Hornsj2
  1. OK please close this thread. Malwarebytes staff and volunteers always do a great job and provide a much needed service. This is not your issue, but as for that link, it probably isn't related but either I misconfigured something or it was malicious because my router started attempting to perform a very large number of DNS queries. Restored from previous config. I posted the url to virustotal and it had no problem with it, and I used MB, Norton Power Eraser, and a full Norton system scan and they came up with nothing so I think I'm good to go. I thought last time I was here I saw donates on signatures. Please let me know if you have a place to make a small donation.
  2. Hi, thank you for the reply. If you wouldn't mind leaving this open for another day or so, I am troubleshooting some router configuration changes and in the middle of it I clicked on some link to explain some settings and my browser has been unable to navigate to some sites. I ask for the day so I can make sure I didn't misconfigure something.
  3. Hi there. Thank you for the response, and for MB checking that IP address. I think I did it AGAIN (posted to wrong forum). I took this section of the forum description "...get advice from tech experts and fellow users. Learn how to optimize Malwarebytes 3 for your needs and ensure it's doing everything it can to protect you from online threats like spyware, ransomware, and Trojans. ..." to mean it was for general safety discussion and not for malware removal. My license is for Malwarebytes 3.x premium for Windows. I did open a thread shortly after my last post to this thread asking for help. To be honest, I'd like to know if something is on my machine. I've been waiting in the Windows help section for someone to free up. I've already posted there and figured as soon as everyone was done with the obvious infection cases they would pick out my situation. I mean I see over there that some people clearly have problems and maybe I'm just paranoid about malware.
  4. I've spent the last 14 hours or so analyzing my network and doing research on this topic. It turns out firefox makes 2 connections when it starts up. One of them is to akamai technologies. The request is over https, and looking at shodan output for that website it lists the following certificate information: Authority Information Access: OCSP - URI:http://ocsp.digicert.com CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt So that would explain why it's doing what it's doing. I used wireshark and burp to look at the request/responses for OCSP and also to monitor the traffic going to this IP address and it all looks to me like it's legit. All of that being said, since I put the logs up would it be possible to still get a fixlist? I did run power eraser a couple days ago and it found a bad registry entry for internet explorer, which I don't use, that allowed downloading files from internet zone (zone 3?). Not overly familiar with that but I'm pretty sure I've run power eraser since I installed my OS a few months ago and that was not present. Would be willing to donate.
  5. First one is of one of my VMs. I also had that IP connection over port 80 on my windows host that runs firefox with the same extensions (and has MB3 on it). Second one is the Burp Suite request to the address. This is the address listed in the certificate. Problems are: 1. This doesn't happen on my other computer (but it does happen on every virtual machine I run on THIS host, regardless of the OS). 2. On my home page, even when set to a local file, it sends out this request. 3. A connection over http is made and maintained with this IP. I haven't read the OCSP protocol spec so maybe that's normal.
  6. FRST.txt Addition.txt MBThreat.txt
  7. OK I have decided to seek help to determine if my computer is infected. Attached are the logs. Since the last time I was here 4 months ago I have done a nuke and pave on my system so everything should have been installed within the last few months. You will notice a c:\hackAgain folder. I created this folder myself to store research into this ip connection issue I have put on the other section of the forums (about firefox connecting to ocsp.digicert.com). I must say I see no evidence of malware on my system but given what people are writing (even as up to date as 2 hours at the time I write this) about that ip address and what it's doing to people, and that I have had a connection established to it for god knows how long, I want to make sure. I have some tools downloaded here like Kali, GHIDRA, Burp etc because I'm starting to get really interested in security and bug bounty since my last potential hack incident.
  8. You can go ahead and close this. I don't think this is a MB problem and although I'm going to do more analysis of my network, I can't say right now I think I'm infected with anything.
  9. I apologize for putting this in the wrong section of the forums.
  10. Sorry for cross posting this with the other forum section but I think I put it in the wrong place and I didn't know how to move it, or if that is possible. Should MB take another look at this IP address? I run MB3 on my host and on that host + every vm I run off that host (flavors of linux) firefox tries to connect to that site. HOWEVER, my laptop is running just linux and it does not exhibit the same behavior with Firefox. Same flavor as two vms I've looked at on my windows host that is running MB3. The VM I just created from image does the same thing. I can't explain it. What I said in a reply to my own thread in the blocked website section (original thread mentioned above) was that if I turn off two privacy features it stops attempting to connect. One of them is OCSP responders so maybe that makes sense but the reports of DDOS, hacking, extortion, etc from this IP are pretty alarming. Am I being gas-lighted by this abuseipdb.com? From what I read on this site (MB) this is not an issue, but according to that (abuseipdb) site there is a big problem with this ip. Are hackers doing social engineering planted reports on that site to freak people out because they know connections to it are widespread? Or is this really an issue? I have read two other forum posts about this ip address. One said MB was producing a lot of false positives with Mozilla products on this IP.

      nslookup ocsp.digicert.com
      Server:         127.0.1.1
      Address:        127.0.1.1#53
      Non-authoritative answer:
      ocsp.digicert.com       canonical name = cs9.wac.phicdn.net.
      Name:   cs9.wac.phicdn.net
      Address: 72.21.91.29

      I noticed today that every version of firefox I run, from my windows host running MB, to my two linux VMs show this IP address as having a connection in firefox. After investigating, I have mixed information about whether or not this IP address should be blocked by MB or if it is really a certificate authority (or whatever you call it). When I start Firefox I do lsof (linux) or netstat (windows) and see that it starts a connection to this ip address (a connection which is maintained over port 80). My extensions are https everywhere, ublock origin, decentraleyes, cookie autodelete. Given the above information I would be at ease but then I read the reports on this website about people getting hacked through it: https://www.abuseipdb.com/check/72.21.91.29 Some examples (there are more, and they are all pretty recent):

      27 Nov 2018: "This guy bought an ssl certificate, BUT... if you run an Nmap scan, you will see that it is just a router, not an ssl server"

      06 Jan 2019: "Secretly records unwanted video and spoofs users on Facebook purporting to be a real person when it is actually a bot. Uses server techniques to create a fake account that can hack into user's personal data without appearing on Facebook. Is determined to exploit servers in order to reveal nudity/other-sexual-content on public social media (e.g. YouTube, Facebook, WhatsApp) to humiliate. Exploits personal information in order to commit extortion by threatening users to give away bank information. The threat includes the user being publicly humiliated by accessing personal information, without consent of the user, if he/she does not pay a large sum of money ($8000-10000) to prevent the information from being revealed publicly. Repeatedly contacts the user if the user disconnects from the call/text message, through other forms of social media that the user may be logged into. The user is blackmailed to send a large sum of money through either a fraudulent phone number or email."

      22 Feb 2019: "This IP was just seen on my Windows system using netstat. Unplugged my router/modem. Why would Verizon be connected to my pc. I've run scans with Malwarebytes, rogue killer, I've run rootkit scans and nothing malicious is found. Guess I should wipe the system and start over."

      DDoS Attack, FTP Brute-Force, Fraud VoIP, Port Scan, Hacking, Brute-Force, Exploited Host, Web App Attack, SSH
  11. Would it be a big problem if someone hacked the cert site that Firefox uses to confirm web pages? Seems like this could make for a widespread problem but admittedly I don't know. Some people I talk to, and in fact one of my other computers, don't have this ip connection even with those options checked.
  12. I have found when I disable two options under privacy and security in FireFox, these connections go away. "Block dangerous and deceptive content" "Query OCSP responder servers to confirm the current validity of certificates" So I guess it's likely this abuseipdb is being exploited to sow fear?
  13. Should MB take another look at this IP address? Am I being gas-lighted by this abuseipdb.com? From what I read on this site this is not an issue, but according to that site there is a big problem with this ip. Are hackers doing social engineering planted reports on that site to freak people out because they know connections to it are widespread? Or is this really an issue? I run MB3 on my host. I have read two other forum posts about this ip address. One said MB was producing a lot of false positives with Mozilla products on this IP.

      nslookup ocsp.digicert.com
      Server:         127.0.1.1
      Address:        127.0.1.1#53
      Non-authoritative answer:
      ocsp.digicert.com       canonical name = cs9.wac.phicdn.net.
      Name:   cs9.wac.phicdn.net
      Address: 72.21.91.29

      I noticed today that every version of firefox I run, from my windows host running MB, to my two linux VMs show this IP address as having a connection in firefox. After investigating, I have mixed information about whether or not this IP address should be blocked by MB or if it is really a certificate authority (or whatever you call it). When I start Firefox I do lsof (linux) or netstat (windows) and see that it starts a connection to this ip address (a connection which is maintained over port 80). My extensions are https everywhere, ublock origin, decentraleyes, cookie autodelete. Given the above information I would be at ease but then I read the reports on this website about people getting hacked through it: https://www.abuseipdb.com/check/72.21.91.29 Some examples (there are more, and they are all pretty recent):

      27 Nov 2018: "This guy bought an ssl certificate, BUT... if you run an Nmap scan, you will see that it is just a router, not an ssl server"

      06 Jan 2019: "Secretly records unwanted video and spoofs users on Facebook purporting to be a real person when it is actually a bot. Uses server techniques to create a fake account that can hack into user's personal data without appearing on Facebook. Is determined to exploit servers in order to reveal nudity/other-sexual-content on public social media (e.g. YouTube, Facebook, WhatsApp) to humiliate. Exploits personal information in order to commit extortion by threatening users to give away bank information. The threat includes the user being publicly humiliated by accessing personal information, without consent of the user, if he/she does not pay a large sum of money ($8000-10000) to prevent the information from being revealed publicly. Repeatedly contacts the user if the user disconnects from the call/text message, through other forms of social media that the user may be logged into. The user is blackmailed to send a large sum of money through either a fraudulent phone number or email."

      22 Feb 2019: "This IP was just seen on my Windows system using netstat. Unplugged my router/modem. Why would Verizon be connected to my pc. I've run scans with Malwarebytes, rogue killer, I've run rootkit scans and nothing malicious is found. Guess I should wipe the system and start over."

      DDoS Attack, FTP Brute-Force, Fraud VoIP, Port Scan, Hacking, Brute-Force, Exploited Host, Web App Attack, SSH
  14. This should be {redacted actual email SENDER before the @ symbol } @bounce.malwarebytes.com
  15. Forgive me if this is in the wrong section but I believe this is at least tangentially related to my MB subscription. I am looking at my spam filter's logs today and I see what looks like a rejected email from Malwarebytes today. I don't want to miss notifications about possible attacks so I am wondering if this is a legit email. I ask because it's going to an email address I had when I signed up for Malwarebytes, but one which is not associated with my subscriptions now. I unfortunately don't have the raw header, at least in my noobishness I don't think I do. I do have the logs though. the email address was {redacted actual email subject before the @ symbol } @bounce.malwarebytes.com Here's the rest of the log info I have that I think is relevant: mta.malwarebytes.com 136.147.184.35 United States spam (no subject) rejected Additionally there is no From in the logs. So no subject and no from makes me think it's spam. Also, the IP address whois information is some other marketing company called ExactTarget and not Malwarebytes. Last thing, though. An nslookup resulted in the following: Non-authoritative answer: Name: mta.malwarebytes.com Address: 136.147.184.35 Should I ignore this or try to figure out why MB may be sending emails to an old address?
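Posts 4, 12 and 13 above trace a persistent port-80 Firefox connection to the OCSP responder ocsp.digicert.com, resolved through cs9.wac.phicdn.net to 72.21.91.29. As an added example (not code from the poster or from Malwarebytes), the following Python does that triage offline: it resolves the expected responder through a DNS table constructed from the nslookup output in the posts, then labels each line of constructed `lsof -i -n -P` output as expected OCSP traffic or as a connection that still needs explaining. The responder list and the lsof lines are assumptions built for the example.

```python
import re

# Constructed DNS table mirroring the nslookup output quoted in the posts:
# ocsp.digicert.com -> CNAME cs9.wac.phicdn.net -> A 72.21.91.29.
# Assumption: a real triage resolves these live instead of hard-coding them.
DNS_RECORDS = {
    "ocsp.digicert.com": ("CNAME", "cs9.wac.phicdn.net"),
    "cs9.wac.phicdn.net": ("A", "72.21.91.29"),
}

# OCSP responder hosts from the certificate's Authority Information Access
# (AIA) extension; only the one named in the posts is listed (assumption).
EXPECTED_OCSP_HOSTS = ["ocsp.digicert.com"]

# Constructed `lsof -i -n -P` lines: one a known responder explains, one not.
SAMPLE_LSOF = """\
firefox  4242 user  61u  IPv4 123456  0t0  TCP 192.168.1.10:51234->72.21.91.29:80 (ESTABLISHED)
firefox  4242 user  62u  IPv4 123457  0t0  TCP 192.168.1.10:51235->203.0.113.7:443 (ESTABLISHED)
"""

LSOF_RE = re.compile(
    r"^(\S+)\s+(\d+).*?TCP\s+\S+->(\d+(?:\.\d+){3}):(\d+)\s+\(ESTABLISHED\)")


def resolve(host, records=DNS_RECORDS, max_hops=8):
    """Follow the CNAME chain to its A record, the way nslookup does."""
    ips = set()
    for _ in range(max_hops):  # bounded so a CNAME loop cannot spin forever
        rtype, value = records.get(host, ("NONE", ""))
        if rtype == "A":
            ips.add(value)
            break
        if rtype != "CNAME":
            break
        host = value
    return ips


def triage(lsof_output, hosts=EXPECTED_OCSP_HOSTS):
    """Label each established TCP connection as expected OCSP traffic or not."""
    # OCSP (RFC 6960) rides on plain HTTP, so a kept-alive port-80 connection
    # to a responder's resolved address is the normal shape of this traffic.
    expected = set().union(*(resolve(h) for h in hosts))
    results = []
    for line in lsof_output.splitlines():
        m = LSOF_RE.match(line)
        if not m:
            continue
        proc, pid, ip, port = m.groups()
        ok = ip in expected and port == "80"
        results.append({"process": proc, "pid": pid, "dst": f"{ip}:{port}",
                        "verdict": "expected-ocsp" if ok else "unexplained"})
    return results
```

Anything labelled `unexplained` is what merits a packet capture; an `expected-ocsp` hit is the behaviour the posts observed, and it disappears when the OCSP query option is turned off in Firefox.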