Jump to content

Question: MBAM Inbound block of malicious website IP 188.209.52.39


Recommended Posts

Good afternoon everyone,

 

     As always...I'm glad to see MBAM Premier's Malicious Website Blocking is quite obviously doing its job as well as ever!  :) 

 

I'm inquiring about the MBAM log excerpt pasted below.  (The MBAM pop-up alert appeared a short time ago while I was off-line). 

 

------------BEGIN LOG EXCERPT TEXT--------------

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Detection, 11/12/2015 1:48 PM, SYSTEM, PETEADMIN-PC, Protection, Malicious Website Protection, IP, 188.209.52.39, 0, Inbound,
Detection, 11/12/2015 1:48 PM, SYSTEM, PETEADMIN-PC, Protection, Malicious Website Protection, IP, 188.209.52.39, 0, Inbound,
(end)

 

-----------END OF LOG EXCERPT TEXT---------

 

When I checked the IP address (188.209.52.39) at Hphosts, it is shown as green.  Only a red notation about the IP PTR not resolving is all I see there.  I checked the IP at VirusTotal, IPvoid, and Securi, but nothing suspicious is noted.

 

My question:  What kind of "intrusion", is this, since it shows no port, nor did it indicate anything beside "Process" in the MBAM alert pop-up?

 

Thank you for your time and any enlightenment!

 

EE

Link to post
Share on other sites

Hello Eagleeye:

 

Please try a simple ping test of the IP address above.

 

That IP address block may have been recently removed via a MBAM database update since yesterday and you will likely not "see" any more MBAM Premium Malicious Website Protection block pop-up messages.

 

Still - it does not explain why a pentester's IP address in Romania was seeking access to your system in question though.

 

Thank you.

Link to post
Share on other sites

Hi 1PW and thanks for your reply!

 

I did the ping of the IP address mentioned in my OP from the Command Prompt window.  I've attached a screenshot of what was shown when the ping completed.  At the time the ping was being done, MBAM displayed another pop-up alert...only this time the block was listed as OUTBOUND, port number 8, but again - no Process was shown.  (The log excerpt & screenshot are shown below):

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Detection, 11/13/2015 4:42 PM, SYSTEM, PETEADMIN-PC, Protection, Malicious Website Protection, IP, 188.209.52.39, 8, Outbound,
Detection, 11/13/2015 4:42 PM, SYSTEM, PETEADMIN-PC, Protection, Malicious Website Protection, IP, 188.209.52.39, 8, Outbound,
(end)

 

post-103625-0-82165400-1447452340_thumb.

 

Thanks again for your time and feedback!

 

EE

Link to post
Share on other sites

Hello Eagleeye:

 

Oddly enough, I am now seeing what you have seen all along. I have checked using several physical systems where the MBAM database is at 2015.11.13.8

 

I will now contact a knowledgeable Malwarebytes staffer and report back on the continued validity of that Malicious Website Protection block.

 

Thank you Eagleeye.

Link to post
Share on other sites

Hello Eagleeye:

 

The Malicious Website Protection block has been removed from the MBAM databases for IP = 188.209.52.39 = 0xdemon.com because the block is no longer warranted per a Malwarebytes staffer.

 

This still does not explain your original observations though. In the future if you detect that more access attempts are seemingly originating from 188.209.52.39, you may wish to capture as many complete inbound packets as you are able using Wireshark. Perhaps after a thorough packet analysis, additional enlightenment will result.

 

If access attempts persist and you simply wish to forbid intrusion from 188.209.52.39, I am confident you are familiar with the relevant firewall and/or HOSTS file defensive entries.

 

Thank you Eagleeye.

Link to post
Share on other sites

Much obliged for your respective follow-up replies, 1PW and FF! :)

 

I only posted here because I did not feel the two MBAM alerts I received were FP's.  I just wasn't sure exactly what the significance of them were.  Given each of your well-known levels of expertise and knowledge about such issues here in the Forums, I will simply defer to your analyses and feedback, and leave it at that.

 

Thanks very much again for your time and help!  (Topic may be closed at your convenience).

 

EE

Link to post
Share on other sites

Your quite welcome, glad we could help....

 

Normally they do not close topics here at this forum...

 

As for not know if something is a false positive or not, its hard to tell at first glace, this is why we post in the false positive section, they will confirm if it is or is not, and let us know accordingly....

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.