unique ip for all users!


by usy use -

Today one of my students complained that his answers were changed during the quiz. I searched his quiz logs and found that two IP addresses were recorded. One of the IPs was "2.146.0.4".

I searched my users for their IP addresses to find the student with the associated IP address. I was shocked when I saw that more than 20 students' last IP address was "2.146.0.4"!

How is it possible? Does it show that it is a kind of virus or invader or something?

Please, someone.

In reply to usy use

Re: unique ip for all users!

by Ken Task -

IP 2.146.0.4 has no reverse:
dig -x 2.146.0.4

QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
2.in-addr.arpa.        899    IN    SOA    pri.authdns.ripe.net

pri.authdns.ripe.net shows to be a 'private'
 
A whois on that IP shows:

inetnum:        2.146.0.0 - 2.146.63.255
netname:        IRANCELL-NET
descr:          Iran Cell Service and Communication Company
country:        IR

Do a trace route from your server:
traceroute 2.146.0.4

When you query the DB use this:

select id,auth,username,firstname,lastname,email,lastip,lastaccess,lastlogin from mdl_user;

The lastaccess and lastlogin are epoch time stamps.

Look for the time stamps around the time of the quiz.

https://www.epochconverter.com/

'SoS', Ken

Average of ratings: Useful (1)
In reply to usy use

Re: unique ip for all users!

by Visvanath Ratnaweera -
Hi

I assume that IRANCELL-NET is a mobile internet provider. Then many users coming from the same IP address has a legitimate explanation. Unlike most home DSL routers, mobile devices are not assigned public IP addresses like 2.146.0.4, even temporarily. They only get private IP addresses, which enter the Internet through routers belonging to the service provider and are visible under those routers' IP addresses. Still, the requests coming from such devices receive replies through a mechanism called Network Address Translation (NAT). So it is common for many subscribers from the same mobile carrier to share a public IP address.

That doesn't eliminate the possibility that a second student knew the password of the first student and "resubmitted" the exam for him. Or found his mobile, on which the Moodle App was installed and configured for your site, and again resubmitted the exam for him. Such possibilities are hard to trace; you have to track the web server logs, comparing device identifications (not merely IP addresses).
Average of ratings: Useful (2)
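
What comparing device identifications in the web server logs can look like, as an added example that is not part of the original posts. It assumes the server writes the Apache/nginx "combined" log format and that quiz pages are requested as /mod/quiz/attempt.php?attempt=<id>; the log lines are constructed and the function names are hypothetical. Timestamps are returned as epoch seconds so they can be lined up with lastaccess and lastlogin from mdl_user.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache/nginx "combined" log format (not real log data).
# Every request arrives from the carrier's shared NAT address.
SAMPLE_LOG = '''\
2.146.0.4 - - [12/Dec/2020:09:01:10 +0000] "GET /mod/quiz/attempt.php?attempt=101&cmid=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Linux; Android 10) Chrome/87.0 Mobile"
2.146.0.4 - - [12/Dec/2020:09:02:30 +0000] "GET /mod/quiz/attempt.php?attempt=102&cmid=7 HTTP/1.1" 200 5090 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 14_2) Safari/604.1"
2.146.0.4 - - [12/Dec/2020:09:03:05 +0000] "GET /mod/quiz/attempt.php?attempt=103&cmid=7 HTTP/1.1" 200 5101 "-" "Mozilla/5.0 (Linux; Android 10) Chrome/87.0 Mobile"
2.146.0.4 - - [12/Dec/2020:09:20:44 +0000] "GET /mod/quiz/attempt.php?attempt=101&cmid=7&page=2 HTTP/1.1" 200 5133 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/83.0"
2.146.0.4 - - [12/Dec/2020:09:21:00 +0000] "GET /theme/image.php/boost/core/1/icon HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/83.0"
'''

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Assumed URL shape of a quiz attempt page; adjust to the site's own logs.
ATTEMPT_RE = re.compile(r'/mod/quiz/attempt\.php\?(?:\S*&)?attempt=(\d+)')

def clients_per_attempt(log_text):
    """Map attempt id -> [(epoch, ip, user_agent), ...] in log order."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        a = ATTEMPT_RE.search(m['url']) if m else None
        if not a:
            continue  # unparsable line or not a quiz attempt request
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        seen[int(a.group(1))].append((int(ts.timestamp()), m['ip'], m['ua']))
    return dict(seen)

def suspicious_attempts(log_text):
    """Attempts reached by more than one distinct (ip, user agent) pair."""
    flagged = {}
    for attempt, hits in clients_per_attempt(log_text).items():
        clients = {(ip, ua) for _, ip, ua in hits}
        if len(clients) > 1:
            flagged[attempt] = sorted(clients)
    return flagged

def attempts_per_ip(log_text):
    """Distinct attempts behind each source IP (large behind carrier NAT)."""
    per_ip = defaultdict(set)
    for attempt, hits in clients_per_attempt(log_text).items():
        for _, ip, _ in hits:
            per_ip[ip].add(attempt)
    return {ip: len(ids) for ip, ids in per_ip.items()}
```

On the sample, one IP serves three attempts, and only attempt 101 is flagged, because a second browser opens it from the same address. A changed user agent is a lead to check against the student's account, not proof of who was at the keyboard.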
In reply to usy use

Re: unique ip for all users!

by Visvanath Ratnaweera -
By chance I noticed that your situation is much more complicated:
- students navigating the quiz through browser "back" and "forward" buttons (user error)
- answers not saved (user error or theme error)
- server overloaded (user error - impatient students or server not powerful enough)
- indeed students "sharing" accounts
Source: https://moodle.org/mod/forum/discuss.php?d=414712.

That is something for a forensic expert!
Average of ratings: Useful (1)