alwaysthinking

"Successfully blocked access to a potentially malicious website"?


Please post the most recent protection logs for the past couple of days.  There really isn't too much we can do about a remote site doing probes except keep blocking them.


So what was the purpose of downloading all of these programs and doing all of these scans?

 

2014/03/21 12:25:21 -0500 TIM-PC Timothy MESSAGE Executing scheduled update:  Daily
2014/03/21 12:25:45 -0500 TIM-PC Timothy MESSAGE Scheduled update executed successfully:  database updated from version v2014.03.19.06 to version v2014.03.21.06
2014/03/21 12:25:45 -0500 TIM-PC Timothy MESSAGE Starting database refresh
2014/03/21 12:25:45 -0500 TIM-PC Timothy MESSAGE Stopping IP protection
2014/03/21 12:25:50 -0500 TIM-PC Timothy MESSAGE IP Protection stopped successfully
2014/03/21 12:28:13 -0500 TIM-PC Timothy MESSAGE Database refreshed successfully
2014/03/21 12:28:13 -0500 TIM-PC Timothy MESSAGE Starting IP protection
2014/03/21 12:28:18 -0500 TIM-PC Timothy MESSAGE IP Protection started successfully
2014/03/21 14:59:06 -0500 TIM-PC Timothy IP-BLOCK 93.174.93.51 (Type: incoming, Port: 6657, Process: svchost.exe)
2014/03/21 14:59:06 -0500 TIM-PC Timothy IP-BLOCK 93.174.93.51 (Type: incoming, Port: 6657, Process: svchost.exe)
2014/03/21 16:21:55 -0500 TIM-PC Timothy IP-BLOCK 93.174.95.119 (Type: incoming, Port: 80, Process: svchost.exe)
2014/03/21 16:30:52 -0500 TIM-PC Timothy IP-BLOCK 80.82.70.117 (Type: incoming, Port: 21320, Process: svchost.exe)
2014/03/21 16:44:37 -0500 TIM-PC Timothy IP-BLOCK 93.174.93.51 (Type: incoming, Port: 40991, Process: svchost.exe)
2014/03/21 21:02:35 -0500 TIM-PC Timothy IP-BLOCK 93.174.93.51 (Type: incoming, Port: 46714, Process: svchost.exe)
2014/03/21 23:10:10 -0500 TIM-PC Timothy IP-BLOCK 222.186.34.183 (Type: incoming, Port: 22, Process: svchost.exe)
2014/03/21 23:10:18 -0500 TIM-PC Timothy IP-BLOCK 222.186.34.183 (Type: incoming, Port: 22, Process: svchost.exe)
2014/03/21 23:41:32 -0500 TIM-PC Timothy IP-BLOCK 93.174.93.62 (Type: incoming, Port: 123, Process: svchost.exe)
2014/03/22 00:59:10 -0500 TIM-PC Timothy IP-BLOCK 222.186.61.230 (Type: incoming, Port: 203, Process: svchost.exe)
2014/03/22 00:59:10 -0500 TIM-PC Timothy IP-BLOCK 222.186.61.230 (Type: incoming, Port: 203, Process: svchost.exe)
2014/03/22 01:35:46 -0500 TIM-PC Timothy IP-BLOCK 93.174.93.51 (Type: incoming, Port: 11129, Process: svchost.exe)
2014/03/22 02:12:57 -0500 TIM-PC Timothy IP-BLOCK 222.186.34.206 (Type: incoming, Port: 22, Process: svchost.exe)
2014/03/22 04:55:24 -0500 TIM-PC Timothy IP-BLOCK 93.174.93.51 (Type: incoming, Port: 808, Process: svchost.exe)
2014/03/22 11:24:07 -0500 TIM-PC Timothy IP-BLOCK 72.21.215.133 (Type: outgoing, Port: 51694, Process: chrome.exe)
2014/03/22 11:24:07 -0500 TIM-PC Timothy IP-BLOCK 72.21.215.133 (Type: outgoing, Port: 51696, Process: chrome.exe)
2014/03/22 11:24:07 -0500 TIM-PC Timothy IP-BLOCK 72.21.215.133 (Type: outgoing, Port: 51698, Process: chrome.exe)
2014/03/22 11:28:48 -0500 TIM-PC Timothy IP-BLOCK 93.174.93.51 (Type: incoming, Port: 9934, Process: svchost.exe)
2014/03/22 11:28:48 -0500 TIM-PC Timothy IP-BLOCK 93.174.93.51 (Type: incoming, Port: 9934, Process: svchost.exe)
2014/03/22 13:41:17 -0500 TIM-PC Timothy IP-BLOCK 80.82.78.100 (Type: incoming, Port: 53, Process: svchost.exe)
2014/03/22 13:41:17 -0500 TIM-PC Timothy IP-BLOCK 80.82.78.100 (Type: incoming, Port: 53, Process: svchost.exe)
2014/03/22 14:16:10 -0500 TIM-PC Timothy IP-BLOCK 93.174.95.60 (Type: incoming, Port: 5631, Process: svchost.exe)
2014/03/22 14:49:45 -0500 TIM-PC Timothy IP-BLOCK 72.21.215.133 (Type: outgoing, Port: 54102, Process: chrome.exe)
2014/03/22 14:49:45 -0500 TIM-PC Timothy IP-BLOCK 72.21.215.133 (Type: outgoing, Port: 54103, Process: chrome.exe)
2014/03/22 14:49:45 -0500 TIM-PC Timothy IP-BLOCK 72.21.215.133 (Type: outgoing, Port: 54104, Process: chrome.exe)
2014/03/22 14:50:25 -0500 TIM-PC Timothy IP-BLOCK 72.21.215.133 (Type: outgoing, Port: 54110, Process: chrome.exe)
2014/03/22 15:59:44 -0500 TIM-PC Timothy IP-BLOCK 117.41.229.188 (Type: incoming, Port: 445)
2014/03/22 16:13:46 -0500 TIM-PC Timothy IP-BLOCK 222.186.34.27 (Type: incoming, Port: 8080, Process: svchost.exe)
2014/03/22 20:19:04 -0500 TIM-PC Timothy IP-BLOCK 218.9.29.90 (Type: incoming, Port: 3306, Process: svchost.exe)
2014/03/22 21:41:50 -0500 TIM-PC (null) MESSAGE Starting protection
2014/03/22 21:41:50 -0500 TIM-PC (null) MESSAGE Protection started successfully
2014/03/22 21:41:50 -0500 TIM-PC (null) MESSAGE Starting IP protection
2014/03/22 21:41:52 -0500 TIM-PC (null) MESSAGE IP Protection started successfully
2014/03/22 22:05:58 -0500 TIM-PC Timothy MESSAGE Starting protection
2014/03/22 22:06:00 -0500 TIM-PC Timothy MESSAGE Protection started successfully
2014/03/22 22:06:00 -0500 TIM-PC Timothy MESSAGE Starting IP protection
2014/03/22 22:06:02 -0500 TIM-PC Timothy MESSAGE IP Protection started successfully
2014/03/22 22:19:31 -0500 TIM-PC Timothy MESSAGE Starting protection
2014/03/22 22:19:31 -0500 TIM-PC Timothy MESSAGE Protection started successfully
2014/03/22 22:19:31 -0500 TIM-PC Timothy MESSAGE Starting IP protection
2014/03/22 22:19:37 -0500 TIM-PC Timothy MESSAGE IP Protection started successfully
2014/03/22 22:37:38 -0500 TIM-PC Timothy IP-BLOCK 74.91.112.146 (Type: outgoing, Port: 60043, Process: hl2.exe)
2014/03/22 23:52:54 -0500 TIM-PC Timothy IP-BLOCK 93.174.93.51 (Type: incoming, Port: 9898, Process: svchost.exe)
2014/03/22 23:52:54 -0500 TIM-PC Timothy IP-BLOCK 93.174.93.51 (Type: incoming, Port: 9898, Process: svchost.exe)
2014/03/22 23:52:54 -0500 TIM-PC Timothy IP-BLOCK 93.174.93.51 (Type: incoming, Port: 9898, Process: svchost.exe)
2014/03/23 01:05:35 -0500 TIM-PC Timothy IP-BLOCK 222.186.61.230 (Type: incoming, Port: 203, Process: svchost.exe)
2014/03/23 01:05:35 -0500 TIM-PC Timothy IP-BLOCK 222.186.61.230 (Type: incoming, Port: 203, Process: svchost.exe)
2014/03/23 02:10:03 -0500 TIM-PC Timothy IP-BLOCK 93.174.93.51 (Type: incoming, Port: 59626, Process: svchost.exe)
2014/03/23 02:10:03 -0500 TIM-PC Timothy IP-BLOCK 93.174.93.51 (Type: incoming, Port: 59626, Process: svchost.exe)
2014/03/23 10:57:54 -0500 TIM-PC Timothy MESSAGE Starting protection
2014/03/23 10:57:55 -0500 TIM-PC Timothy MESSAGE Protection started successfully
2014/03/23 10:57:55 -0500 TIM-PC Timothy MESSAGE Starting IP protection
2014/03/23 10:57:57 -0500 TIM-PC Timothy MESSAGE IP Protection started successfully
2014/03/23 11:07:18 -0500 TIM-PC Timothy IP-BLOCK 72.21.215.133 (Type: outgoing, Port: 59028, Process: chrome.exe)
2014/03/23 11:07:18 -0500 TIM-PC Timothy IP-BLOCK 72.21.215.133 (Type: outgoing, Port: 59029, Process: chrome.exe)
2014/03/23 11:57:52 -0500 TIM-PC Timothy MESSAGE Executing scheduled update:  Daily
2014/03/23 11:57:58 -0500 TIM-PC Timothy MESSAGE Starting database refresh
2014/03/23 11:57:58 -0500 TIM-PC Timothy MESSAGE Stopping IP protection
2014/03/23 11:57:58 -0500 TIM-PC Timothy MESSAGE Scheduled update executed successfully:  database updated from version v2014.03.21.06 to version v2014.03.23.08
2014/03/23 11:57:58 -0500 TIM-PC Timothy MESSAGE IP Protection stopped successfully
2014/03/23 11:58:13 -0500 TIM-PC Timothy MESSAGE Database refreshed successfully
2014/03/23 11:58:13 -0500 TIM-PC Timothy MESSAGE Starting IP protection
2014/03/23 11:58:14 -0500 TIM-PC Timothy MESSAGE IP Protection started successfully
2014/03/23 19:02:09 -0500 TIM-PC Timothy IP-BLOCK 74.91.112.146 (Type: outgoing, Port: 64585, Process: hl2.exe)
2014/03/23 20:36:43 -0500 TIM-PC Timothy IP-BLOCK 91.206.200.150 (Type: incoming, Port: 40958, Process: svchost.exe)
2014/03/23 20:37:07 -0500 TIM-PC Timothy IP-BLOCK 91.206.200.150 (Type: incoming, Port: 17856, Process: svchost.exe)
2014/03/23 20:38:11 -0500 TIM-PC Timothy IP-BLOCK 80.82.64.130 (Type: incoming, Port: 80, Process: svchost.exe)
2014/03/23 20:38:11 -0500 TIM-PC Timothy IP-BLOCK 80.82.64.130 (Type: incoming, Port: 80, Process: svchost.exe)
2014/03/23 21:19:15 -0500 TIM-PC Timothy IP-BLOCK 37.221.166.123 (Type: incoming, Port: 5631, Process: svchost.exe)
 


We needed to check and make sure the computer is not infected.  The scans do not show that it is. 

You have a couple of sites - Netherlands and China - that are probing your system, which could be due to some type of previous infection or someone simply looking for an opening.

 

Keep your Windows updates and security updates up to date at all times. 

 

If you're using the Windows firewall you can start an elevated admin command prompt and type the following to block this IP address at the firewall level.

Click on START and type in CMD.EXE and when it shows on the menu right click over it and choose "Run as administrator" then type the following exactly and press the Enter key.   You should get an OK for each line.  You can add other addresses if needed to block.

netsh advfirewall firewall add rule name="BlockBad" protocol=any dir=in action=block remoteip=222.186.61.230
netsh advfirewall firewall add rule name="BlockBad" protocol=any dir=out action=block remoteip=222.186.61.230


Here is a list of known port numbers


These are incoming blocks that come from a remote system into your computer.
As you can see, many of them are the same IP but a different port, which is typical of port scanning looking for an open port to attack.
This actually happens quite often, but if you don't have a firewall or other product to show it happening, users often don't know it's happening.

IP-BLOCK 117.41.229.188 (Type: incoming, Port: 445)  117.41.229.188 is from China(CN) in region Southern and Eastern Asia
IP-BLOCK 218.9.29.90 (Type: incoming, Port: 3306, Process: svchost.exe)     218.9.29.90 is from China(CN) in region Southern and Eastern Asia
IP-BLOCK 222.186.34.183 (Type: incoming, Port: 22, Process: svchost.exe)    222.186.34.183 is from China(CN) in region Southern and Eastern Asia
IP-BLOCK 222.186.34.206 (Type: incoming, Port: 22, Process: svchost.exe)    222.186.34.206 is from China(CN) in region Southern and Eastern Asia
IP-BLOCK 222.186.34.27 (Type: incoming, Port: 8080, Process: svchost.exe)   222.186.34.27 is from China(CN) in region Southern and Eastern Asia
IP-BLOCK 222.186.61.230 (Type: incoming, Port: 203, Process: svchost.exe)   222.186.34.27 is from China(CN) in region Southern and Eastern Asia
IP-BLOCK 37.221.166.123 (Type: incoming, Port: 5631, Process: svchost.exe)  37.221.166.123 is from Romania(RO) in region Eastern Europe
IP-BLOCK 80.82.64.130 (Type: incoming, Port: 80, Process: svchost.exe)      80.82.64.130 is from Netherlands(NL) in region Western Europe
IP-BLOCK 80.82.70.117 (Type: incoming, Port: 21320, Process: svchost.exe)   80.82.70.117 is from Netherlands(NL) in region Western Europe
IP-BLOCK 80.82.78.100 (Type: incoming, Port: 53, Process: svchost.exe)      80.82.78.100 is from Netherlands(NL) in region Western Europe
IP-BLOCK 91.206.200.150 (Type: incoming, Port: 17856, Process: svchost.exe) 91.206.200.150 is from Ukraine(UA) in region Eastern Europe
IP-BLOCK 91.206.200.150 (Type: incoming, Port: 40958, Process: svchost.exe) 91.206.200.150 is from Ukraine(UA) in region Eastern Europe
IP-BLOCK 93.174.93.51 (Type: incoming, Port: 11129, Process: svchost.exe)   93.174.93.51 is from Netherlands(NL) in region Western Europe
IP-BLOCK 93.174.93.51 (Type: incoming, Port: 40991, Process: svchost.exe)
IP-BLOCK 93.174.93.51 (Type: incoming, Port: 46714, Process: svchost.exe)
IP-BLOCK 93.174.93.51 (Type: incoming, Port: 59626, Process: svchost.exe)
IP-BLOCK 93.174.93.51 (Type: incoming, Port: 6657, Process: svchost.exe)
IP-BLOCK 93.174.93.51 (Type: incoming, Port: 808, Process: svchost.exe)
IP-BLOCK 93.174.93.51 (Type: incoming, Port: 9898, Process: svchost.exe)
IP-BLOCK 93.174.93.51 (Type: incoming, Port: 9934, Process: svchost.exe)
IP-BLOCK 93.174.93.62 (Type: incoming, Port: 123, Process: svchost.exe)     93.174.93.62 is from Netherlands(NL) in region Western Europe
IP-BLOCK 93.174.95.119 (Type: incoming, Port: 80, Process: svchost.exe)     93.174.95.119 is from Netherlands(NL) in region Western Europe
IP-BLOCK 93.174.95.60 (Type: incoming, Port: 5631, Process: svchost.exe)    93.174.95.60 is from Netherlands(NL) in region Western Europe



These blocks are outgoing and more than likely due to an advertisement on some site you were on.  Wouldn't want to see them ALL the time, but it's pretty normal to see them from time to time.

IP-BLOCK 72.21.215.133 (Type: outgoing, Port: 59029, Process: chrome.exe)   72.21.215.133 is from United States(US) in region North America
IP-BLOCK 74.91.112.146 (Type: outgoing, Port: 60043, Process: hl2.exe)      74.91.112.146 is from United States(US) in region North America

Please do the following temporarily.  Download TCPVIEW by Microsoft and save it to your computer.
Then temporarily disable the MBAM Web protection.  Then run the TCPVIEW program using elevated Admin rights.
Then let it run for a bit and export the list every few minutes or so till you have 5 or 6 file exports.  Then attach those exports and I'll review them to verify if TCPView is also finding sites that are on our block lists or not.
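The two posts above do by hand what a short script can do over the whole protection log: separate incoming probes from outgoing blocks, collapse the duplicate entries MBAM writes for a burst of packets, list the distinct ports each remote IP touched (several ports from one IP is the port-scan signature described above), bucket incoming hits by hour of day to look for a time pattern, and print the paired inbound/outbound netsh rules from the earlier post for any repeat scanner. This is an added example, not the forum's or Malwarebytes' own code; the sample lines are copied from the log posted in this thread, the log format is assumed from those lines, and the script only prints the netsh commands rather than running them.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Sample lines copied from the protection log posted earlier in this thread
# (a fixed sample, not a live log file).
SAMPLE_LOG = """\
2014/03/21 14:59:06 -0500 TIM-PC Timothy IP-BLOCK 93.174.93.51 (Type: incoming, Port: 6657, Process: svchost.exe)
2014/03/21 14:59:06 -0500 TIM-PC Timothy IP-BLOCK 93.174.93.51 (Type: incoming, Port: 6657, Process: svchost.exe)
2014/03/21 23:10:10 -0500 TIM-PC Timothy IP-BLOCK 222.186.34.183 (Type: incoming, Port: 22, Process: svchost.exe)
2014/03/22 01:35:46 -0500 TIM-PC Timothy IP-BLOCK 93.174.93.51 (Type: incoming, Port: 11129, Process: svchost.exe)
2014/03/22 11:24:07 -0500 TIM-PC Timothy IP-BLOCK 72.21.215.133 (Type: outgoing, Port: 51694, Process: chrome.exe)
2014/03/22 15:59:44 -0500 TIM-PC Timothy IP-BLOCK 117.41.229.188 (Type: incoming, Port: 445)
2014/03/22 21:41:50 -0500 TIM-PC (null) MESSAGE Starting protection
2014/03/22 22:37:38 -0500 TIM-PC Timothy IP-BLOCK 74.91.112.146 (Type: outgoing, Port: 60043, Process: hl2.exe)
2014/03/22 23:52:54 -0500 TIM-PC Timothy IP-BLOCK 93.174.93.51 (Type: incoming, Port: 9898, Process: svchost.exe)
"""

# Field layout assumed from the posted lines: timestamp, UTC offset, host, user,
# IP-BLOCK, remote IP, then "(Type: ..., Port: ...[, Process: ...])".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4}) "
    r"(?P<host>\S+) (?P<user>\S+) IP-BLOCK (?P<ip>[\d.]+) "
    r"\(Type: (?P<dir>incoming|outgoing), Port: (?P<port>\d+)"
    r"(?:, Process: (?P<proc>[^)]+))?\)$"
)


def parse_blocks(text):
    """Return one dict per distinct IP-BLOCK line; MESSAGE lines are skipped and
    exact duplicates (one entry per blocked packet in a burst) are dropped."""
    seen, events = set(), []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m or line in seen:
            continue
        seen.add(line)
        d = m.groupdict()
        d["when"] = datetime.strptime(d["ts"], "%Y/%m/%d %H:%M:%S")
        d["port"] = int(d["port"])
        d["proc"] = d["proc"] or "(none)"  # some entries carry no process name
        events.append(d)
    return events


def summarize_incoming(events):
    """Map each remote IP to the sorted list of distinct local ports it hit."""
    ports = defaultdict(set)
    for e in events:
        if e["dir"] == "incoming":
            ports[e["ip"]].add(e["port"])
    return {ip: sorted(p) for ip, p in ports.items()}


def summarize_outgoing(events):
    """Count outgoing blocks per local process (browser ad traffic vs. anything else)."""
    return Counter(e["proc"] for e in events if e["dir"] == "outgoing")


def incoming_by_hour(events):
    """Hour-of-day histogram of incoming blocks, to spot a recurring time."""
    return Counter(e["when"].hour for e in events if e["dir"] == "incoming")


def repeat_scanners(events, min_ports=2):
    """Remote IPs that probed at least min_ports distinct ports."""
    return sorted(ip for ip, p in summarize_incoming(events).items() if len(p) >= min_ports)


def netsh_rules(ips, name="BlockBad"):
    """Text of the inbound+outbound Windows Firewall rules suggested in the thread,
    one pair per IP. Nothing is executed here; paste into an elevated prompt."""
    return [
        f'netsh advfirewall firewall add rule name="{name}" '
        f"protocol=any dir={direction} action=block remoteip={ip}"
        for ip in sorted(ips)
        for direction in ("in", "out")
    ]


if __name__ == "__main__":
    ev = parse_blocks(SAMPLE_LOG)
    print("incoming probes by IP:", summarize_incoming(ev))
    print("outgoing blocks by process:", dict(summarize_outgoing(ev)))
    print("incoming hits by hour:", dict(sorted(incoming_by_hour(ev).items())))
    for cmd in netsh_rules(repeat_scanners(ev)):
        print(cmd)
```

To run it against a real log, replace SAMPLE_LOG with the contents of the exported protection log; an IP that appears under several ports across days is the case the thread says is worth a firewall rule, while a single-port hit from a browser or game process is the ad or game-server traffic the post calls normal.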


Simply right click over the program and choose "Run as administrator" to run it with elevated admin rights.

No you should not need to do anything different with your antivirus or Internet connection.  We're trying to confirm if MBAM is the only one seeing this or if other programs also see these IP addresses.


But MBAM gives me notifications very sporadically, sometimes once an hour and then sometimes several hours after that. Will creating an export every few minutes catch anything?


Try to catch it if/when you see MBAM doing it.  See if you can confirm if there is any type of connection with said IP but also try on your own from time to time because in some cases if we block it then it may not show on the TCPView list either.

 

Just trying to rule out and make sure that there is not some type of conflict with other software that is possibly causing a false report for you.  Getting scanned from time to time is normal but one should not typically keep getting scanned for weeks.


You can try, but typically what happens is that a connection is made, then it's released from cache once no activity is going on, so it won't show.  I can try to work on a batch file to do this for us.  Send me a PM reminder if you don't hear back from me by the morning.

 

Thanks


I understand to some degree but take a look at your MBAM protection logs and see if you can see any pattern or time that you think it's happening.

You can also run the tool more than once but move the log and rename it something else each time you run it so that it does not get overwritten.
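The two previous posts describe the capture loop by hand: take connection snapshots repeatedly, give each export its own name so nothing is overwritten, and check whether any remote address in a snapshot is one MBAM has been blocking. The script below is an added example of that loop, not the batch file the helper mentions and not part of the thread; it parses the text layout of `netstat -n` (assumed from the standard Windows output: Proto, Local Address, Foreign Address, State), compares foreign addresses against a block list taken from this thread's log, and names each export by timestamp and sequence number. The netstat snapshot in the block is constructed sample output, and the `main` loop would only be run on the Windows machine being checked.

```python
import re
import subprocess
import time
from datetime import datetime

# Remote addresses MBAM blocked in the log posted earlier in this thread.
MBAM_BLOCKED = {"93.174.93.51", "222.186.61.230", "72.21.215.133", "74.91.112.146"}

# Constructed sample of `netstat -n` output (not captured from a real machine);
# the column layout is assumed from the standard Windows netstat text format.
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:51694       72.21.215.133:80       ESTABLISHED
  TCP    192.0.2.10:51800       198.51.100.7:443       ESTABLISHED
  TCP    192.0.2.10:139         203.0.113.9:40958      SYN_RECEIVED
  UDP    192.0.2.10:137         *:*
"""

# Proto, local addr:port, foreign addr:port, optional state. IPv4 only here.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>[\d.]+:\d+)\s+"
    r"(?P<remote>[\d.]+):(?P<rport>\d+)(?:\s+(?P<state>\S+))?\s*$"
)


def foreign_endpoints(netstat_text):
    """Return (remote_ip, remote_port, state) for every IPv4 connection line;
    header lines and '*:*' wildcard sockets are ignored."""
    out = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            out.append((m["remote"], int(m["rport"]), m["state"] or ""))
    return out


def blocklist_hits(netstat_text, blocked=MBAM_BLOCKED):
    """Endpoints whose remote IP is on the block list: the cross-check the
    thread asks for (does a second tool see the same addresses?)."""
    return [ep for ep in foreign_endpoints(netstat_text) if ep[0] in blocked]


def snapshot_name(when, seq, base="netstat_snapshot"):
    """Unique file name per export so repeated runs never overwrite each other."""
    return f"{base}_{when.strftime('%Y-%m-%d_%H%M%S')}_{seq:03d}.txt"


def capture_once(seq, runner=lambda: subprocess.run(
        ["netstat", "-n"], capture_output=True, text=True, check=True).stdout):
    """Take one snapshot, save it under a unique name, return (name, hits)."""
    text = runner()
    name = snapshot_name(datetime.now(), seq)
    with open(name, "w", encoding="utf-8") as fh:
        fh.write(text)
    return name, blocklist_hits(text)


if __name__ == "__main__":
    # Windows only: six snapshots, one every two minutes, as the thread suggests.
    for seq in range(1, 7):
        name, hits = capture_once(seq)
        print(name, "matches:", hits or "none")
        time.sleep(120)
```

A blocked IP that never shows up in any snapshot is consistent with the helper's caveat that a connection MBAM rejects may be gone before netstat sees it; an IP that does appear, with the state column, tells you which side opened it.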


Well not really sure what to tell you.  It's not normal to continue to get multiple incoming IP blocks for weeks at a time.  That leads me to suspect that maybe our software is in conflict with your antivirus or something else and triggering these detections.  Thus having another tool to verify is needed.  You could try installing one of the free firewalls out there and see if it too is seeing these addresses probing your computer or not.

 

All the scans we've run are coming back clean as well, and the logs are not showing outgoing IP blocks except 1 or 2 where you were probably on one web page with advertising going on.
