Hornsj2

About Hornsj2

  1. I've spent the last 14 hours or so analyzing my network and doing research on this topic. It turns out Firefox makes 2 connections when it starts up. One of them is to Akamai Technologies. The request is over HTTPS, and looking at Shodan output for that website it lists the following certificate information:
     Authority Information Access:
       OCSP - URI:http://ocsp.digicert.com
       CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
     So that would explain why it's doing what it's doing. I used Wireshark and Burp to look at the requests/responses for OCSP and also to monitor the traffic going to this IP address, and it all looks to me like it's legit. All of that being said, since I put the logs up, would it be possible to still get a fixlist? I did run Power Eraser a couple of days ago and it found a bad registry entry for Internet Explorer, which I don't use, that allowed downloading files from the Internet zone (zone 3?). Not overly familiar with that, but I'm pretty sure I've run Power Eraser since I installed my OS a few months ago and that was not present. Would be willing to donate.
  2. The first one is of one of my VMs. I also had that IP connection over port 80 on my Windows host that runs Firefox with the same extensions (and has MB3 on it). The second one is the Burp Suite request to the address. This is the address listed in the certificate. Problems are:
     1. This doesn't happen on my other computer (but it does happen on every virtual machine I run on THIS host, regardless of the OS).
     2. On my home page, even when set to a local file, it sends out this request.
     3. A connection over HTTP is made and maintained with this IP. I haven't read the OCSP protocol spec, so maybe that's normal.
  3. OK, I have decided to seek help to determine if my computer is infected. Attached are the logs. Since the last time I was here 4 months ago I have done a nuke and pave on my system, so everything should have been installed within the last few months. You will notice a c:\hackAgain folder. I created this folder myself to store research into this IP connection issue I have put on the other section of the forums (about Firefox connecting to ocsp.digicert.com). I must say I see no evidence of malware on my system, but given what people are writing (even as up to date as 2 hours at the time I write this) about that IP address and what it's doing to people, and that I have had a connection established to it for god knows how long, I want to make sure. I have some tools downloaded here like Kali, GHIDRA, Burp etc. because I'm starting to get really interested in security and bug bounty since my last potential hack incident.
  4. You can go ahead and close this. I don't think this is a MB problem and although I'm going to do more analysis of my network, I can't say right now I think I'm infected with anything.
  5. I apologize for putting this in the wrong section of the forums.
  6. Sorry for cross-posting this with the other forum section, but I think I put it in the wrong place and I didn't know how to move it, or if that is possible. Should MB take another look at this IP address? I run MB3 on my host, and on that host + every VM I run off that host (flavors of Linux) Firefox tries to connect to that site. HOWEVER, my laptop is running just Linux and it does not exhibit the same behavior with Firefox. Same flavor as two VMs I've looked at on my Windows host that is running MB3. The VM I just created from image does the same thing. I can't explain it. What I said in a reply to my own thread in the blocked website section (original thread mentioned above) was that if I turn off two privacy features it stops attempting to connect. One of them is OCSP responders, so maybe that makes sense, but the reports of DDoS, hacking, extortion, etc. from this IP are pretty alarming. Am I being gaslighted by this abuseipdb.com? From what I read on this site (MB) this is not an issue, but according to that (abuseipdb) site there is a big problem with this IP. Are hackers doing social engineering, planting reports on that site to freak people out because they know connections to it are widespread? Or is this really an issue? I have read two other forum posts about this IP address. One said MB was producing a lot of false positives with Mozilla products on this IP.
     nslookup ocsp.digicert.com
     Server:    127.0.1.1
     Address:   127.0.1.1#53
     Non-authoritative answer:
     ocsp.digicert.com   canonical name = cs9.wac.phicdn.net.
     Name:   cs9.wac.phicdn.net
     Address: 72.21.91.29
     I noticed today that every version of Firefox I run, from my Windows host running MB to my two Linux VMs, shows this IP address as having a connection in Firefox. After investigating, I have mixed information about whether or not this IP address should be blocked by MB or if it is really a certificate authority (or whatever you call it).
     When I start Firefox I do lsof (Linux) or netstat (Windows) and see that it starts a connection to this IP address (a connection which is maintained over port 80). My extensions are HTTPS Everywhere, uBlock Origin, Decentraleyes, Cookie AutoDelete. Given the above information I would be at ease, but then I read the reports on this website about people getting hacked through it: https://www.abuseipdb.com/check/72.21.91.29
     Some examples (there are more, and they are all pretty recent):
     27 Nov 2018: This guy bought an ssl certificate, BUT... if you run an Nmap scan, you will see that it is just a router, not an ssl server
     06 Jan 2019: Secretly records unwanted video and spoofs users on Facebook purporting to be a real person when it is actually a bot. Uses server techniques to create a fake account that can hack into user's personal data without appearing on Facebook. Is determined to exploit servers in order to reveal nudity/other-sexual-content on public social media (e.g. YouTube, Facebook, WhatsApp) to humiliate. Exploits personal information in order to commit extortion by threatening users to give away bank information. The threat includes the user being publicly humiliated by accessing personal information, without consent of the user, if he/she does not pay a large sum of money ($8000-10000) to prevent the information from being revealed publicly. Repeatedly contacts the user if the user disconnects from the call/text message, through other forms of social media that the user may be logged into. The user is blackmailed to send a large sum of money through either a fraudulent phone number or email.
     22 Feb 2019: This IP was just seen on my Windows system using netstat. Unplugged my router/modem. Why would Verizon be connected to my pc. I've ran scans with Malwarebytes, rogue killer, I've ran rootkit scans and nothing malicious is found. Guess I should wipe the system and start over.
     DDoS Attack, FTP Brute-Force, Fraud VoIP, Port Scan, Hacking, Brute-Force, Exploited Host, Web App Attack, SSH
  7. Would it be a big problem if someone hacked the cert site that Firefox uses to confirm web pages? Seems like this could make for a widespread problem, but admittedly I don't know. Some people I talk to, and in fact one of my other computers, don't have this IP connection even with those options checked.
  8. I have found that when I disable two options under Privacy and Security in Firefox, these connections go away:
     "Block dangerous and deceptive content"
     "Query OCSP responder servers to confirm the current validity of certificates"
     So I guess it's likely this abuseipdb is being exploited to sow fear?
  9. Should MB take another look at this IP address? Am I being gaslighted by this abuseipdb.com? From what I read on this site this is not an issue, but according to that site there is a big problem with this IP. Are hackers doing social engineering, planting reports on that site to freak people out because they know connections to it are widespread? Or is this really an issue? I run MB3 on my host. I have read two other forum posts about this IP address. One said MB was producing a lot of false positives with Mozilla products on this IP.
     nslookup ocsp.digicert.com
     Server:    127.0.1.1
     Address:   127.0.1.1#53
     Non-authoritative answer:
     ocsp.digicert.com   canonical name = cs9.wac.phicdn.net.
     Name:   cs9.wac.phicdn.net
     Address: 72.21.91.29
     I noticed today that every version of Firefox I run, from my Windows host running MB to my two Linux VMs, shows this IP address as having a connection in Firefox. After investigating, I have mixed information about whether or not this IP address should be blocked by MB or if it is really a certificate authority (or whatever you call it). When I start Firefox I do lsof (Linux) or netstat (Windows) and see that it starts a connection to this IP address (a connection which is maintained over port 80). My extensions are HTTPS Everywhere, uBlock Origin, Decentraleyes, Cookie AutoDelete. Given the above information I would be at ease, but then I read the reports on this website about people getting hacked through it: https://www.abuseipdb.com/check/72.21.91.29
     Some examples (there are more, and they are all pretty recent):
     27 Nov 2018: This guy bought an ssl certificate, BUT... if you run an Nmap scan, you will see that it is just a router, not an ssl server
     06 Jan 2019: Secretly records unwanted video and spoofs users on Facebook purporting to be a real person when it is actually a bot. Uses server techniques to create a fake account that can hack into user's personal data without appearing on Facebook. Is determined to exploit servers in order to reveal nudity/other-sexual-content on public social media (e.g. YouTube, Facebook, WhatsApp) to humiliate. Exploits personal information in order to commit extortion by threatening users to give away bank information. The threat includes the user being publicly humiliated by accessing personal information, without consent of the user, if he/she does not pay a large sum of money ($8000-10000) to prevent the information from being revealed publicly. Repeatedly contacts the user if the user disconnects from the call/text message, through other forms of social media that the user may be logged into. The user is blackmailed to send a large sum of money through either a fraudulent phone number or email.
     22 Feb 2019: This IP was just seen on my Windows system using netstat. Unplugged my router/modem. Why would Verizon be connected to my pc. I've ran scans with Malwarebytes, rogue killer, I've ran rootkit scans and nothing malicious is found. Guess I should wipe the system and start over.
     DDoS Attack, FTP Brute-Force, Fraud VoIP, Port Scan, Hacking, Brute-Force, Exploited Host, Web App Attack, SSH
  10. This should be {redacted actual email SENDER before the @ symbol } @bounce.malwarebytes.com
  11. Forgive me if this is in the wrong section, but I believe this is at least tangentially related to my MB subscription. I am looking at my spam filter's logs today and I see what looks like a rejected email from Malwarebytes today. I don't want to miss notifications about possible attacks, so I am wondering if this is a legit email. I ask because it's going to an email address I had when I signed up for Malwarebytes, but one which is not associated with my subscriptions now. I unfortunately don't have the raw header, at least in my noobishness I don't think I do. I do have the logs though. The email address was {redacted actual email subject before the @ symbol } @bounce.malwarebytes.com. Here's the rest of the log info I have that I think is relevant:
     mta.malwarebytes.com 136.147.184.35 United States spam (no subject) rejected
     Additionally there is no From in the logs. So no subject and no From makes me think it's spam. Also, the IP address whois information is some other marketing company called ExactTarget and not Malwarebytes. Last thing, though. An nslookup resulted in the following:
     Non-authoritative answer:
     Name:   mta.malwarebytes.com
     Address: 136.147.184.35
     Should I ignore this or try to figure out why MB may be sending emails to an old address?
  12. Forgot to mention that it is possible that if your email address and password were taken in a breach they CAN do bad things, so as everyone is saying, make sure you change your password. Also, it is a really bad idea to share passwords amongst different sites. It is a pain to do, but you should have a strong password that is unique to each account you have online. By the way, these people are stealing not only passwords and email but phone numbers, challenge question answers (think mother's maiden name etc.), and other personal information. None of that is proof they have hacked your device.
  13. If you have the ability to open your SMTP header for the email, you will most likely see (I would bet my house on it) that they are "spoofing" your email address. There are many different types of these email scams going around now. Some ask for bitcoin, some tell you to click on a link to see evidence. If you click on any links you WILL get malware. Report this to your email provider or buy a spam filter if you run your own server.
  14. Oh all those files not quarantined are gone. I deleted that mail account from Mail and after backing up that account to PST (yes, need to be careful with this pst) I deleted that and 2 other mail accounts. Thank you again.
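The triage described in posts 1, 6 and 9, done in code as an added example (not code from the thread or from Malwarebytes): resolve the OCSP host named in the certificate's AIA extension, match its address against a Firefox process's established connections, and confirm from a captured request that the port-80 traffic is an OCSP POST. The nslookup answer mirrors the one quoted in the thread; the lsof lines and the HTTP request are constructed samples, and the request check covers the RFC 6960 POST form only, not the base64-in-URL GET form.

```python
import re
# Constructed nslookup answer as quoted in the thread: the AIA hostname
# resolves through a CDN CNAME to a single address.
NSLOOKUP_OUTPUT = """\
Server:    127.0.1.1
Address:   127.0.1.1#53
Non-authoritative answer:
ocsp.digicert.com   canonical name = cs9.wac.phicdn.net.
Name:   cs9.wac.phicdn.net
Address: 72.21.91.29
"""
# Constructed `lsof -i -n -P` lines for a Firefox process.
LSOF_OUTPUT = """\
firefox 4242 user 61u IPv4 0x1 0t0 TCP 192.168.1.20:51234->72.21.91.29:80 (ESTABLISHED)
firefox 4242 user 63u IPv4 0x2 0t0 TCP 192.168.1.20:51240->203.0.113.7:443 (ESTABLISHED)
"""
# Constructed RFC 6960 OCSP POST; a real body is a DER OCSPRequest (outer
# SEQUENCE, tag 0x30), shortened to two bytes here.
SAMPLE_OCSP_POST = (b"POST / HTTP/1.1\r\nHost: ocsp.digicert.com\r\n"
                    b"Content-Type: application/ocsp-request\r\n"
                    b"Content-Length: 2\r\n\r\n\x30\x00")
CONN_RE = re.compile(r"TCP\s+\S+->(\S+):(\d+)\s+\((\w+)\)")

def parse_nslookup(text):
    """Return (CNAME chain, answer addresses); the resolver's own
    'Address: 127.0.1.1#53' line comes before the answer and is skipped."""
    names, addrs, in_answer = [], set(), False
    for line in (l.strip() for l in text.splitlines()):
        in_answer = in_answer or line.startswith("Non-authoritative answer:")
        if m := re.match(r"^\S+\s+canonical name = (\S+)$", line):
            names.append(m.group(1).rstrip("."))
        elif in_answer and (m := re.match(r"^Address:\s+(\S+)$", line)):
            addrs.add(m.group(1))
    return names, addrs

def classify_connections(lsof_text, responder_addrs):
    """Label ESTABLISHED peers: 'ocsp' when the address is a resolved responder
    on port 80 (OCSP is plain HTTP), otherwise 'review' for manual triage."""
    out = []
    for m in filter(None, map(CONN_RE.search, lsof_text.splitlines())):
        peer, port, state = m.group(1), int(m.group(2)), m.group(3)
        if state == "ESTABLISHED":
            ok = peer in responder_addrs and port == 80
            out.append((peer, port, "ocsp" if ok else "review"))
    return out

def looks_like_ocsp_request(http_request):
    """True when a captured request is an OCSP POST: the OCSP Content-Type
    and a DER SEQUENCE body, which is what Wireshark or Burp should show."""
    head, _, body = http_request.partition(b"\r\n\r\n")
    head = head.lower()
    return (head.startswith(b"post ") and
            b"content-type: application/ocsp-request" in head and
            body.startswith(b"\x30"))
```

An address match alone only says the peer is the CDN the responder lives on; the request check is what ties the connection to OCSP rather than to anything else hosted there.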