Blocked IP question
Hey all,

It's been a while. Sorry! I've been lurking though. Anyway, I love the idea of this new IP protection module in 1.40. I have a question though. I was looking at the logs and found that MBAM blocked an IP today from China [218.15.142.41] when I wasn't even here. Steam, Firefox, Opera, and mIRC were running but I wouldn't think any one of them would be contacting something in China. Since the logs don't record the port (maybe in the future?), is there a way I can trace back which program tried to communicate with this IP? I ran a scan with MBAM and it came back clean. Scanning with Kaspersky Online right now.

swagger


The remote address:

218.15.142.41 (41.142.15.218.broad.yj.gd.dynamic.163data.com.cn) (CHINA)

Yes, thank you... I was able to get that via traceroute which is why I said China in my original post.

MBAM logs the IPs blocked, but I do not believe it currently logs the application that tried connecting to it.

Very true by looking at the logs. Hence why I requested MBAM to record port numbers as well as the IP in the future.

If you're on Vista or Windows 7 then the firewall logs may show it or may be able to be configured to log it.

Unfortunately, this is an XP Pro box that it happened on so I am out of luck there...

By the way, my scan with Kaspersky came back clean last night.

Edit for typo


Another thought: my girlfriend's older son likes to use Limewire/Frostwire against my objection when I'm not around. Is it possible that MBAM sees IPs across the whole LAN? (i.e., I'm on 192.168.3.31, he's on 192.168.3.33) I doubt this is the case, but just wondering as I have no other explanation for my computer contacting that Chinese IP.


It's possible, depending on how the network is configured, but the traffic to/from the other machines on the network shouldn't be coming anywhere near each other unless specifically told to.

I'd recommend blocking the Limewire/Frostwire ports at the router :) (won't guarantee stopping it as he can simply change ports, but configuring the router to ONLY allow outgoing ports required, for example port 80 for HTTP, 443 for HTTPS, will reduce his chances of being able to ignore you, which in turn, risks the network)


Yeah, I could probably do that and be relatively fine. Another side effect I have noticed since the new IP protection has been implemented is 5 second delays when accessing certain websites or pinging certain IPs. That needs to become faster in future releases. I've tested this theory with versus without IP protection on, and it's definitely related.


Understandable... My router is definitely not a small business router but a high end SOHO router. Either way, I don't think P2P is related to why my desktop computer which is wired to the router and has the paid version of MBAM installed suffers from a significant delay (5 seconds) when trying to access certain websites or while pinging certain IPs.


It's possible, depending on how the network is configured, but the traffic to/from the other machines on the network shouldn't be coming anywhere near each other unless specifically told to.

I'm having a similar issue. Could you expand on the possibility of networked LAN PCs having the IP block triggered? I noticed two different times that the IP Block got triggered without any apparent reason on my PC, but I did have a mapped drive to a PC that had been having a trojan issue. They both seemed to happen right as I logged into my PC, and both trying to reach similar IPs to the above mentioned IP.

Symantec and MalwareBytes scan clean, and I haven't seen any pop ups since I disconnected from that mapped drive.

Thanks!!


This specific issue occurs because the packets to and from the infected machine (e.g. DNS [UDP], ICMP etc.) are echoed to the other machines on the network.

Your firewall will be blocking the incoming packets from the other machine, which is why you'll not see them when disconnecting from the mapped drive (the mapped drive provides a connection between the two machines, that will then allow the packets to bounce to/from each other).
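The thread raises two things MBAM's own log cannot answer: which port (and direction) a blocked IP was contacted on, and whether a block was triggered by traffic from a machine on the same LAN rather than by this PC reaching out. The Windows Firewall log (pfirewall.log, W3C format, with its column names given on the `#Fields:` line) records protocol, both IPs, both ports and a SEND/RECEIVE path, though not the process. The script below is an added example, not code from the forum, MBAM or Microsoft: it parses that format, lists every entry involving a given address with its ports and direction, and counts DROP entries by whether the remote side is a private (LAN) address. The log text is constructed for the example; the only address taken from the thread is 218.15.142.41, and 192.168.3.33 stands in for the other LAN PC.

```python
import ipaddress
from collections import Counter

# Constructed sample in Windows Firewall (pfirewall.log) W3C format. Not a real
# capture: the blocked address from the thread appears as a destination of
# outbound SENDs and as the source of one inbound ICMP, and a LAN peer
# (192.168.3.33) appears as the source of an inbound UDP drop.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-08-12 03:14:07 DROP TCP 192.168.3.31 218.15.142.41 1187 8080 48 S 2905631 0 65535 - - - SEND
2009-08-12 03:14:10 DROP TCP 192.168.3.31 218.15.142.41 1188 8080 48 S 2905632 0 65535 - - - SEND
2009-08-12 03:15:22 DROP UDP 192.168.3.33 192.168.3.31 6346 6346 120 - - - - - - - RECEIVE
2009-08-12 03:15:25 OPEN TCP 192.168.3.31 203.0.113.5 1190 80 0 - 0 0 0 - - - -
2009-08-12 03:16:01 DROP ICMP 218.15.142.41 192.168.3.31 - - 60 - - - - 8 0 - RECEIVE
"""

# RFC 1918 ranges: anything here is "on the LAN side" for our purposes.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_log(text):
    """Parse W3C-style firewall log text into dicts keyed by the #Fields names.

    Lines whose column count does not match the #Fields header are skipped so a
    truncated line cannot shift values into the wrong columns.
    """
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue
        rows.append(dict(zip(fields, parts)))
    return rows


def is_lan(ip):
    """True if ip falls in a private (RFC 1918) range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def hits_for(rows, target):
    """Every entry where target is either endpoint, with direction and the
    local/remote port split out. path is SEND for outbound, RECEIVE for inbound."""
    out = []
    for r in rows:
        if target not in (r["src-ip"], r["dst-ip"]):
            continue
        target_is_dst = r["dst-ip"] == target
        out.append({
            "time": f"{r['date']} {r['time']}",
            "action": r["action"],
            "protocol": r["protocol"],
            "direction": r["path"],
            "remote_port": r["dst-port"] if target_is_dst else r["src-port"],
            "local_port": r["src-port"] if target_is_dst else r["dst-port"],
        })
    return out


def dropped_by_origin(rows):
    """Count DROP entries by whether the far end is a LAN host or an Internet host.

    For SEND the far end is dst-ip; for RECEIVE it is src-ip.
    """
    counts = Counter()
    for r in rows:
        if r["action"] != "DROP":
            continue
        remote = r["src-ip"] if r["path"] == "RECEIVE" else r["dst-ip"]
        counts["lan" if is_lan(remote) else "internet"] += 1
    return counts


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for h in hits_for(rows, "218.15.142.41"):
        print(h)
    print(dict(dropped_by_origin(rows)))
```

Point the script at a real pfirewall.log by reading the file into `parse_log` instead of `SAMPLE_LOG`. The local port from a SEND entry is the piece MBAM's log lacks: matched against `netstat -ano` output taken around the same time, it is what ties the connection back to a process ID. Inbound RECEIVE drops whose source is a private address are the "other machine on the network" case the reply above describes, not this PC contacting the Internet.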

