Possibly malicious IP detected


Hi guys, I was just casually browsing Facebook when Malwarebytes popped up and said it blocked a connection to this IP:

193.109.69.15 

It was coming from svchost.exe, which is a system process from what I'm aware of, and there are multiple instances of it running under various account levels, which I find pretty normal, but I don't get why MBAM blocks it. Even if I try connecting to it through my browser MBAM blocks that too, and it also blocks me attempting to ping it.

VirusTotal says it's clean, and I'm not the first to send it in for a scan either. WHOIS lookup says it's based in Russia currently, and Google has like nothing on details about it which makes me a little uneasy...

I'm currently doing a full system scan, which usually comes out clean, but maybe it will find something? Anyway, does anyone know what might be on the other end? And is it a false positive? 

Also just to clarify, I don't have anything like torrenting software running or other P2P connections, that I'm aware of at least. 


Hello PairedPrototype:

Your previous post's information requires some supplemental clarity and additional detail.

Please post the Daily Protection Log pertaining to the Malicious Website Blocks you're reporting:

Reference: Malwarebytes Anti-Malware Users Guide - Daily Protection Log

  • Please open the Malwarebytes Anti-Malware (MBAM) Graphical User Interface (GUI).
  • Single left-click History.
  • Single left-click Application Logs.
  • Single left-click the Protection Log pertaining to the last date when the Malicious Website Blocking notice(s) were seen.
  • Single left-click Export button, and single left-click the Text file (*.txt) choice from the pull-down menu. (NOT the XML file (*.xml) entry.)
  • Type Malicious in the File name: box, then single left-click Desktop, and single left-click its Save button.
  • If a system File saved message box appears stating "Your file has been successfully exported.", single left-click its OK button.
  • All 3 MBAM windows may now be closed.
  • Please Attach the Malicious.txt file, from the system's desktop, to your next reply in this topic's thread.

Thank you for your patience and understanding.


Hello again PairedPrototype:
 

Malicious Website Blocked Pop-ups


Example:

Websiteblocked.png

Reference: Malwarebytes Anti-Malware Users Guide - Malicious Web Site Blocked

Malicious Website Blocked pop-ups are caused by:

More information about MBAM Home (Trial/Premium) Malicious Web Site Module is in the Help Desk topic What does it mean when I get an alert that Malwarebytes Anti-Malware has blocked a malicious site?, and in the FAQ - Section G - Malicious Website Blocking.

The above also contains instructions on how to determine what process might be trying to make the connections. A URL/IP in question may be researched at IP Address Lookup (IPv4 & IPv6) or similar.

If it is believed the URL/IP blocks are false positives, then please read Important: Please Read Before Reporting A False Positive before starting a new topic in the False Positives - Website Blocking sub-forum.

Or if it is suspected that the system in question might be infected, based on the URL/IP blocks and/or other suspicious system behaviors, then please read the following for the available options to request a malware removal expert assist with the cleaning process Available Assistance For Possibly Infected Computers.

 

Though based now on mostly minimal information, it is doubtful that the system in question is compromised. If the IP address/URL in question had proven in the past to be the source of adware/malware/badware and/or unsavory behaviors, then this is the reason why the MBAM Malicious Web Site Module is blocking access. In the case of inbound attempts these will usually and eventually stop after repeated, unsuccessful access.

 

Thank you.

My system was fresh installed only 2 weeks ago, and I'm always a careful browser. I know a fair amount about security so I can usually identify something that is malicious, however this doesn't appear to be, but it is slightly odd. It was also this one that appeared first three times in a row. 

 

Detection, 18/08/2015 02:54, SYSTEM, PROTOTYPE-PC, Protection, Malicious Website Protection, IP, 193.109.69.15, 5061, Inbound, C:\Windows\System32\svchost.exe

The outbound ones are me trying to figure out what it was, or who/what this IP is allocated to. My system appears to be clean of malware and I always install the latest patches when available.

Like I said in my initial post, I don't have any P2P programs running and I don't have Skype on my PC either. I'm guessing this may just be a false positive then, but I'm still a little baffled and want to figure out why my PC was trying to connect to this unknown IP address. I'll try to do a bit more digging and will update you if I find anything.

Thanks.
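As an added example (not code from this thread or from Malwarebytes), a small Python triage script for the exported Protection Log line format quoted above: it groups blocks by direction, address, port and process so repeated inbound hits stand out from the user's own outbound lookups. The first sample line is the one from the thread; the other sample lines, the browser path and the port-to-service labels are constructed assumptions, with 5061 labelled SIP over TLS per its IANA registration, which is what the staff reply's "secure VoIP connection" remark points at.

```python
"""Triage a Malwarebytes Anti-Malware (MBAM) Protection Log text export (added example).

Each 'Detection' line is comma-separated:
  kind, timestamp, user, host, module, component, type, address, port, direction, process
"""
from collections import Counter
from typing import NamedTuple, Optional

class WebBlock(NamedTuple):
    timestamp: str
    user: str
    host: str
    address: str
    port: int
    direction: str  # "Inbound" or "Outbound"
    process: str

# IANA-registered services for ports worth a second look (assumed labels); 5061 is
# SIP over TLS, which matches the staff reply's "secure VoIP connection" guess.
KNOWN_PORTS = {5060: "SIP", 5061: "SIP over TLS", 80: "HTTP", 443: "HTTPS"}

def parse_block(line: str) -> Optional[WebBlock]:
    """Return a WebBlock for a Malicious Website Protection line, else None."""
    f = [x.strip() for x in line.split(",")]
    if len(f) != 11 or f[0] != "Detection" or f[5] != "Malicious Website Protection":
        return None
    return WebBlock(f[1], f[2], f[3], f[7], int(f[8]), f[9], f[10])

def summarize(lines):
    """Count blocks per (direction, address, port, process), most frequent first."""
    counts = Counter()
    for line in lines:
        b = parse_block(line)
        if b:
            counts[(b.direction, b.address, b.port, b.process)] += 1
    return [{"direction": d, "address": a, "port": p, "process": proc, "count": n,
             "service": KNOWN_PORTS.get(p, "unregistered/unknown")}
            for (d, a, p, proc), n in sorted(counts.items(), key=lambda kv: -kv[1])]

# Constructed sample export: the first line is the one quoted in the thread; the rest
# are made up to mimic repeated inbound hits and the user's own outbound browser tries.
SAMPLE_LOG = """\
Detection, 18/08/2015 02:54, SYSTEM, PROTOTYPE-PC, Protection, Malicious Website Protection, IP, 193.109.69.15, 5061, Inbound, C:\\Windows\\System32\\svchost.exe
Detection, 18/08/2015 02:55, SYSTEM, PROTOTYPE-PC, Protection, Malicious Website Protection, IP, 193.109.69.15, 5061, Inbound, C:\\Windows\\System32\\svchost.exe
Detection, 18/08/2015 02:56, SYSTEM, PROTOTYPE-PC, Protection, Malicious Website Protection, IP, 193.109.69.15, 5061, Inbound, C:\\Windows\\System32\\svchost.exe
Detection, 18/08/2015 03:10, PairedPrototype, PROTOTYPE-PC, Protection, Malicious Website Protection, IP, 193.109.69.15, 80, Outbound, C:\\Program Files\\ExampleBrowser\\browser.exe
Detection, 18/08/2015 03:11, PairedPrototype, PROTOTYPE-PC, Protection, Malicious Website Protection, IP, 193.109.69.15, 443, Outbound, C:\\Program Files\\ExampleBrowser\\browser.exe
"""
```

Calling `summarize(SAMPLE_LOG.splitlines())` returns the inbound svchost.exe/5061 group first with a count of 3, followed by the two single outbound browser entries.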


Hello again PairedPrototype:

 

The research and investigation that produces an entry in the MBAM databases is quite thorough. Therefore the Malicious Web Site block was warranted and likely has nothing to do with the system's content or a user's browsing habits in this case. In other words MBAM Premium was protecting that system from a random inbound access attempt and no further actions are required on your part. One remaining possibility, of low probability, is that an erroneous access attempt was made to make a secure VoIP connection to your system.

 

The best advice is to file this incident for now.

 

Cheers


Okay, so I've done a small bit of digging and found that the IP is owned by a Russian company (or at least hosted in Russia) called HostKey, they offer VPS and Dedicated Servers too. A reverse DNS lookup shows that the IP points towards this website
 

ristorantegaia.it

And fear not, MBAM also blocks this site, though when I put it through VT, it also came out clean just like the IP did. After temporarily adding the IP to the exclusion list, my computer can't seem to connect to the website, pings are successful though and pinging the website resolves to the above IP address so I guess that confirms the reverse DNS lookup was correct. I've searched the MBAM website blocking forum for both the website and IP but there's no results for either. I feel reluctant to post this in there because it does seem a little fishy at least... 


Hello again PairedPrototype:

 

IMO the access attempts you experienced are not false positives and the advice I sent to you still stands.

 

The MBAM Home Trial/Premium edition Malicious Web Site Module is doing its job and great caution should be exercised in pinging or attempting to connect to that URL/IP address. A negative VirusTotal investigation of same is neither surprising nor unexpected as inactive/absent malicious processes, emails or intent would not be detectable.

 

Further action, regarding that URL/IP address, on your part is not currently indicated.

 

HTH
