.70


Looks like the servers all stay okay, players don't notice a thing.

But now I also want to know what this is. Tried to connect with a different version of LFS but that doesn't show up in the logs.


Edit: If you just look at the times it looks like someone is putting quite a lot of time into it Wink
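The log excerpts above (one "Received" line followed by "Unknown protocol" from the same IP, hitting several hosts within seconds or minutes of each other) are easy to correlate by hand for one evening, but not across weeks of logs. The script below is an added example, not code from the LFS project or from anyone in this thread. It parses lines in exactly the format quoted here, groups them by source IP, keeps only IPs that produced an "Unknown protocol" line, records the payload sizes the server reported, and checks how many distinct servers an IP reached inside a configurable time window (the OP's "all servers at the exact same time" case). The sample logs are constructed from lines quoted in this thread plus one made-up ordinary client (203.0.113.5) that completed its handshake and must not be flagged; the assumptions that all servers share one clock, that the year is not needed, and that a "probe" is any IP with at least one "Unknown protocol" event are mine, not the page's. The PTR name is only formed, not resolved, so the script runs offline.

```python
"""Correlate "Unknown protocol" hits across several LFS dedicated-server logs.

Added example; not code from the LFS project or from anyone in this thread.
Assumptions not stated on the page: each server log is a list of lines in the
format quoted in the thread ("Aug 24 10:51:35 Accept : 5.8.18.70"), all logs
share one clock, the year is not needed, and a "probe" is any source IP that
produced at least one "Unknown protocol" line.
"""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

# The three line types seen in the thread: Accept, Received <bytes>,
# Unknown protocol. Anything else (chat, joins, ...) is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>Accept|Received (?P<size>\d+)|Unknown protocol) : (?P<ip>[\d.]+)$"
)


def parse_line(line):
    """Return {ts, event, size, ip} for a recognised line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # No year in the log; strptime defaults to 1900, fine for deltas within a month.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {
        "ts": ts,
        "event": m.group("event").split(" ")[0],  # Accept / Received / Unknown
        "size": int(m.group("size")) if m.group("size") else None,
        "ip": m.group("ip"),
    }


def servers_hit_within(events, window_s):
    """events: list of (ts, server). Largest number of distinct servers whose
    events fall inside any window_s-second window. 1 means one server at a
    time; >= 2 means a coordinated sweep like the ones quoted in the thread."""
    events = sorted(events)
    best = 0
    for i, (start, _) in enumerate(events):
        inside = {srv for ts, srv in events[i:] if (ts - start).total_seconds() <= window_s}
        best = max(best, len(inside))
    return best


def profile(logs, window_s=60):
    """logs: {server_name: [log lines]}. Returns {ip: summary} for every IP
    that triggered at least one "Unknown protocol" line on any server."""
    per_ip = defaultdict(list)  # ip -> [(ts, server, event, size)]
    for server, lines in logs.items():
        for line in lines:
            rec = parse_line(line)
            if rec:
                per_ip[rec["ip"]].append((rec["ts"], server, rec["event"], rec["size"]))

    summary = {}
    for ip, recs in per_ip.items():
        unknown = [(ts, srv) for ts, srv, ev, _ in recs if ev == "Unknown"]
        if not unknown:
            continue  # clients that completed the handshake are not probes
        summary[ip] = {
            "servers": sorted({srv for _, srv in unknown}),
            "unknown_events": len(unknown),
            # Size of the first packet each server saw from this IP; compare
            # against what a legitimate client of your LFS version sends.
            "payload_sizes": sorted({sz for _, _, ev, sz in recs if ev == "Received"}),
            "servers_in_window": servers_hit_within(unknown, window_s),
            # Name you would query for a PTR record (formed offline, not resolved).
            "ptr_name": ip_address(ip).reverse_pointer,
        }
    return summary


# Constructed sample: lines quoted in the thread plus one made-up ordinary
# client (203.0.113.5) that completed its handshake and must not be flagged.
SAMPLE_LOGS = {
    "Onlineracing S3": [
        "Aug 13 18:17:39 Accept : 78.128.112.22",
        "Aug 13 18:17:39 Received 47 : 78.128.112.22",
        "Aug 13 18:17:39 Unknown protocol : 78.128.112.22",
        "Aug 13 18:17:39 Unknown protocol : 78.128.112.22",
        "Aug 24 10:51:35 Received 47 : 5.8.18.70",
        "Aug 24 10:51:35 Unknown protocol : 5.8.18.70",
        "Aug 24 10:51:35 Unknown protocol : 5.8.18.70",
        "Aug 24 11:02:10 Accept : 203.0.113.5",
        "Aug 24 11:02:10 Received 12 : 203.0.113.5",
    ],
    "Blackwood GTi": [
        "Aug 13 18:17:39 Accept : 78.128.112.22",
        "Aug 13 18:17:39 Received 47 : 78.128.112.22",
        "Aug 13 18:17:39 Unknown protocol : 78.128.112.22",
        "Aug 24 10:52:05 Accept : 5.8.18.70",
        "Aug 24 10:52:05 Received 47 : 5.8.18.70",
        "Aug 24 10:52:05 Unknown protocol : 5.8.18.70",
    ],
    "Rotate GTi": [
        "Aug 24 10:59:14 Accept : 5.8.18.70",
        "Aug 24 10:59:14 Received 47 : 5.8.18.70",
        "Aug 24 10:59:14 Unknown protocol : 5.8.18.70",
    ],
}

if __name__ == "__main__":
    for ip, info in profile(SAMPLE_LOGS).items():
        flag = "SWEEP" if info["servers_in_window"] >= 2 else "single"
        print(f"{ip:16} {flag:7} servers={info['servers']} "
              f"sizes={info['payload_sizes']} ptr={info['ptr_name']}")
```

With the default 60-second window, 78.128.112.22 is reported as a sweep (two servers at the same second) and 5.8.18.70 reaches two servers within a minute and a third seven minutes later; widening the window to 600 seconds makes the third server count as well. Feed it the real log directories, and it is straightforward to add a threshold to push the IPs that trip it into a firewall deny list.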
A new attempt at one of our servers:

Aug 26 11:16:48 Accept : 103.89.91.156
Aug 26 11:16:48 Received 47 : 103.89.91.156
Aug 26 11:16:48 Unknown protocol : 103.89.91.156
Aug 26 11:16:48 Unknown protocol : 103.89.91.156

Aug 26 11:36:30 Accept : 103.89.91.156
Aug 26 11:36:30 Received 47 : 103.89.91.156
Aug 26 11:36:30 Unknown protocol : 103.89.91.156
Aug 26 11:36:30 Unknown protocol : 103.89.91.156
Looks like all these IP addresses have a history of abuse.