I am running a cloud server on Vultr.com. Recently, I logged into Vultr.com, into my cloud instance's web interface, and checked my firewall. I noticed that port 53/udp had been opened in the Vultr firewall and the allowed IP was 206.217.205.100/32. This is not an IP I recognize, and as far as I can remember, I didn't open up this port myself in my Vultr firewall from the cloud instance's web interface. Below are the results from an nslookup on my computer for this IP.
$ nslookup 206.217.205.100
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
100.205.217.206.in-addr.arpa name = noptr.midphase.com.
Authoritative answers can be found from:
I logged into my Vultr cloud instance, and the UFW firewall in my cloud instance had not opened up this port. So it looks like whoever touched my Vultr interface still couldn't get access to my cloud instance. However, this is a bit concerning, and I would like to know if I was hacked, and as much information as possible about noptr.midphase.com and its corresponding IP address 100.205.217.206. The only possible thing I can think of is that when I was using a VPN while logged into Vultr.com's web interface, I opened port 53 in my Vultr.com firewall and chose the "My IP Address" option under the source IP, then Vultr detected my VPN's IP address as the source address, instead of my actual home IP address, and added it to the source IP of the firewall. I don't think this is actually the case, but it is a possibility. If this isn't the case, then do you have answers and possible ways to check my server for intrusions, and get more information on the intruder's IP address as well as the domain noptr.midphase.com? Please let me know anything I can do to research this intrusion and damage control. Thanks.