User's IP Address appears as Admin IP Address

XFuser

Active member
This bug is quite disconcerting and serious.

We received a report about a suspicious account on our site, and when we clicked the "Shared IPs" link in that user's profile page, it showed our Admin account! Needless to say, that's not our account or IP Address.

We looked at the IP of this user that is appearing also as ours and it's in another country.

When we look at our account in the Admin panel, it displays this erroneous IP address under the "IP Addresses" tab of our account.

How in the world could such an egregious mix-up with something as specific as the IP Address happen and affect our Admin account?

Our installed Add-ons are:
  1. Alter Ego Detector 1.5.6
  2. Avatar Identicon by Iversia 1.2.2
  3. User Agent 2.1
  4. XenCentral Framework 1.3.5.2
  5. XenCentral Invite System 1.4.4

Please advise urgently as this bug is now making us question the IP addresses appearing for our users.

Thank you.
 
This is almost certainly down to content being created in the name of your user while the request from another user is happening. This would be down to an add-on that isn't disabling IP logging in this case (leading to a false positive).
 
This is almost certainly down to content being created in the name of your user while the request from another user is happening. This would be down to an add-on that isn't disabling IP logging in this case (leading to a false positive).
How can we determine which Add-on is doing that? We only have 5 Add-ons installed, the ones we mentioned above.

We need to fix this urgently so that we can trust the IP Addresses showing for our users.
 
Do any of those add-ons create posts, conversations, etc? If so, they would be the ones to look at. Unfortunately, it's not possible to be 100% definitive without disabling add-ons and seeing if it stops happening (and that means over time; it won't resolve it for existing instances).
 
This is almost certainly down to content being created in the name of your user while the request from another user is happening. This would be down to an add-on that isn't disabling IP logging in this case (leading to a false positive).
Alter Ego Detector 1.5.6 does set options to disable IP tracking for the threads it creates (the option to create conversation was bugged, fixing that now). And threads created by reports also have it IP tracking disabled.

Without more information I can't troubleshoot this as my AED add-on being at-fault.
 
Last edited:
It may help to find the records in xf_ip that relate the admin user to the IP and then try to back track to what would have created that.

I did see the conversation message bug in AE's code as it was reported (threads looked ok). I don't think there's anything in the core that would trigger it (on the basis that we haven't had any other reports of this and there isn't much new that inserts content on behalf of others).
 
  • Like
Reactions: Xon
It may help to find the records in xf_ip that relate the admin user to the IP and then try to back track to what would have created that.
Yes, this would a very important step to figure out how the IP is being matched (the shared IP tool simply doesn't show what content the IP matched on)

For example if it is the initial user signup or login record and a standard thread/post (not one automatically created), it might actually be a legit case of the admin account has been compromised.

I did see the conversation message bug in AE's code as it was reported (threads looked ok). I don't think there's anything in the core that would trigger it (on the basis that we haven't had any other reports of this and there isn't much new that inserts content on behalf of others).
I've only had a few reports back when threads incorrectly logged the IP ages ago. And no one has reported the conversation IP bits till I looked at it today.

And I heavily use this add-on on my own sites, so I'm highly doubtful it is just my add-on at fault.
 
It may help to find the records in xf_ip that relate the admin user to the IP and then try to back track to what would have created that.
How can we do that?

The xf_ip table isn't storing IP Addresses in their original format.

Please advise what we need to do to get to the bottom of this urgent and serious bug.

Thank you.
 
You can try this query:
Code:
SELECT content_type, content_id, FROM_UNIXTIME(log_date) AS log_date FROM xf_ip WHERE ip = UNHEX(HEX(INET_ATON('127.0.0.1'))) AND user_id = 1;

Change the IP to be the unexpected one and the user_id to be the admin user.
 
You can try this query:
Code:
SELECT content_type, content_id, FROM_UNIXTIME(log_date) AS log_date FROM xf_ip WHERE ip = UNHEX(HEX(INET_ATON('127.0.0.1'))) AND user_id = 1;

Change the IP to be the unexpected one and the user_id to be the admin user.
We just ran that query and only one result came up, it is of content_type "post" with a content_id that is presumably linked to a post_id. We checked that post_id in "xf_post" and the result is a post auto-generated by the Alter Ego Detector Add-on to inform us of a user with multiple accounts. That user's IP address was the one showing up as our Admin IP address.

Does this confirm the bug is indeed in the Alter Ego Detector Add-on?

How can it be fixed?
 
If the listed post was generated by AE, it would be something that has to be resolved there (with @Xon). However, I would say that you should do standard troubleshooting: try to reproduce it. You can see if an IP is logged with a post by clicking the IP link on the post and looking at the "content IP" value. If you can't reproduce it on a new thread, then maybe this was a bug in an older version.
 
  • Like
Reactions: Xon
If the listed post was generated by AE, it would be something that has to be resolved there (with @Xon).
OK, we will let @Xon know so they can fix it urgently.

However, I would say that you should do standard troubleshooting: try to reproduce it. You can see if an IP is logged with a post by clicking the IP link on the post and looking at the "content IP" value.
The author of the auto-generated post in question is our Admin account (as is the default setting in AE), but the Content IP is the IP of the user being auto-reported by AE. That seems to be where the bug is.

If you can't reproduce it on a new thread, then maybe this was a bug in an older version.
We have the version before the update made by @Xon in the last 24 hours. However, that new update only fixed a bug they discovered with the reports sent to Conversations after we brought this issue to their attention. But we don't use that feature. Our reports create a new thread.
 
That's wired.
We use the same setup with it.

Create a new Thread.
An Admin account generate this Thread.
But if i hit the ip button i got only there is no IP Information for this content.

I just check randomly some of the messages.

So from my point it don't look like an error from AE.
 
@XFuser - I have the latest version (before the update 24 hours ago) and it doesn't log IPs for the threads it creates to report AEs:

upload_2016-7-27_14-15-50.webp


However, it used to log them in an older version:

upload_2016-7-27_14-16-47.webp


Please try this: completely uninstall the Alter Ego Detector add-on, remove ALL the files from your server, and reinstall and configure using the very latest version. (Note - REMOVE all the related add-on files from your server - this is important as there may be some older versions still present).

If, after doing that, you are still having problems, them you may need to look further at your add-ons list to see if there are any other incompatibilities - shouting at @Xon isn't helping, especially as you haven't followed his (or Mike's) advice to do a bit more investigation, and even more so seeing as others are not experiencing the same problem (which you'd expect if there was a serious bug!!!).

Kind regards,
Shaun
 
@Shaun:

To be clear, no IP address is being shown in the posts Alter Ego creates in the format "UserA & UserB are alter egos!" (e.g. there is no "IP" link in those posts).

The IP address is being shown in the posts created in the format "Reported Content: UserA & UserB are alter egos!" (e.g. there is an "IP" link in those posts).

The latter threads are being created because we do not use the Report Center and instead have reports create new threads, so when Alter Ego creates a new "Reported Content" thread, that's where the problem is.

So let's make sure we are talking about the same type of threads before we are asked to disable all our other add-ons or uninstall and re-install add-ons.

Let's also appreciate the severity of this bug, our Admin account is showing an IP Address in our account that we have never used.
 
Can you reproduce that behavior consistently? (As in, trigger it right now?)

The core reporting code doesn't log IPs in posts created by it. The Alter Ego code presumably just interacts with our reporting API, so it wouldn't have any effect on that.

Try reporting content directly as well and seeing if you have an IP logged on the post. (I just tested it locally; there wasn't.)
 
The latter threads are being created because we do not use the Report Center and instead have reports create new threads, so when Alter Ego creates a new "Reported Content" thread, that's where the problem is.
We do not use the report centre either, and also have the add-on create new threads in one of our moderator forums. It doesn't associate an IP with them (as shown above), which seems to be the case for other people who use the add-on too. So there does appear to be something unique about your set-up that is causing you this particular problem.

What's interesting in your reply is that the title in the first line would be the style of title I would associate with the automatically generated threads from the AED add-on - that is to say, the add-on is working as-expected if you're not seeing an IP address associated them. Ergo, the add-on does not have a serious bug. It is working properly.

In the second line, however - Reported Content - is a prefix I would normally associate with manually reported content from members and staff where you would expect to see an IP address.

Are you sure your moderators or staff aren't reporting the auto-created AED threads to bring them to everyone's attention?

Do you end up with
two similarly titled threads for AE detections?

I appreciate your concern, and would be willing to have a look at your set-up try and establish what's going on (if I can). If you'd like to take-up the offer, please PM me.

Cheers,
Shaun
 
Last edited:
  • Like
Reactions: Xon
Oh, I've just remembered (with the mention of duplicate reporting), one another thing that caused problems in the past was having BOTH of 'Create thread?' and 'Start report' ticked in AED options.

If you have got both ticked, please untick 'Start report' and save and let us know if that resolves it?

upload_2016-7-27_15-25-14.webp
 
Last edited:
  • Like
Reactions: Xon
Top Bottom