Am I in danger? #561
Replies: 2 comments
Hi @liability4400, I think it's a regular container and IP might have been misdetected, it could be an internal Docker range (if that's possible) or I could have a bug in the app. I think it has something to do with Docker, as this website mentions that the I think if there are no suspicious containers, you should be fine. You could also try turning off containers one-by-one to see if the entry changes. Also, I'm no network specialist (that's partly why I picked up the maintenance of PiAlert as I wanted to learn more and make what's going on on my LAN more visible), so you could also ask/search on other forums or security-related subreddits. Would be great if you could report back - I can write up doc on it later.
I can confirm that 02:42 are for Docker containers and the fe80 IPv6 address is also for link-local (aka internal) addresses, so you should be good.
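The check described in the reply above, as an added example that is not part of the thread or of PiAlert: it recovers the MAC embedded in the reported `fe80::` address and tests it against the `02:42` prefix, and also tests whether the reported IPv4 address is in RFC 1918 space. The function names are hypothetical; the addresses are the ones quoted in the original post.

```python
import ipaddress

DOCKER_MAC_PREFIX = "02:42"  # prefix named in the reply above
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def mac_from_eui64(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, or None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]   # low 64 bits
    if iid[3:5] != b"\xff\xfe":                    # EUI-64 filler bytes absent
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02                              # undo the universal/local bit flip
    return ":".join(f"{b:02x}" for b in octets)


def is_rfc1918(addr):
    """True if an IPv4 address is in one of the three RFC 1918 private blocks."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in RFC1918)


def describe(ipv4, ipv6):
    """Summarise what the two addresses of a scan entry say about its origin."""
    mac = mac_from_eui64(ipv6)
    return {
        "ipv6_link_local": ipaddress.IPv6Address(ipv6).is_link_local,
        "embedded_mac": mac,
        # Bit 0x02 of the first octet marks a locally administered (software-set) MAC.
        "mac_locally_administered": bool(mac and int(mac[:2], 16) & 0x02),
        "mac_has_docker_prefix": bool(mac and mac.startswith(DOCKER_MAC_PREFIX)),
        "ipv4_rfc1918": is_rfc1918(ipv4),
    }


if __name__ == "__main__":
    # Addresses as quoted in the original post.
    for key, value in describe("172.80.0.1", "fe80::42:8cff:fe9e:7992").items():
        print(f"{key}: {value}")
```

A link-local address never leaves its layer-2 segment, and a locally administered MAC is assigned by software rather than a hardware vendor. `172.80.0.1` lies outside `172.16.0.0/12`, so a PTR lookup for it sent to public DNS is answered by whoever owns that public block.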
Hi,
Sorry if I shouldn't ask this here but I don't really know where else.
I have just installed PiAlert and it confirmed my greatest fear: I will find something suspicious and spend 6 hours trying to figure out if I have been hacked.
I installed it using Docker on a Linux host running Ubuntu (the latest LTS). I also have PiHole running in a container, among many many containers. Upon launching PiAlert for the first time, I noticed this unusual entry with the name `lo0.csr1.lax1.esited.net`. In PiAlert, its IP address is `172.80.0.1`, and it apparently changed it to `fe80::42:8cff:fe9e:7992` after about 5 minutes. In the Plugins tab, it seems that it was imported from PiHole:

Now, the IPv4, IPv6 and MAC addresses all seem to point to the fact that it's a local docker container's address. However, I have done all the checks using wireshark, nmap, ifconfig, docker network inspect and other online tools and there is no trace of these addresses on my system at all (which is the only system running docker in the house). Moreover, I could not find any reference to any of these addresses on PiHole either (checked long-term data as well). The scariest part is the hostname which seems to be a server hosting company in the U.S. (eSited Solutions).

Am I compromised? How is it possible that a server from the US shows up in my LAN? And assuming this is simply a misnaming on Pholus scan's part, how come I cannot find any container in the 172.30.0.0/16 subnet? Any help would be greatly appreciated!