More than three domains hosted on the same IP address
This is not a sign of a problem for your server. There's an important detail here, which is:
220.127.116.11 is not your server. That IP belongs to cloudflare.
Cloudflare provides a large number of services to websites and sits in between the public internet and a server. Someone who uses Cloudflare doesn't point their DNS to their own server - they point their DNS to Cloudflare, and then point Cloudflare to their server. As a result, millions of websites point to Cloudflare's IP addresses. Because they service more websites than they have IP addresses, they often direct multiple websites to the same IP address.
Apparently you use Cloudflare, and so the DNS for your domain points to them, not to your own IP address. When your Cloudflare account was set up, you (or whoever set it up) would have pointed Cloudflare to the actual IP address of your server. You can confirm this in two ways:
- Here is the list of IP addresses owned by Cloudflare. If you are unfamiliar with CIDR notation, the line which says
18.104.22.168/12 is of interest to you, as it includes all IPs from
22.214.171.124 is owned by Cloudflare, not AWS.
- If you check your Elastic IP in AWS, you'll see that it is something other than
126.96.36.199. Only Cloudflare knows the actual IP of your server - this is one of the advantages it provides, and one of the reasons why people use it. Cloudflare sits in the middle so that the person requesting to view your website never communicates directly with your server. In this way, Cloudflare is able to protect your server from a wide variety of attacks.
The above details should make it clear that this is not evidence that you have been compromised. However, here are some more related details for future reference:
- Shared hosting sites will have multiple domains served from one IP address. However, to the best of my knowledge, AWS does not offer such services. If you sign up for a VPS directly from AWS, you should expect to be the only one hosting any services on the given IP address.
- Therefore, if you discovered that the DNS for other domains was pointing to the IP address of your VPS on AWS, and confirmed that the sites in question are actually being hosted on that IP address, then yes this would be a sign that your site had been hacked.
188.8.131.52 is not the IP address of your server :)
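The two confirmation steps described above (is the address your DNS resolves to inside the CDN's published prefix list, and does it match the Elastic IP you know belongs to your server?) can be scripted. The following is an added example, not code from any of the answers; the prefix list and the DNS results are constructed documentation ranges so that it runs offline, and the real prefix list has to be taken from Cloudflare's own published page.

```python
import ipaddress

# Constructed stand-in for a CDN provider's published prefix list. These are
# RFC 5737 documentation ranges, NOT Cloudflare's real prefixes; replace them
# with the list the provider publishes before using this for a real check.
ASSUMED_CDN_PREFIXES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def cdn_prefix_for(ip_str):
    """Return the CIDR prefix from the CDN list that contains ip_str, or None."""
    ip = ipaddress.ip_address(ip_str)
    for net in ASSUMED_CDN_PREFIXES:
        if ip in net:
            return net
    return None


def classify(dns_ip, expected_origin_ip):
    """Explain what a public DNS answer for your domain tells you.

    dns_ip: the address the public A record for your domain resolves to
    expected_origin_ip: the Elastic IP (or other address) you know is your server
    """
    net = cdn_prefix_for(dns_ip)
    if net is not None:
        # Behind a CDN: many unrelated domains share this edge address by design.
        return f"cdn: {dns_ip} is inside {net}; other domains on it are expected"
    if ipaddress.ip_address(dns_ip) == ipaddress.ip_address(expected_origin_ip):
        # DNS goes straight to the VPS: other domains here deserve a closer look.
        return "origin: DNS points straight at your server"
    # Neither the CDN nor your own address: a stale record, a typo, or a hijack.
    return f"unknown: {dns_ip} is neither a CDN prefix nor your origin {expected_origin_ip}"


def domains_sharing_origin(resolved, origin_ip):
    """Return the hostnames in a {hostname: ip} mapping that resolve to origin_ip.

    This is the second situation in the answer: other domains whose DNS points
    at your VPS address rather than at the CDN.
    """
    origin = ipaddress.ip_address(origin_ip)
    return sorted(h for h, ip in resolved.items() if ipaddress.ip_address(ip) == origin)


if __name__ == "__main__":
    # Constructed sample: your domain resolves into the CDN range, one
    # unrelated hostname resolves directly to your Elastic IP.
    my_origin = "192.0.2.10"
    sample_dns = {
        "example.com": "198.51.100.7",
        "other.example": "192.0.2.10",
        "unrelated.example": "203.0.113.4",
    }
    print(classify(sample_dns["example.com"], my_origin))
    print("domains pointing straight at the origin:",
          domains_sharing_origin(sample_dns, my_origin))
```

The `cdn:` case is the situation in the question; the `origin:` case combined with a non-empty result from `domains_sharing_origin` is the one the answer says is worth investigating, since it means someone else's DNS names the VPS directly.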
This is perfectly normal. There is a big shortage of IPv4 addresses. In fact, we should have run out of them a long time ago. But since so much infrastructure is based on IPv4, it keeps getting "extended" in many ways. One of them, which has actually been around for a very long time, is to host multiple domains on a single server with a single IP address.
A typical inexpensive shared hosting account will share a server, and an IP address, with dozens, even hundreds of other small hosting accounts. A VPS (virtual private server) or similar account might be one of a handful on a server, though each VPS may in turn host many domains.
AWS is a little different in that you pay for fairly clearly defined amounts of hardware (CPU cores, RAM, etc.), but except for the largest instances you are still using only a fraction of an actual machine.
It is often possible to get a truly unique IPv4 address. With AWS, this is Elastic IP. Other hosting companies may have other names for it. For example, my favorite host used to offer separate IP addresses for a small fee to use with SSL certificates. There is no problem these days getting SSL certificates with a shared IPv4 address, so I use the shared IPv4 address and don't worry about it.
In the case of AWS, the big advantage of an Elastic IP is not, IMHO, that you have the IP address to yourself. Rather, it is that the IP address is constant even when you restart an instance or if you move your domain to a different (e.g., larger) instance. That can save some hassle with DNS changes.
Looks like you just found out how a Load Balancer inside a CDN with SNI works.
You can also check other hosts (SANs) behind this particular CDN with OpenSSL, like so:
echo | openssl s_client -showcerts -servername arturofm.com -connect arturofm.com:443 2>/dev/null | openssl x509 -inform pem -noout -text
...or you can use your browser's certificate viewer:
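To pull the SAN list out of the `openssl x509 -text` output from the command above without reading it by eye, here is an added helper; it is example code and not part of the answer. The embedded certificate text is a constructed excerpt in openssl's output format, not a real certificate, and the `fetch_x509_text` function simply runs the same OpenSSL pipeline the answer gives.

```python
import subprocess

# Constructed excerpt of what `openssl x509 -noout -text` prints for a
# certificate carrying several Subject Alternative Names (not a real cert).
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: CN = example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:*.example.com, DNS:example.net, IP Address:192.0.2.10
            X509v3 Key Usage: critical
                Digital Signature
"""


def parse_sans(x509_text):
    """Return the SAN entries as (type, value) tuples from openssl's text dump.

    openssl prints the extension name on one line and the comma-separated
    entries on the next, so we take the line following the header.
    """
    lines = x509_text.splitlines()
    for i, line in enumerate(lines):
        if "Subject Alternative Name" in line and i + 1 < len(lines):
            entries = []
            for item in lines[i + 1].split(","):
                item = item.strip()
                if not item:
                    continue
                # "DNS:host" or "IP Address:addr"; split on the first colon only so
                # an IPv6 literal keeps its own colons intact.
                kind, _, value = item.partition(":")
                entries.append((kind, value))
            return entries
    return []


def dns_names(entries):
    """Only the DNS-type SAN values, in certificate order."""
    return [value for kind, value in entries if kind == "DNS"]


def other_hosts(entries, own_host):
    """DNS SANs other than your own hostname: the other names served by this edge cert."""
    return [h for h in dns_names(entries) if h != own_host]


def fetch_x509_text(hostname, port=443):
    """Run the same OpenSSL pipeline as the answer and return the -text output.

    Requires the openssl binary; this is not called by the offline demo below.
    """
    client = subprocess.run(
        ["openssl", "s_client", "-showcerts", "-servername", hostname,
         "-connect", f"{hostname}:{port}"],
        input=b"", capture_output=True, check=False,
    )
    dump = subprocess.run(
        ["openssl", "x509", "-inform", "pem", "-noout", "-text"],
        input=client.stdout, capture_output=True, check=True,
    )
    return dump.stdout.decode()


if __name__ == "__main__":
    sans = parse_sans(SAMPLE_X509_TEXT)
    print("all SAN entries:", sans)
    print("other hosts on this certificate:", other_hosts(sans, "example.com"))
```

Note that the SAN list only shows the names the CDN chose to bundle onto the certificate it presented for your SNI name; it is a lower bound on what shares that edge address, not a full inventory.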