Has my OpenVPN connection been hacked?

Posted: Sun Oct 30, 2011 7:38 pm
by innogen
Has my VPN connection been hacked?

I am using OpenVPN 2.2.1 (Community Edition) to tunnel to the internet.

About 15 minutes after a successful connection with my VPN service provider and surfing the internet, my VPN connection was disrupted. Below is a partial log of what happened:

Mon Oct 31 02:50:13 2011 Initialization Sequence Completed
Mon Oct 31 02:50:22 2011 Replay-window backtrack occurred [1]
Mon Oct 31 03:04:03 2011 [vpn] Inactivity timeout (--ping-restart), restarting
Mon Oct 31 03:04:03 2011 TCP/UDP: Closing socket
Mon Oct 31 03:04:03 2011 SIGUSR1[soft,ping-restart] received, process restarting
Mon Oct 31 03:04:03 2011 Restart pause, 2 second(s)
Mon Oct 31 03:04:05 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Oct 31 03:04:05 2011 Re-using SSL/TLS context
Mon Oct 31 03:04:05 2011 LZO compression initialized
Mon Oct 31 03:04:05 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Oct 31 03:04:05 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Oct 31 03:04:17 2011 RESOLVE: Cannot resolve host address: vpn.kkk.abcde.com : [NO_DATA] The requested name is valid but does not have an IP address.
Mon Oct 31 03:04:17 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Oct 31 03:04:17 2011 Local Options hash (VER=V4): '41690919'
Mon Oct 31 03:04:17 2011 Expected Remote Options hash (VER=V4): '530fdded'
Mon Oct 31 03:04:29 2011 RESOLVE: Cannot resolve host address: vpn.kkk.abcde.com: [NO_DATA] The requested name is valid but does not have an IP address.
Mon Oct 31 03:04:46 2011 RESOLVE: Cannot resolve host address: vpn.kkk.abcde.com: [NO_DATA] The requested name is valid but does not have an IP address.
Mon Oct 31 03:05:03 2011 RESOLVE: Cannot resolve host address: vpn.kkk.abcde.com: [NO_DATA] The requested name is valid but does not have an IP address.
Mon Oct 31 03:05:20 2011 RESOLVE: Cannot resolve host address: vpn.kkk.abcde.com: [NO_DATA] The requested name is valid but does not have an IP address.
Mon Oct 31 03:05:37 2011 RESOLVE: Cannot resolve host address: vpn.kkk.abcde.com: [NO_DATA] The requested name is valid but does not have an IP address.
Mon Oct 31 03:05:54 2011 RESOLVE: Cannot resolve host address: vpn.kkk.abcde.com: [NO_DATA] The requested name is valid but does not have an IP address.
Note: All times mentioned in the log are local times.

I have the following questions:

(1) At about 03:04:03 hours, there was an inactivity timeout. I remember clearly I was actively surfing the internet at that time.

(a) Why did it happen?
(b) Is there a way to prevent such recurrence?

(2) At about 03:04:17 hours, my VPN was not able to resolve host address.

(a) Was it my VPN service provider that disrupted my attempt at a VPN connection?
(b) Or was it the target website that I was surfing to earlier that disrupted my VPN connection in order to discover my real IP address?

Any help would be much appreciated.

Re: Has my OpenVPN connection been hacked?

Posted: Sun Oct 30, 2011 9:42 pm
by janjust
when did you record this log? which timezone are you in? are you sure the clock on your PC is set correctly? have you been affected by a shift to wintertime?

are you certain that you're browsing the internet via the VPN?

the 'cannot resolve' means that the hostname can no longer be resolved after the restart - this can occur (on linux) if the /etc/resolv.conf file got corrupted ; what happens if you (now) resolve the hostname manually?

Re: Has my OpenVPN connection been hacked?

Posted: Mon Oct 31, 2011 12:02 am
by innogen
janjust wrote: when did you record this log? which timezone are you in? are you sure the clock on your PC is set correctly? have you been affected by a shift to wintertime?

the log is automatically generated by OpenVPN, is it not?

i'm in UTC+8 timezone. and yes, i'm sure that the clock on my PC is set correctly.

when the incident occurred, i was using a gateway that was in UTC+1 timezone. that gateway was provided by my VPN service provider.

the timezone where i'm currently in now, i.e. UTC+8, does not adjust for wintertime.

janjust wrote: are you certain that you're browsing the internet via the VPN?

yes, i was and am certain that i was browsing the internet via the VPN at the time the incident occurred.

janjust wrote: the 'cannot resolve' means that the hostname can no longer be resolved after the restart - this can occur (on linux) if the /etc/resolv.conf file got corrupted ; what happens if you (now) resolve the hostname manually?

sorry, i don't know much about IT. could you show me how to manually resolve the hostname?

thanks in advance for your help.

Re: Has my OpenVPN connection been hacked?

Posted: Mon Oct 31, 2011 9:41 am
by janjust
depends a bit on your client OS; on Windows, open a command window and type

nslookup vpn.kkk.abcde.com
On Linux and MacOS, start a terminal and type

host vpn.kkk.abcde.com

Re: Has my OpenVPN connection been hacked?

Posted: Mon Oct 31, 2011 6:52 pm
by innogen
thanks janjust.

below are my questions:

(1) Why did it happen?

(2) Is there a way to prevent such recurrence?

(3) Was it my VPN service provider that disrupted my attempt at a VPN connection?

(4) Or was it the target website that I was surfing to earlier that disrupted my VPN connection in order to discover my real IP address?

Re: Has my OpenVPN connection been hacked?

Posted: Mon Oct 31, 2011 10:15 pm
by janjust
it's hard to tell why this happened - you would need to ask your VPN provider if they know of any service disruption.

IF it was a hack attempt then it could be several things: either your local DNS settings were attacked/hacked, or the DNS server you use was attacked, or the VPN provider itself was attacked.

Most likely some DNS provider made an error and this wasn't an attack at all.
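
An added example, not part of the thread or of OpenVPN itself: a small triage script that reads a client log like the one in the first post and separates the two events discussed above, the `--ping-restart` timeout (no packet received from the server within the configured interval) and the DNS failures that follow the restart. The event labels and function names are this example's own; the sample lines are taken from the posted log.

```python
import re
from datetime import datetime

# Sample input: a subset of the lines posted in the first message of this thread.
SAMPLE_LOG = """\
Mon Oct 31 02:50:13 2011 Initialization Sequence Completed
Mon Oct 31 02:50:22 2011 Replay-window backtrack occurred [1]
Mon Oct 31 03:04:03 2011 [vpn] Inactivity timeout (--ping-restart), restarting
Mon Oct 31 03:04:03 2011 SIGUSR1[soft,ping-restart] received, process restarting
Mon Oct 31 03:04:17 2011 RESOLVE: Cannot resolve host address: vpn.kkk.abcde.com : [NO_DATA] The requested name is valid but does not have an IP address.
Mon Oct 31 03:04:29 2011 RESOLVE: Cannot resolve host address: vpn.kkk.abcde.com: [NO_DATA] The requested name is valid but does not have an IP address.
Mon Oct 31 03:05:54 2011 RESOLVE: Cannot resolve host address: vpn.kkk.abcde.com: [NO_DATA] The requested name is valid but does not have an IP address.
"""

LINE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) (.*)$")
EVENTS = [  # (label, pattern); labels are hypothetical names used only here
    ("tunnel_up", re.compile(r"Initialization Sequence Completed")),
    ("replay_backtrack", re.compile(r"Replay-window backtrack occurred")),
    ("ping_restart", re.compile(r"Inactivity timeout \(--ping-restart\)")),
    ("dns_failure", re.compile(r"RESOLVE: Cannot resolve host address: (\S+?)\s*:")),
]

def parse(log_text):
    """Turn raw log text into (timestamp, label, hostname-or-None) tuples."""
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        for label, pat in EVENTS:
            hit = pat.search(m.group(2))
            if hit:
                events.append((ts, label, hit.group(1) if hit.groups() else None))
                break
    return events

def summarize(events):
    """Report uptime before the restart and the DNS failures after it."""
    up = next((ts for ts, label, _ in events if label == "tunnel_up"), None)
    restart = next((ts for ts, label, _ in events if label == "ping_restart"), None)
    dns = [(ts, host) for ts, label, host in events
           if label == "dns_failure" and restart and ts >= restart]
    return {
        "uptime_s": (restart - up).total_seconds() if up and restart else None,
        "dns_failures": len(dns),
        "hosts": sorted({host for _, host in dns}),
        "reconnected": any(l == "tunnel_up" and restart and ts > restart
                           for ts, l, _ in events),
    }
```

On the posted log this shows a tunnel that ran for 830 seconds, restarted on the inactivity timer, and then never came back because every reconnect attempt failed at name resolution for the server's own hostname.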