Tracking that Malicious Site.

First, my apologies if I'm posting this to the wrong area of the forums, and I'm happy to have this thread moved to wherever it's more appropriate.

I run Malwarebytes Anti-Malware Premium 2.0.2.1012 (Build Date: 13/05/2014) and, despite the criticism it seems to get from time to time, I'm happy with it for the job it does.

From time to time we users get little pop-ups telling us that Malicious Site "###.##.##.###.##" has been blocked. Today I got four pop-ups in a row for the same incoming computer. (I'm not up on the proper terminology, but I gather that's four "pings"?)

Anyhow, being annoyed, I tried to find the domain name - or at least the origin - of the unwanted "doorknocker". I tried CentralOps.net and Convert Host/Domain Name to IP Address and vice versa. The latter gave the country of origin ("China" with "95% probability"). CentralOps.net seemed completely stumped.

Anyone know of better backtracking sites? Most grateful if you do.

Cheers

ausgumbie


Hi ausgumbie,

With the IP number that you have omitted, I / we usually start with Google and see if it turns up an entry.

You seem to have used this "blind method" as your option also.

This can be a "crawler" bot fishing for any open channels, or for specific targets to enter and leave a "spy deposit" or infection.

These are not unusual if you use Torrent programs, as they will then lock onto you as a future target.

Did you have any particular program open / in use at the time of these hits? This can often help.

Please post the MBAM2 Daily Protection Log showing the Malicious Website Blocks:

Reference: Malwarebytes Anti-Malware Users Guide - Daily Protection Log

  • Please open the Malwarebytes Anti-Malware 2.x (MBAM2) Graphical User Interface (GUI).
  • Single left-click History.
  • Single left-click Application Logs.
  • Left double-click the Protection Log concerning the date when the Malicious Website Protection notice was received.
  • Single left-click Export and single left-click Text file (*.txt) from the pull-down menu.
  • Enter Malicious in the File name: box, single left-click Desktop, and single left-click Save.
  • Close the MBAM2 GUI.
  • Please attach the Malicious.txt file, from your Desktop, to your next reply in this thread.

Thank you.


Hi Noknojon

I've attached the txt file requested.

Also, (blush), I seem to have much maligned poor CentralOps.net. Instead of just entering the 10-digit IP address, I'd added "23" (you'll probably see why when you inspect the file - the snooper is the last four entries). No wonder neither search engine could cope with a 12-digit "address"!

However, if you feel like giving the CentralOps.net searcher a try yourself, you'll note it does give rather more fulsome details now.

Nonetheless, if you guys have more info on this particular snooper, or at least can interpret what sort of a site it is, I'd still be very grateful. I wouldn't mind knowing who's so desperate to get to know me better - even if I don't particularly want to know them.

Many thanks

ausgumbie

Malicious.txt


Hello ausgumbie:

Your log strongly suggests that a system, in mainland China, is attempting to open a Telnet connection with your system, or testing your system's TCP port 23 to see if it is open.

If these incoming attempts are completely unexpected and undesired, then the Malwarebytes Anti-Malware Malicious Website Blocking module is doing its job nicely and no further action on your part is indicated.

As experience shows, when unsuccessful, these attempts stop with the passage of time.

HTH :)

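As an added illustration (not from the thread, and not Malwarebytes' own code), the following Python separates the blocked address from the trailing port in block entries, so that the `:23` is read as the TCP port (Telnet) rather than as part of the address, and counts repeated hits from the same source. The log line layout is a constructed approximation of what the thread describes, not the real MBAM2 export format, and the addresses are reserved documentation ranges.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (the real MBAM2 protection-log format is assumed, not copied).
SAMPLE_LOG = """\
2014/06/01 10:12:03 +1000  HOST  user  IP-BLOCK  203.0.113.45:23 (Type: incoming)
2014/06/01 10:12:09 +1000  HOST  user  IP-BLOCK  203.0.113.45:23 (Type: incoming)
2014/06/01 10:12:15 +1000  HOST  user  IP-BLOCK  203.0.113.45:23 (Type: incoming)
2014/06/01 10:12:21 +1000  HOST  user  IP-BLOCK  203.0.113.45:23 (Type: incoming)
2014/06/01 11:40:00 +1000  HOST  user  IP-BLOCK  198.51.100.7:3389 (Type: incoming)
"""

# A few well-known TCP ports that inbound probes commonly target.
WELL_KNOWN_PORTS = {22: "ssh", 23: "telnet", 445: "smb", 3389: "rdp"}

# Address, port and direction out of an IP-BLOCK entry (assumed layout).
BLOCK_RE = re.compile(r"IP-BLOCK\s+(\S+?):(\d+)\s+\(Type:\s*(\w+)\)")


def split_endpoint(token):
    """Split 'address:port' into (address, port).

    Raises ValueError when the address part is not a valid IP literal,
    which is exactly what happens if the port digits are glued onto the
    address (e.g. '203.0.113.4523') instead of being separated by ':'.
    """
    host, sep, port = token.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"no port in {token!r}")
    return str(ipaddress.ip_address(host.strip("[]"))), int(port)


def parse_blocks(log_text):
    """Return one dict per IP-BLOCK line: source ip, port, service name, direction."""
    hits = []
    for line in log_text.splitlines():
        m = BLOCK_RE.search(line)
        if not m:
            continue
        addr, port = split_endpoint(f"{m.group(1)}:{m.group(2)}")
        hits.append({"ip": addr, "port": port,
                     "service": WELL_KNOWN_PORTS.get(port, "unknown"),
                     "direction": m.group(3)})
    return hits


def summarize(hits):
    """Count hits per (ip, port) so a burst of four probes shows as one source."""
    counts = Counter((h["ip"], h["port"]) for h in hits)
    return {f"{ip}:{port}": n for (ip, port), n in counts.items()}
```

Running `summarize(parse_blocks(SAMPLE_LOG))` reports four Telnet probes from one address, which is the pattern the replies above describe.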
