XF 1.2 340 Users from same IP address, including myself...

[Joe Link]

One of my moderators found this result while doing an IP address search for multiple accounts.

Any idea what this could be? Resolves to host109-155-118-35.range109-155.btcentralplus.com

 

[TPerry]

One of my moderators found this result while doing an IP address search for multiple accounts.

Any idea what this could be? Resolves to host109-155-118-35.range109-155.btcentralplus.com

View attachment 69616

You use CloudFlare or a similar service... that's a typical symptom of it as all your inbound IP's are from the proxy service if all the users have it.
If it is only some, then it could be a ISP that has limited IP's (small) that serves an area. It is a little unusual. It could, of course, be the same user.

 

[Joe Link]

Hmm, we don't use any sort of CDN or proxy service. The really odd thing is it says I've used it, so I know it's not the same user

 

[TPerry]

What web server are you using... and have you checked the logs (if you have them) of the last time on and see if that IP corresponds?

 

[Paul B]

Which add-ons do you have installed?

 

[Joe Link]

What web server are you using... and have you checked the logs (if you have them) of the last time on and see if that IP corresponds?

Litespeed. I have not checked the logs.

Which add-ons do you have installed?

 

[Hamma]

You aren't running behind a load balancer or anything with multiple servers?

 

[Joe Link]

You aren't running behind a load balancer or anything with multiple servers?

Nope, just one dedicated server.

 

[Joe Link]

Any ideas?

 

[Paul B]

I can only assume it's add-on related, as the other possibilities have been ruled out.

You will need to disble them and do some testing to try and identify which.

 

[RobParker]

No reverse proxy between Litespeed and apache or anything like that?

 

[Joe Link]

I'm not sure what a reverse proxy is.

 

[RobParker]

At one stage we had nginx and apache working together with apache handling the php requests and nginx as a "reverse proxy" handling the the static files.

We saw the same behavior you're seeing with all our users seemingly coming from the same IP address.

I'm not saying it's the reason in your case but something to rule out maybe.

 

[TPerry]

At one stage we had nginx and apache working together with apache handling the php requests and nginx as a "reverse proxy" handling the the static files.

We saw the same behavior you're seeing with all our users seemingly coming from the same IP address.

I'm not saying it's the reason in your case but something to rule out maybe.

That was one of the reasons I asked about CloudFlare or a proxy service of some type. It seems that this is a frequent issue when there is a proxy involved and there is a configuration problem. @Joe Link, check with your hosting provider and make sure that they are not using any reverse proxy service set upon your server.

 

[Alpha1]

do all of these users use Chrome?
Chrome has started to proxy it's users if they have a certain setting turned on.

 

[Joe Link]

I'll check with my host.

I don't believe I've ever used chrome logged into Joe Link.

 

[md_5]

My staff and I have exactly the same issue. Performing (unknown) moderation actions on a user will log our IP address as used by them, addon list:
http://files.md-5.net/s/rZlN.png

EDIT: Gonna tag @Syndol since iirc conversation essentials once had such an issue, maybe one of his other things does, those are in common.

EDIT2: Out of all my addons, UserEssentials is the only one which messes with IP addresses:

UserEss/DataWriter/UserLog.php:                'ip_address'              => array('type' => self::TYPE_STRING, 'default' => '0',
UserEss/DataWriter/UserLog.php:        if ($this->isInsert() && !$this->get('ip_address') && isset($_SERVER['REMOTE_ADDR']))
UserEss/DataWriter/UserLog.php:            $this->set('ip_address', $_SERVER['REMOTE_ADDR']);
UserEss/UserLogHandler/Abstract.php:        $entry['ipAddress'] = ($entry['ip_address'] ? long2ip($entry['ip_address']) : '');
UserEss/Install/Construct.php:                    ip_address INT UNSIGNED NOT NULL DEFAULT 0,

EDIT3: I've linked it to approving stuff from the moderation queue, resources at least. The time + ip of my staff approving the resource matches that of when the user was logged with the staff members IP address.

EDIT4: There are only a few distinct actions in the IP log table: http://files.md-5.net/s/xvkV.png
So either the view IP form is also checking the mod log, or moderation stuff is inserting it into the IP table as the 'insert' action.

@Brogan can you comment on this please?

EDIT5: Cross referenced the tables, and a resource approval is logging an "insert post" action in the xf_ip table, with the user's name, but approvers IP address. Need to check if this is the case for all modlog items.

EDIT6: This is only happening for resource manager stuff.

EDIT7: See http://xenforo.com/community/threads/some-moderation-actions-log-staff-ip-under-user-account.73129/