XF 2.2 IP (of moderator) differs from real IP

duderuud

A moderator on our forum has IP address X but the XF IP lookup tool states IP address Y.

The moderator tried different IP lookup tools and his real IP checks out (also resolved to his provider). The IP XenForo states is used by him and someone in his house.

All the other reported IPs in XenForo seem to check out. Using XenForo btw.

Does anyone have any idea how this is possible?
 
I'm not entirely following but if he has an unrecognised IP address logged then it would be a genuine IP address used to access his account. Where does IP address Y resolve to if you look it up in XF? Could it be a VPN or a proxy or similar?
 
IP X resolves to the moderator and housemate only.
IP X is the real IP and resolves to their own ISP.

IP Y cannot be resolved to an ISP (or anything else). Just that it's likely a static IP.
The only users with that IP are the same 2 persons.

The moderator is not too tech savvy but he says he is not using a VPN/proxy tool/addon.
Cannot figure this one out 🤔

Edit: maybe it has something to do with the new Apple private relay function? Not sure if the moderator has an iPhone with a paid iCloud account though, will ask him.
 
Edit: maybe it has something to do with the new Apple private relay function? Not sure if the moderator has an iPhone with a paid iCloud account though, will ask him.
This is what I was leading to.

Unfortunately, the surge in people using VPNs/proxies and the new dawn of completely private relays (mostly Apple for now, but bound to be adopted in some way by Google in the future) essentially make IP addresses as an identification method completely useless.

For example, due to Apple private relay, you may think I am all of these people:

[Attached image: 1645220771380.png]

The IP addresses displayed are all Apple private relay IP addresses that I have shared with these four other users.
 
I’ve really no valid explanation. It doesn’t appear to be any known proxy.

We can’t rule out that it was unauthorised access in some fashion.

Can you run this query against your database, replacing x.x.x.x with the suspicious IP address?

SQL:
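-- xf_ip.ip holds the address in binary form; HEX/CONV/INET_NTOA turns a 4-byte value into dotted IPv4 text
SELECT ip.user_id, u.username, ip.content_type, ip.action, INET_NTOA(CONV(HEX(ip.ip), 16, 10)) AS ip_v4
FROM xf_ip AS ip
INNER JOIN xf_user AS u ON (ip.user_id = u.user_id)
WHERE INET_NTOA(CONV(HEX(ip.ip), 16, 10)) = 'x.x.x.x'
GROUP BY ip.user_id;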
 
From the dodgy IP?

I’d probably ask them to reset their account passwords and also verify that their email account is secure too. Also ban that IP.

Those logs indicate logins with the actual account password.
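
An added example, not part of the original thread: a Python sketch that decodes logged IP values and groups the usernames that share a relay egress range, which is the situation described above for private relays. It assumes xf_ip.ip holds the packed binary address (as the HEX() call in the query implies) and goes beyond the IPv4-only query by also handling 16-byte IPv6 values; the range list, usernames and function names are constructed for illustration, and the real ranges would come from the relay operator's published egress list.

```python
import csv
import io
import ipaddress

# Constructed sample in a "CIDR,country,region,city" layout using documentation
# ranges, not real relay ranges. Swap in the operator's published egress list.
SAMPLE_RANGES_CSV = """\
192.0.2.0/24,GB,GB-ENG,London
2001:db8:100::/48,NL,NL-NH,Amsterdam
"""

# Constructed (username, packed ip) rows, shaped like xf_user joined to xf_ip.
SAMPLE_ROWS = [
    ("mod_a", bytes([192, 0, 2, 17])),
    ("housemate_b", bytes.fromhex("c0000211")),          # same address, 4 bytes
    ("user_c", bytes([198, 51, 100, 7])),                # outside every range
    ("user_d", ipaddress.ip_address("2001:db8:100::5").packed),
]

def load_ranges(csv_text):
    """Parse the first CSV column of each non-empty row into network objects."""
    return [ipaddress.ip_network(row[0].strip(), strict=False)
            for row in csv.reader(io.StringIO(csv_text)) if row and row[0].strip()]

def decode_xf_ip(raw):
    """Decode a packed address: 4 bytes is IPv4, 16 bytes is IPv6."""
    if len(raw) not in (4, 16):
        raise ValueError(f"unexpected packed IP length: {len(raw)}")
    addr = ipaddress.ip_address(raw)
    # Report IPv4-mapped IPv6 (::ffff:a.b.c.d) as the plain IPv4 address.
    return getattr(addr, "ipv4_mapped", None) or addr

def classify(raw, nets):
    """Return (address text, matching range text or None)."""
    addr = decode_xf_ip(raw)
    for net in nets:
        if addr.version == net.version and addr in net:
            return str(addr), str(net)
    return str(addr), None

def users_by_relay_range(rows, nets):
    """Group usernames by the relay range their logged address falls in."""
    shared = {}
    for username, raw in rows:
        _, net = classify(raw, nets)
        if net:
            shared.setdefault(net, set()).add(username)
    return shared

if __name__ == "__main__":
    print(users_by_relay_range(SAMPLE_ROWS, load_ranges(SAMPLE_RANGES_CSV)))
```

Accounts that only overlap inside a relay range are weak evidence of being the same person, while an overlap on an address outside every known range deserves the closer look the thread recommends.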
 