Has my OpenVPN connection been hacked?

innogen
OpenVPN Power User
Posts: 87
Joined: Sun May 22, 2011 8:14 am

Has my OpenVPN connection been hacked?

Post by innogen » Sun Oct 30, 2011 7:38 pm

Has my VPN connection been hacked?

I am using OpenVPN 2.2.1 (Community Edition) to tunnel to the internet.

About 15 minutes after a successful connection with my VPN service provider and surfing the internet, my VPN connection was disrupted. Below is a partial log of what happened:

Code:

Mon Oct 31 02:50:13 2011 Initialization Sequence Completed
Mon Oct 31 02:50:22 2011 Replay-window backtrack occurred [1]
Mon Oct 31 03:04:03 2011 [vpn] Inactivity timeout (--ping-restart), restarting
Mon Oct 31 03:04:03 2011 TCP/UDP: Closing socket
Mon Oct 31 03:04:03 2011 SIGUSR1[soft,ping-restart] received, process restarting
Mon Oct 31 03:04:03 2011 Restart pause, 2 second(s)
Mon Oct 31 03:04:05 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Oct 31 03:04:05 2011 Re-using SSL/TLS context
Mon Oct 31 03:04:05 2011 LZO compression initialized
Mon Oct 31 03:04:05 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Oct 31 03:04:05 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Oct 31 03:04:17 2011 RESOLVE: Cannot resolve host address: vpn.kkk.abcde.com : [NO_DATA] The requested name is valid but does not have an IP address.
Mon Oct 31 03:04:17 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Oct 31 03:04:17 2011 Local Options hash (VER=V4): '41690919'
Mon Oct 31 03:04:17 2011 Expected Remote Options hash (VER=V4): '530fdded'
Mon Oct 31 03:04:29 2011 RESOLVE: Cannot resolve host address: vpn.kkk.abcde.com: [NO_DATA] The requested name is valid but does not have an IP address.
Mon Oct 31 03:04:46 2011 RESOLVE: Cannot resolve host address: vpn.kkk.abcde.com: [NO_DATA] The requested name is valid but does not have an IP address.
Mon Oct 31 03:05:03 2011 RESOLVE: Cannot resolve host address: vpn.kkk.abcde.com: [NO_DATA] The requested name is valid but does not have an IP address.
Mon Oct 31 03:05:20 2011 RESOLVE: Cannot resolve host address: vpn.kkk.abcde.com: [NO_DATA] The requested name is valid but does not have an IP address.
Mon Oct 31 03:05:37 2011 RESOLVE: Cannot resolve host address: vpn.kkk.abcde.com: [NO_DATA] The requested name is valid but does not have an IP address.
Mon Oct 31 03:05:54 2011 RESOLVE: Cannot resolve host address: vpn.kkk.abcde.com: [NO_DATA] The requested name is valid but does not have an IP address.

Note: All times mentioned in the log are local times.

I have the following questions:

(1) At about 03:04:03 hours, there was an inactivity timeout. I remember clearly I was actively surfing the internet at that time.

(a) Why did it happen?
(b) Is there a way to prevent such recurrence?

(2) At about 03:04:17 hours, my VPN was not able to resolve host address.

(a) Was it my VPN service provider that disrupted my attempt at a VPN connection?
(b) Or was it the target website that I was surfing to earlier that disrupted my VPN connection in order to discover my real IP address?

Any help would be much appreciated.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Has my OpenVPN connection been hacked?

Post by janjust » Sun Oct 30, 2011 9:42 pm

when did you record this log? which timezone are you in? are you sure the clock on your PC is set correctly? have you been affected by a shift to wintertime?

are you certain that you're browsing the internet via the VPN?

the 'cannot resolve' means that the hostname can no longer be resolved after the restart - this can occur (on linux) if the /etc/resolv.conf file got corrupted ; what happens if you (now) resolve the hostname manually?

innogen
OpenVPN Power User
Posts: 87
Joined: Sun May 22, 2011 8:14 am

Re: Has my OpenVPN connection been hacked?

Post by innogen » Mon Oct 31, 2011 12:02 am

janjust wrote: when did you record this log? which timezone are you in? are you sure the clock on your PC is set correctly? have you been affected by a shift to wintertime?

the log is automatically generated by OpenVPN, is it not?

i'm in UTC+8 timezone. and yes, i'm sure that the clock on my PC is set correctly.

when the incident occurred, i was using a gateway that was in UTC+1 timezone. that gateway was provided by my VPN service provider.

the timezone where i'm currently in now, i.e. UTC+8, does not adjust for wintertime.

janjust wrote: are you certain that you're browsing the internet via the VPN?

yes, i was and am certain that i was browsing the internet via the VPN at the time the incident occurred.

janjust wrote: the 'cannot resolve' means that the hostname can no longer be resolved after the restart - this can occur (on linux) if the /etc/resolv.conf file got corrupted ; what happens if you (now) resolve the hostname manually?

sorry, i don't know much about IT. could you show me how to manually resolve the hostname?

thanks in advance for your help.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Has my OpenVPN connection been hacked?

Post by janjust » Mon Oct 31, 2011 9:41 am

depends a bit on your client OS; on Windows, open a command window and type

Code:

nslookup vpn.kkk.abcde.com

On Linux and MacOS, start a terminal and type

Code:

host vpn.kkk.abcde.com

innogen
OpenVPN Power User
Posts: 87
Joined: Sun May 22, 2011 8:14 am

Re: Has my OpenVPN connection been hacked?

Post by innogen » Mon Oct 31, 2011 6:52 pm

thanks janjust.

below are my questions:

(1) Why did it happen?

(2) Is there a way to prevent such recurrence?

(3) Was it my VPN service provider that disrupted my attempt at a VPN connection?

(4) Or was it the target website that I was surfing to earlier that disrupted my VPN connection in order to discover my real IP address?

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Has my OpenVPN connection been hacked?

Post by janjust » Mon Oct 31, 2011 10:15 pm

it's hard to tell why this happened - you would need to ask your VPN provider if they know of any service disruption.

IF it was a hack attempt then it could be several things: either your local DNS settings were attacked/hacked, or the DNS server you use was attacked, or the VPN provider itself was attacked.

Most likely some DNS provider made an error and this wasn't an attack at all.
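
Added example (not part of any post in this thread): a small Python triage of the client log from the first post. It measures how long the tunnel was up before the `--ping-restart` timeout and checks whether the `RESOLVE` failures only begin after that restart. The function name `triage` and the abridged `SAMPLE_LOG` are this example's own; the log lines are copied from the first post.

```python
import re
from datetime import datetime

# Abridged copy of the client log quoted in the first post of this thread.
SAMPLE_LOG = """\
Mon Oct 31 02:50:13 2011 Initialization Sequence Completed
Mon Oct 31 02:50:22 2011 Replay-window backtrack occurred [1]
Mon Oct 31 03:04:03 2011 [vpn] Inactivity timeout (--ping-restart), restarting
Mon Oct 31 03:04:03 2011 SIGUSR1[soft,ping-restart] received, process restarting
Mon Oct 31 03:04:17 2011 RESOLVE: Cannot resolve host address: vpn.kkk.abcde.com : [NO_DATA] The requested name is valid but does not have an IP address.
Mon Oct 31 03:04:29 2011 RESOLVE: Cannot resolve host address: vpn.kkk.abcde.com: [NO_DATA] The requested name is valid but does not have an IP address.
Mon Oct 31 03:04:46 2011 RESOLVE: Cannot resolve host address: vpn.kkk.abcde.com: [NO_DATA] The requested name is valid but does not have an IP address.
"""

# ctime-style timestamp, then the message text.
LINE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) (.*)$")
# Host and resolver error code; tolerates the optional space before the colon.
RESOLVE = re.compile(r"RESOLVE: Cannot resolve host address: (\S+?)\s*: \[(\w+)\]")

def triage(log_text):
    """Summarise tunnel uptime, ping-restarts and DNS failures in a client log."""
    up_since, uptimes, restarts, failures = None, [], [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines without a parseable timestamp
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        msg = m.group(2)
        if "Initialization Sequence Completed" in msg:
            up_since = ts  # tunnel is up from here
        elif "Inactivity timeout (--ping-restart)" in msg:
            restarts.append(ts)
            if up_since is not None:
                uptimes.append((ts - up_since).total_seconds())
                up_since = None
        else:
            r = RESOLVE.search(msg)
            if r:
                failures.setdefault((r.group(1), r.group(2)), []).append(ts)
    first_fail = min((t[0] for t in failures.values()), default=None)
    return {
        "uptimes_s": uptimes,
        "restarts": restarts,
        "resolve_failures": {k: len(v) for k, v in failures.items()},
        # True when every resolver failure comes after the first ping-restart.
        "failures_follow_restart": bool(restarts) and first_fail is not None
                                   and first_fail >= restarts[0],
    }
```

On the sample this reports 830 seconds of uptime and three `NO_DATA` failures for the VPN server's own hostname, all after the restart. The log alone shows that reconnection failed at the name-resolution step; it does not show why the name stopped resolving.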
