Help needed to verify real server location (Iran?)

gbzret4d Member

Hi,
as far as I can tell, the server is located in the Netherlands and not in Iran. Any proof to verify the real location? Anything I could try, since I have access through SSH to the VPS? Here's the IP: 193.142.30.26

Comments

  • mans_xd Member

    I'm calling you from microsoft security department we have detected a virus in your computer please send me 1000$ and wait for otp

  • mans_xd Member

    ip routed to germany btw not netherlands and iran too

    Thanked by 1 gbzret4d
  • gbzret4d Member

    Thanks. It's running a globalping probe and I'm in contact with @jimaek already.

  • gbzret4d Member

    @mans_xd said:
    I'm calling you from microsoft security department we have detected a virus in your computer please send me 1000$ and wait for otp

    IMPERSONATOR!

    Thanked by 1 mans_xd
  • Kodomu Member

    Checking with mtr, there's enough latency where it would make sense for it to be in Iran, there's a 100ms jump after it leaves Germany and then another 100ms jump after that. Not sure where mao-ic is, as it's not on the list of twelve99 POPs and appears to be a customer ID, but the latency implies it's at least as far as Turkey from Frankfurt, and the next 100ms to the end IP would be about in line with what I'd expect to Iran.

    Thanked by 1 tempask
  • mans_xd Member

    @Kodomu said:
    Checking with mtr, there's enough latency where it would make sense for it to be in Iran, there's a 100ms jump after it leaves Germany and then another 100ms jump after that. Not sure where mao-ic is, as it's not on the list of twelve99 POPs and appears to be a customer ID, but the latency implies it's at least as far as Turkey from Frankfurt, and the next 100ms to the end IP would be about in line with what I'd expect to Iran.

    jump and jump

  • beanman109 Member, Host Rep, Megathread Squad

    @mans_xd said:

    jump and jump

    Thanked by 2 Kodomu mans_xd
  • tempask Member
    edited 7:18AM

    @Kodomu said:
    Checking with mtr, there's enough latency where it would make sense for it to be in Iran, there's a 100ms jump after it leaves Germany and then another 100ms jump after that. Not sure where mao-ic is, as it's not on the list of twelve99 POPs and appears to be a customer ID, but the latency implies it's at least as far as Turkey from Frankfurt, and the next 100ms to the end IP would be about in line with what I'd expect to Iran.

    Seems to be a smart way, I learned something from this, thanks. I went to https://tool.lu/ip/ to check; it shows Iran or Russia. Another possibility: the outbound IP differs from the inbound IP, and maybe the outbound IP is more real. On this VPS, run

    curl ip.sb

    to check the outbound IP. If it's the same address, my guess is wrong.

  • DataRecovery Member
    edited 7:08AM

    @gbzret4d said:
    the server is located in the Netherlands

    Ping from Hetzner (DE):

    ping -c 3 193.142.30.26
    PING 193.142.30.26 (193.142.30.26) 56(84) bytes of data.
    64 bytes from 193.142.30.26: icmp_seq=1 ttl=55 time=218 ms
    64 bytes from 193.142.30.26: icmp_seq=2 ttl=55 time=218 ms
    64 bytes from 193.142.30.26: icmp_seq=3 ttl=55 time=219 ms
    
    --- 193.142.30.26 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2002ms
    rtt min/avg/max/mdev = 218.723/218.853/219.051/0.407 ms
    

    NL is usually about 20 times less.

    Tracepath shows ~100 and ~200 ms hops.

  • my investigation has determined that the server is located in a basement in natas and that the data for the war against god is also managed from there.

  • xvps Member
    edited 9:58AM

    Thank you for letting us know that globalping.io uses fake probe locations.

    (Internet access in Iran is currently blocked, so you can’t ping any local IP addresses from outside Iran or from your probe, but your probe can ping anything outside Iran.)

    193.142.30.26 = globalping.io Iran probe.

  • forest Member
    edited 9:40AM

    @xvps said:
    Thank you for letting us know that globalping.io uses fake probe locations.

    (Internet access in Iran is currently blocked, so you can’t ping any local IP addresses from outside Iran or from your probe.)

    A number of them are incorrect, but they only get the location data from the geofeeds anyway. I have two probes that are both marked as South Africa, but they're actually in Romania. I've submitted a correction report, but until then, I've brought them offline. Globalping relies on the fact that the majority of probes are accurate.

  • oloke Member

    I think @zGato and @sh97 may have some clues on this one, we already looked at it a couple days ago.
    From what I remember the conclusion was that this is quite fishy and probably not real location.

  • jimaek Member

    We do our best to verify all probe locations but it's a non-trivial issue.
    Current logic is here https://github.com/jsdelivr/globalping/blob/master/docs/geoip.md but we're trying to improve it.

    But the vast majority should be correct, enough to not create any problems in day to day testing.

    Such locations like Iran are really an exception.

    And I'm pretty sure it would be blocked once our new VPN detection logic goes live https://github.com/jsdelivr/globalping/issues/766

  • gbzret4d Member
    edited 3:17PM

    @xvps said:
    Thank you for letting us know that globalping.io uses fake probe locations.

    (Internet access in Iran is currently blocked, so you can’t ping any local IP addresses from outside Iran or from your probe, but your probe can ping anything outside Iran.)

    193.142.30.26 = globalping.io Iran probe.

    That's why I'm asking for any proof, so globalping and others can update their logic/algorithms to detect such possibly wrong probes. You are free to report any wrong IP data to the IP geo databases at ipinfo, ....
    The guys at globalping are really working hard to detect and remove such probes. I'm only leaving this probe up so far so users can try to find a way to find any proof of what the real location is.

  • gbzret4d Member

    @oloke said:
    I think @zGato and @sh97 may have some clues on this one, we already looked at it a couple days ago.
    From what I remember the conclusion was that this is quite fishy and probably not real location.

    I'm pretty sure it's not the real location, only trying to find a way to determine such probes and ip data.

  • xvps Member

    @gbzret4d said:
    ..., since I have access through ssh to the vps. Here's the ip: 193.142.30.26

    @gbzret4d said:
    I'm only leaving this probe up so far so users can try to find a way to find any proof of what the real location is.

    Perhaps you should explain who you are, your relationship to AS59580 and globalping, and the real purpose of these requests.


    More related links:
    https://www.webhostingtalk.com/showthread.php?t=1517424
    https://www.webhostingtalk.com/showthread.php?t=1778688

  • It is a real Iran location, Batterflyai Media aka ip-transit.ir is an old bulletproof host and they tunnel through different locations since forever, to obfuscate where exactly in Iran it's located.
    No local peering though, so it may not be very useful as a probe for testing Iran connectivity.

    They were previously raided in countries like Lebanon, so I guess they take higher precautions.

  • hostal Member, Host Rep
     4. AS1299   nug-b2-link.ip.twelve99.net (62.115.183.232)         0.5%   222    0.6   0.5   0.4   0.8   0.1
     5. AS1299   ffm-bb1-link.ip.twelve99.net (62.115.140.202)        0.0%   222    4.0   4.0   3.8   4.7   0.1
     6. AS1299   ffm-b14-link.ip.twelve99.net (62.115.132.209)        0.0%   222    6.3   7.1   4.7  37.9   2.9
     7. AS1299   mao-ic-388296.ip.twelve99-cust.net (62.115.193.15)   0.0%   222  103.4 103.5 103.0 104.2   0.3
     8. AS59580  193.142.30.26 (193.142.30.26)                        0.0%   222  203.3 203.4 202.8 204.1   0.3

    Last hop in trace before hitting the IP looks to be Madrid - Arelion

    mao-ic-388296.ip.twelve99-cust.net
    mao = Madrid
    ic = interconnect
    twelve99-cust.net = customer-facing interface
    This is the handoff from Arelion to a downstream customer or peer in Madrid.

    From there, it can be tunneled anywhere (based on the added latency), but I doubt it is in the Netherlands.

    Thanked by 1 gbzret4d
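
The per-hop latency reasoning used in the replies above, as an added example that is not part of any participant's post: it parses the mtr hops posted in the thread, flags the large RTT jumps, and turns each into an upper bound on extra path length. The 200 km/ms fibre speed, the 50 ms threshold and all function names are assumptions of this example.

```python
import re

# mtr hops 4-8 copied from the trace posted above (whitespace collapsed).
MTR_REPORT = """\
 4. AS1299 nug-b2-link.ip.twelve99.net (62.115.183.232) 0.5% 222 0.6 0.5 0.4 0.8 0.1
 5. AS1299 ffm-bb1-link.ip.twelve99.net (62.115.140.202) 0.0% 222 4.0 4.0 3.8 4.7 0.1
 6. AS1299 ffm-b14-link.ip.twelve99.net (62.115.132.209) 0.0% 222 6.3 7.1 4.7 37.9 2.9
 7. AS1299 mao-ic-388296.ip.twelve99-cust.net (62.115.193.15) 0.0% 222 103.4 103.5 103.0 104.2 0.3
 8. AS59580 193.142.30.26 (193.142.30.26) 0.0% 222 203.3 203.4 202.8 204.1 0.3
"""

# Assumption: signals in fibre cover about 200 km per millisecond (roughly 2/3 c).
FIBRE_KM_PER_MS = 200.0

# Columns after the address: Loss% Snt Last Avg Best Wrst StDev.
HOP_RE = re.compile(
    r"^\s*(\d+)\.\s+(AS\d+)\s+(\S+)\s+\(([\d.]+)\)\s+[\d.]+%\s+\d+"
    r"\s+[\d.]+\s+[\d.]+\s+([\d.]+)\s+[\d.]+\s+[\d.]+\s*$"
)

def parse_hops(report):
    """Return one dict per hop; 'best' is the minimum RTT, least affected by queueing."""
    hops = []
    for line in report.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append({"hop": int(m[1]), "asn": m[2], "host": m[3],
                         "ip": m[4], "best": float(m[5])})
    return hops

def max_one_way_km(rtt_ms):
    """Upper bound on one-way path length for a given round-trip time."""
    return round(rtt_ms / 2 * FIBRE_KM_PER_MS)

def latency_jumps(hops, threshold_ms=50.0):
    """Find consecutive hops whose best RTT rises by at least threshold_ms."""
    jumps = []
    for prev, cur in zip(hops, hops[1:]):
        delta = round(cur["best"] - prev["best"], 1)
        if delta >= threshold_ms:
            jumps.append((prev["hop"], cur["hop"], delta, max_one_way_km(delta)))
    return jumps

if __name__ == "__main__":
    hops = parse_hops(MTR_REPORT)
    for a, b, delta, km in latency_jumps(hops):
        print(f"hop {a} -> {b}: +{delta} ms, at most {km} km of extra one-way path")
    print("end host is at most", max_one_way_km(hops[-1]["best"]), "km of path away")
```

A large jump only bounds how long the path is; tunnelling and detours add delay too, so the latency is consistent with a far-away host but does not by itself identify the country.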
  • gbzret4d Member
    edited 3:49PM

    @xvps said:

    Perhaps you should explain who you are, your relationship to AS59580 and globalping, and the real purpose of these requests.


    More related links:
    https://www.webhostingtalk.com/showthread.php?t=1517424
    https://www.webhostingtalk.com/showthread.php?t=1778688

    Hi, I'm Peter. I'm helping globalping to get sponsors or companies/isp/ix,... to run probes or give away small servers so globalping can run probes on their own. Right now I'm running about 200 probes (150 under my id/adoption token). The mentioned AS is sponsoring many probes, that's all - no contracts, only a banner on globalping's website.
