mjhjmtu

I have a site hosted on CentOS 7, part of an A2 Hosting environment. Although I can access my site (http://68.66.205.103/) on my phone and an AT&T ISP, I can't access it from a Comcast ISP or my RCN ISP (which uses Comcast's network). Here's my traceroute

localhost:tmp davea$ traceroute 68.66.205.103
traceroute to 68.66.205.103 (68.66.205.103), 64 hops max, 52 byte packets
 1 192.168.1.1 (192.168.1.1) 15.293 ms 6.332 ms 1.234 ms
 2 bdl1.lem-cbr2.chi-lem.il.cable.rcn.net (10.48.40.1) 9.922 ms 17.757 ms 12.261 ms
 3 216.80.78.71 (216.80.78.71) 10.832 ms 10.550 ms 11.397 ms
 4 bdle2.border1.eqnx.il.rcn.net (207.172.15.196) 13.622 ms 23.229 ms
 bdle3.border1.eqnx.il.rcn.net (207.172.15.212) 11.654 ms
 5 * * *
 6 * * *
 7 * * *
 8 * * *
 9 * * *
10 * * *
11 * * *

What's interesting though, is that on my same machine on a Comcast ISP, I can access the site on a TOR Browser, so I don't know if that means the ISP is blocking the remote IP address or there is something else going on. Any advice is appreciated, -

Is really Comcast blocking your IP of their own accord? Well, the answer is....complicated.

It is not exactly a decision of Comcast per se.

The IP address of the server you have now has been reported as being part of a BOTNET.

Many organisations all over the world, and even organisations using firewall vendors (namely recent CheckPoint technology) might be blocking full access or certain types of access as a server to that IP address while the server is in malware blacklists (i.e. clients on that networks won't open it).

Comcast is also (in)famous for intercepting at least HTTP requests with (transparent) proxies.

What we can know for sure Comcast is consuming/using one or more blacklists applied to some technology they use to filter out accesses to certain services. They won't probably be the only organisation doing that.

As an example of statics/reports of your IP address in a backlist see (while it is active) http://vxcube.com/tools/ip/68.66.205.103/threat

and also the malware they report they saw activity from your IP address:

MMD-0052-2016 - Overview of "SkidDDoS" ELF++ IRC Botnet

Also in http://vxcube.com/tools/ip/68.66.205.103/graph , selecting the option to see URLs scanned/accessed by your host:

http://68.66.205.103/bins.sh 
http://80.211.225.35/' 
http://80.211.225.35/apache2
http://80.211.225.35/banana124.sh 
http://80.211.225.35/bash 
http://80.211.225.35/cron 
http://80.211.225.35/ftp 
http://80.211.225.35/ntpd 
http://80.211.225.35/openssh 
http://80.211.225.35/pftp

Also inserting your IP address in Shodan, it alerted me you are exposing to the Internet dangerous services.

You should not have at least rpcbind exposed to the Internet; it should be firewalled.

$ nmap -sT 68.66.205.103

Starting Nmap 7.60 ( https://nmap.org ) at 2018-02-25 18:14 WET
Nmap scan report for 68.66.205.103.static.a2webhosting.com (68.66.205.103)
Host is up (0.14s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
80/tcp open http
111/tcp open rpcbind

(Unfortunately, my own ISP prevents me from doing a reliable UDP port scanning operation)

It goes without saying that server should be reinstalled, and the security policy should be reevaluated.

P.S. I changed the question tag for malware.

Running a traceroute won't give you a deterministic answer. To check whether a port is blocked you need to connect to it directly. You can use tcptraceroute or hping to attempt to reach your :.

# tcptraceroute www.google.com 443
Running:
 traceroute -T -O info -p 443 www.google.com 
traceroute to www.google.com (216.58.198.164), 30 hops max, 60 byte packets
...
9 108.170.232.97 (108.170.232.97) 10.305 ms 10.775 ms 108.170.232.99 (108.170.232.99) 10.724 ms
10 lhr25s10-in-f164.1e100.net (216.58.198.164) <syn,ack> 9.316 ms 9.444 ms 11.003 ms

Or using HPING3:

# hping3 -V -S -p 443 www.google.co.uk
using wlp3s0, addr: <ipaddr>, MTU: 1500
HPING www.google.co.uk (wlp3s0 172.217.23.3): S set, 40 headers + 0 data bytes
len=46 ip=172.217.23.3 ttl=57 id=54832 sport=443 flags=SA seq=0 win=42780 rtt=31.8 ms
...

The fact that you can access your service over one other ISP and TOR does make it possible that Comcast is indeed blocking access to port 80. A simple test to validate malware based filtering is changing the port into a non-standard value (like 5580 or 9980) and trying again.