

Help with MAC address identification




Posted by rowdyplace, 10-28-2013, 09:57 PM
I am having a problem with a reseller hosting company I use to host several sites. I have been a customer for almost 2 years. Last week they got hacked, and I have not been able to access my WHM and cPanel (very short version) since then. They are now telling me that the problem is on my end. This may well be true, but the problem started with their hack-attack. Also, I use 5 other reseller hosting services and have no problem with any of them. I have had to move accounts from these guys to the additional resellers.

They just sent me the following ticket response wherein they say the MAC address of my machine is identified: (I actually employ 5 machines on a local area network.) Can someone read this for me and tell me the MAC address they refer to?

Oct 28 18:00:30 pwrshared kernel: [1129775.108015] Firewall: *TCP_IN Blocked* IN=em1 OUT= MAC=00:21:9b:90:fd:c9:00:d0:05:4e:44:00:08:00 SRC=50.130.7.212 DST=192.64.87.72 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=24765 DF PROTO=TCP SPT=54664 DPT=2086 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 28 18:00:36 pwrshared kernel: [1129781.105950] Firewall: *TCP_IN Blocked* IN=em1 OUT= MAC=00:21:9b:90:fd:c9:00:d0:05:4e:44:00:08:00 SRC=50.130.7.212 DST=192.64.87.72 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=24883 DF PROTO=TCP SPT=54664 DPT=2086 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 28 18:00:48 pwrshared kernel: [1129793.074063] Firewall: *TCP_IN Blocked* IN=em1 OUT= MAC=00:21:9b:90:fd:c9:00:d0:05:4e:44:00:08:00 SRC=50.130.7.212 DST=192.64.87.72 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=25131 DF PROTO=TCP SPT=54665 DPT=2086 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 28 18:00:51 pwrshared kernel: [1129796.074823] Firewall: *TCP_IN Blocked* IN=em1 OUT= MAC=00:21:9b:90:fd:c9:00:d0:05:4e:44:00:08:00 SRC=50.130.7.212 DST=192.64.87.72 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=25209 DF PROTO=TCP SPT=54665 DPT=2086 WINDOW=8192 RES=0x00 SYN URGP=0

Posted by whmxtra, 10-28-2013, 11:46 PM
MAC=00:21:9b:90:fd:c9:00:d0:05:4e:44:00:08:00 that would be the MAC part, but the message also indicates it's their firewall blocking your access, so the problem is on their end, question is why did it block you and why haven't they unblocked you lol. Usually cases like this are caused by failed ftp or cpanel logins if someone gets their pass wrong 3 times.

Posted by rowdyplace, 10-29-2013, 12:04 AM
I really don't know. I fear that they are "thin" on knowledge. This has been going back and forth for several days... But, it is slightly over my head. I'm stupid for not just dumping them and going on. The MAC address confuses me. I know what it is. I read wiki... You can see yours using ipconfig/all. While I use 5 different systems on a home LAN, the main one is: 00-12-3F-B3-B7-54. That is the format I'm used to. Not sure what that number they stated is representing...it has too many parts. I use Teamviewer to access a few other systems of my customers. I get the same results when I remote in using their machine to attempt to get to my WHM. For grins and giggles, will you try to connect:

http://auredhead.com (empty account)
http://auredhead.com:2083 cpanel (maybe :2082)
http://auredhead.com:2086 WHM (maybe 2087)

I would like to hear about your results. I will PM you the hosting company's name if interested, along with all the ticket history.

Last edited by rowdyplace; 10-29-2013 at 12:08 AM.
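Why the MAC= value in the firewall log lines quoted in this thread has 14 parts, shown as an added example that is not part of any post: the Linux netfilter log prints the whole 14-byte Ethernet header, which is the destination MAC (6 bytes), the source MAC (6 bytes) and the EtherType (2 bytes). The source MAC is that of the last layer-2 hop in front of the server, normally its gateway router, not the remote client's machine, because MAC addresses are not carried across routers. The function name and the returned keys are choices made for this example.

```python
import re

# One of the kernel log lines quoted in the thread, copied verbatim.
SAMPLE = (
    "Oct 28 18:00:30 pwrshared kernel: [1129775.108015] Firewall: *TCP_IN Blocked* "
    "IN=em1 OUT= MAC=00:21:9b:90:fd:c9:00:d0:05:4e:44:00:08:00 SRC=50.130.7.212 "
    "DST=192.64.87.72 LEN=52 TOS=0x00 PREC=0x00 TTL=112 ID=24765 DF PROTO=TCP "
    "SPT=54664 DPT=2086 WINDOW=8192 RES=0x00 SYN URGP=0"
)

ETHERTYPES = {"0800": "IPv4", "0806": "ARP", "86dd": "IPv6"}


def parse_firewall_line(line):
    """Split a netfilter log line into KEY=value fields and decode MAC=."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    dpt = fields.get("DPT", "")
    result = {
        "src_ip": fields.get("SRC"),
        "dst_ip": fields.get("DST"),
        "dst_port": int(dpt) if dpt.isdigit() else None,
        "dst_mac": None,
        "src_mac": None,
        "ethertype": None,
    }
    octets = fields.get("MAC", "").lower().split(":")
    # Only a 14-byte value is a plain Ethernet header. MAC= can be absent or
    # empty when no link-layer header is available, so leave the keys as None.
    if len(octets) == 14 and all(re.fullmatch(r"[0-9a-f]{2}", o) for o in octets):
        result["dst_mac"] = ":".join(octets[0:6])   # the server's own NIC (IN=em1)
        result["src_mac"] = ":".join(octets[6:12])  # previous layer-2 hop, e.g. gateway
        etype = "".join(octets[12:14])
        result["ethertype"] = ETHERTYPES.get(etype, "0x" + etype)
    return result


if __name__ == "__main__":
    for key, value in parse_firewall_line(SAMPLE).items():
        print(f"{key:10} {value}")
```

To identify the blocked client, SRC= (with SPT= and the timestamp) is the field to use; neither MAC in the header will match any machine on the client's LAN.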

Posted by whmxtra, 10-29-2013, 12:23 AM
Wouldn't worry about the MAC, the IP address is in there too, that's more useful for checking things. As for your site:

http://auredhead.com (empty account) <---- This one loads fine
http://auredhead.com:2083 cpanel (maybe :2082) <---- 2082 loads but 2083 gives an error (which is dumb, secure ports should always be the way to go)
http://auredhead.com:2086 WHM (maybe 2087) <---- timed out.

Now having said that I just tried to load them all again and now I can't reach the server either. Which means after 2 legit connections with no failed login attempts their firewall has blocked me. So it's most certainly an issue with their firewall config being too strict or misconfigured. I mean there's no reason to block legit access for simply having 2 connections at the same time. And as your host they should easily be able to remove the block.

Now if they got hacked through your site I can see blocking access to it on a temp basis while they fix it, but then the first priority should have been to tell you how they got hacked via your site so you can get rid of or change what caused the problem. But I'm guessing this is a low end company that doesn't really want to do any work. Maybe even a sub reseller? Could be they don't have access to unblock you but still doesn't change the fact the firewall is blocking for all the wrong reasons lol.

Posted by rowdyplace, 10-29-2013, 12:31 AM
Thank you sooooo very much. I can sleep better now!! They did not get their problem from me. I got an email from them announcing their problem. Before that, I probably had not accessed cpanel nor WHM in weeks. You are experiencing the exact same login results I am. I agree with your assessment of these folks. Tomorrow, I will just move on... There are too many opportunities out there. Again, THANKS!! mikeeeeeeeeeeeeeee

Posted by rowdyplace, 10-29-2013, 08:38 PM
whmxtra - Thanks again. Your input allowed me to push back the other way. Today they "fixed" the problem by telling me to use http://www.whm.auredhead.com. Not sure this is a fix, more like a patch... Your assistance is greatly appreciated!!


