
Hornsj2

Members
  • Content Count

    32
About Hornsj2

  • Rank: New Member


  1. @gatortail Thank you. I was referring to the advantage of being able to configure my router. While at home I don't need to have an application on any device. Anything on my internal network will automatically be on the VPN.
  2. Thank you for the quick response. I will take a look at WireGuard and see if it's worth it to stop using my current provider. I trust MB more than them, but it's really convenient to have my smart devices and phone on my VPN with no effort or installation. Have a good one.
  3. Is this based on OpenVPN? I am interested in possibly switching from my current provider, but I want to configure this at my router level, and not just have it as a desktop app.
  4. OK, please close this thread. Malwarebytes staff and volunteers always do a great job and provide a much needed service. This is not your issue, but as for that link, it probably isn't related, but either I misconfigured something or it was malicious because my router started attempting to perform a very large number of DNS queries. Restored from previous config. I posted the URL to VirusTotal and it had no problem with it, and I used MB, Norton Power Eraser, and a full Norton system scan and they came up with nothing, so I think I'm good to go. I thought last time I was here I saw donate links on signatures. Please let me know if you have a place to make a small donation.
  5. Hi, thank you for the reply. If you wouldn't mind leaving this open for another day or so, I am troubleshooting some router configuration changes and in the middle of it I clicked on some link to explain some settings and my browser has been unable to navigate to some sites. I ask for the day so I can make sure I didn't misconfigure something.
  6. Hi there. Thank you for the response, and for MB checking that IP address. I think I did it AGAIN (posted to wrong forum). I took this section of the forum description "...get advice from tech experts and fellow users. Learn how to optimize Malwarebytes 3 for your needs and ensure it's doing everything it can to protect you from online threats like spyware, ransomware, and Trojans. ..." to mean it was for general safety discussion and not for malware removal. My license is for Malwarebytes 3.x Premium for Windows. I did open a thread shortly after my last post to this thread asking for help. To be honest, I'd like to know if something is on my machine. I've been waiting in the Windows help section for someone to free up. I've already posted there and figured as soon as everyone was done with the obvious infection cases they would pick out my situation. I mean, I see over there that some people clearly have problems and maybe I'm just paranoid about malware.
  7. I've spent the last 14 hours or so analyzing my network and doing research on this topic. It turns out Firefox makes 2 connections when it starts up. One of them is to Akamai Technologies. The request is over HTTPS, and looking at Shodan output for that website it lists the following certificate information:

      Authority Information Access:
      OCSP - URI:http://ocsp.digicert.com
      CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt

      So that would explain why it's doing what it's doing. I used Wireshark and Burp to look at the request/responses for OCSP and also to monitor the traffic going to this IP address, and it all looks to me like it's legit. All of that being said, since I put the logs up, would it be possible to still get a fixlist? I did run Power Eraser a couple days ago and it found a bad registry entry for Internet Explorer, which I don't use, that allowed downloading files from the Internet zone (zone 3?). I'm not overly familiar with that, but I'm pretty sure I've run Power Eraser since I installed my OS a few months ago and that was not present. Would be willing to donate.
  8. First one is of one of my VMs. I also had that IP connection over port 80 on my Windows host that runs Firefox with the same extensions (and has MB3 on it). Second one is the Burp Suite request to the address. This is the address listed in the certificate. Problems are: 1. This doesn't happen on my other computer (but it does happen on every virtual machine I run on THIS host, regardless of the OS). 2. On my home page, even when set to a local file, it sends out this request. 3. A connection over HTTP is made and maintained with this IP. I haven't read the OCSP protocol spec, so maybe that's normal.
  9. OK, I have decided to seek help to determine if my computer is infected. Attached are the logs. Since the last time I was here 4 months ago I have done a nuke and pave on my system, so everything should have been installed within the last few months. You will notice a c:\hackAgain folder. I created this folder myself to store research into this IP connection issue I have put on the other section of the forums (about Firefox connecting to ocsp.digicert.com). I must say I see no evidence of malware on my system, but given what people are writing (even as up to date as 2 hours at the time I write this) about that IP address and what it's doing to people, and that I have had a connection established to it for god knows how long, I want to make sure. I have some tools downloaded here like Kali, GHIDRA, Burp etc. because I'm starting to get really interested in security and bug bounty since my last potential hack incident.
  10. You can go ahead and close this. I don't think this is a MB problem and although I'm going to do more analysis of my network, I can't say right now I think I'm infected with anything.
  11. I apologize for putting this in the wrong section of the forums.
  12. Sorry for cross posting this with the other forum section, but I think I put it in the wrong place and I didn't know how to move it, or if that is possible. Should MB take another look at this IP address? I run MB3 on my host, and on that host + every VM I run off that host (flavors of Linux) Firefox tries to connect to that site. HOWEVER, my laptop is running just Linux and it does not exhibit the same behavior with Firefox. Same flavor as two VMs I've looked at on my Windows host that is running MB3. The VM I just created from image does the same thing. I can't explain it. What I said in a reply to my own thread in the blocked website section (original thread mentioned above) was that if I turn off two privacy features it stops attempting to connect. One of them is OCSP responders, so maybe that makes sense, but the reports of DDoS, hacking, extortion, etc. from this IP are pretty alarming. Am I being gaslighted by this abuseipdb.com? From what I read on this site (MB) this is not an issue, but according to that (abuseipdb) site there is a big problem with this IP. Are hackers doing social engineering planted reports on that site to freak people out because they know connections to it are widespread? Or is this really an issue? I have read two other forum posts about this IP address. One said MB was producing a lot of false positives with Mozilla products on this IP.

      nslookup ocsp.digicert.com
      Server: 127.0.1.1
      Address: 127.0.1.1#53
      Non-authoritative answer:
      ocsp.digicert.com canonical name = cs9.wac.phicdn.net.
      Name: cs9.wac.phicdn.net
      Address: 72.21.91.29

      I noticed today that every version of Firefox I run, from my Windows host running MB to my two Linux VMs, shows this IP address as having a connection in Firefox. After investigating, I have mixed information about whether or not this IP address should be blocked by MB or if it is really a certificate authority (or whatever you call it).
      When I start Firefox I do lsof (Linux) or netstat (Windows) and see that it starts a connection to this IP address (a connection which is maintained over port 80). My extensions are HTTPS Everywhere, uBlock Origin, Decentraleyes, Cookie AutoDelete. Given the above information I would be at ease, but then I read the reports on this website about people getting hacked through it: https://www.abuseipdb.com/check/72.21.91.29 Some examples (there are more, and they are all pretty recent):

      27 Nov 2018: This guy bought an SSL certificate, BUT... if you run an Nmap scan, you will see that it is just a router, not an SSL server.
      06 Jan 2019: Secretly records unwanted video and spoofs users on Facebook purporting to be a real person when it is actually a bot. Uses server techniques to create a fake account that can hack into user's personal data without appearing on Facebook. Is determined to exploit servers in order to reveal nudity/other sexual content on public social media (e.g. YouTube, Facebook, WhatsApp) to humiliate. Exploits personal information in order to commit extortion by threatening users to give away bank information. The threat includes the user being publicly humiliated by accessing personal information, without consent of the user, if he/she does not pay a large sum of money ($8000-10000) to prevent the information from being revealed publicly. Repeatedly contacts the user if the user disconnects from the call/text message, through other forms of social media that the user may be logged into. The user is blackmailed to send a large sum of money through either a fraudulent phone number or email.
      22 Feb 2019: This IP was just seen on my Windows system using netstat. Unplugged my router/modem. Why would Verizon be connected to my PC. I've run scans with Malwarebytes, RogueKiller, I've run rootkit scans and nothing malicious is found. Guess I should wipe the system and start over.
      Categories: DDoS Attack, FTP Brute-Force, Fraud VoIP, Port Scan, Hacking, Brute-Force, Exploited Host, Web App Attack, SSH
  13. Would it be a big problem if someone hacked the cert site that Firefox uses to confirm web pages? Seems like this could make for a widespread problem, but admittedly I don't know. Some people I talk to, and in fact one of my other computers, don't have this IP connection even with those options checked.
  14. I have found when I disable two options under Privacy and Security in Firefox, these connections go away: "Block dangerous and deceptive content" and "Query OCSP responder servers to confirm the current validity of certificates". So I guess it's likely this abuseipdb is being exploited to sow fear?