
91.214.44.139 and some others


Swinden


Strangely enough, since some weeks there are pop-ups from Malwarebytes blocking websites which do not seem particularly dangerous. They appear at random, whether I'm browsing or not; they even appear just after booting my system.

91.214.44.139 and 91.214.44.133 - Avast.com

94.130.129.239 and 94.130.129.135 - your-server.de (organisation Hetzner Online GmbH)

54.209.95.155 - Amazonaws.com

When I tried to find out more about these URLs in the little program ipscan25, these pop-ups appeared continuously, one after the other.
Finally I could learn more about them with https://centralops.net/co/DomainDossier.aspx


Thanks, MysteryFCM.
Here are the log files of the blocked website 91.214.44.139. The URL 91.214.44.133 points to the same domain name, so I'll leave that alone unless you want to see it:

Malwarebytes
www.malwarebytes.com

-Logboekdetails-
Datum beveiligingsgebeurtenis: 20-10-17
Tijd beveiligingsgebeurtenis: 13:37
Logbestand: 0169a4bc-b58b-11e7-9a93-fcaa1405ffb8.json
Beheerder: Ja

-Software-informatie-
Versie: 3.2.2.2029
Versie componenten: 1.0.212
Update pakketversie: 1.0.3051
Licentie: Premium

-Systeeminformatie-
Besturingssysteem: Windows 10 (Build 15063.674)
Processor: x64
Bestandssysteem: NTFS
Gebruiker: System

-Details van geblokkeerde website-
Kwaadaardige website: 1
, , Geblokkeerd, [-1], [-1],0.0.0

-Websitegegevens-
Domein:
IP-adres: 91.214.44.139
Poort: [58631]
Type: Uitgaand
Bestand:

(end)

Here is the log of IP address 54.209.95.155:

Malwarebytes
www.malwarebytes.com

-Logboekdetails-
Datum beveiligingsgebeurtenis: 06-10-17
Tijd beveiligingsgebeurtenis: 18:47
Logbestand: 06bd55d8-aab6-11e7-ab7c-fcaa1405ffb8.json
Beheerder: Ja

-Software-informatie-
Versie: 3.2.2.2029
Versie componenten: 1.0.207
Update pakketversie: 1.0.2963
Licentie: Premium

-Systeeminformatie-
Besturingssysteem: Windows 10 (Build 15063.632)
Processor: x64
Bestandssysteem: NTFS
Gebruiker: System

-Details van geblokkeerde website-
Kwaadaardige website: 1
, , Geblokkeerd, [-1], [-1],0.0.0

-Websitegegevens-
Domein: katie.tnctrx.com
IP-adres: 54.209.95.155
Poort: [64716]
Type: Uitgaand
Bestand: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

(end)

Here is the log of 94.130.129.239; IP address 94.130.129.135 points to the same domain name, so I'll leave that alone too for the time being:

Malwarebytes
www.malwarebytes.com

-Logboekdetails-
Datum beveiligingsgebeurtenis: 09-10-17
Tijd beveiligingsgebeurtenis: 18:50
Logbestand: 037bf74a-ad12-11e7-bdf2-fcaa1405ffb8.json
Beheerder: Ja

-Software-informatie-
Versie: 3.2.2.2029
Versie componenten: 1.0.207
Update pakketversie: 1.0.2981
Licentie: Premium

-Systeeminformatie-
Besturingssysteem: Windows 10 (Build 15063.632)
Processor: x64
Bestandssysteem: NTFS
Gebruiker: System

-Details van geblokkeerde website-
Kwaadaardige website: 1
, , Geblokkeerd, [-1], [-1],0.0.0

-Websitegegevens-
Domein: coinhive.com
IP-adres: 94.130.129.239
Poort: [51685]
Type: Uitgaand
Bestand: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

(end)

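As an added example for this thread (not part of the original post and not Malwarebytes' own tooling): a small Python helper that parses the localised export format pasted above ("-Sectie-" headers, "Key: value" lines, "(end)" closing each event) and groups the blocks by IP, flagging those recorded with neither a domain nor an owning process, as in the first log. The sample input is abbreviated from the three logs above.

```python
# Added example for this thread, not Malwarebytes' own code: parse the localised
# "blocked website" export and group events by IP so unexplained hits stand out.

# Abbreviated from the three logs posted above ("(end)" closes each event).
SAMPLE_LOGS = """\
-Websitegegevens-
Domein:
IP-adres: 91.214.44.139
Bestand:
(end)
-Websitegegevens-
Domein: katie.tnctrx.com
IP-adres: 54.209.95.155
Bestand: C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe
(end)
-Websitegegevens-
Domein: coinhive.com
IP-adres: 94.130.129.239
Bestand: C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe
(end)
"""


def parse_events(text):
    """Return one dict per event, keyed by section name, then field name."""
    events = []
    for chunk in text.split("(end)"):
        section, record = None, {}
        for line in chunk.strip().splitlines():
            if line.startswith("-") and line.endswith("-"):
                section = line.strip("-")
            elif ":" in line and section:
                key, value = line.split(":", 1)  # first colon only ("Tijd ...: 13:37")
                record.setdefault(section, {})[key.strip()] = value.strip()
        if record:
            events.append(record)
    return events


def group_by_ip(events):
    """Per IP: hit count, domain/process seen (None if empty), and a review flag."""
    by_ip = {}
    for ev in events:
        site = ev.get("Websitegegevens", {})
        ip = site.get("IP-adres")
        if not ip:
            continue
        e = by_ip.setdefault(ip, {"count": 0, "domain": None, "process": None})
        e["count"] += 1
        e["domain"] = site.get("Domein") or e["domain"]
        e["process"] = site.get("Bestand") or e["process"]
        # Blocks with neither a domain nor an owning process deserve a closer look
        # (look up the IP's owner before treating the block as a false positive).
        e["review"] = not (e["domain"] and e["process"])
    return by_ip
```

A real export contains the other sections too (Logboekdetails, Software-informatie, ...); the parser keeps them under their own section names, so they can be reported alongside the website details.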

I found this about the domain coinhive.com: https://blog.malwarebytes.com/security-world/2017/10/why-is-malwarebytes-blocking-coinhive/
That explains a lot.

For the domain katie.tnctrx.com there are also a lot of warnings; I should have noticed all of this earlier.

These blockings came in the same period as 91.214.44.139 and 91.214.44.133, which seem to point at Avast; moreover, DomainDossier gave completely different domain names for the other URLs, hence my confusion and questions.


8 hours ago, MysteryFCM said:

These aren't F/P's. These are legit blocks (not sure where you're seeing Avast.com however, as it resolves to IPs in the 77.234/16 range)

So what does this mean? Is my PC infected? Neither Avast nor Malwarebytes finds anything.

https://centralops.net/co/domaindossier.aspx this website shows the IP in the OP's title ends in avast.com


Apologies for the delay.

I've re-checked them again and it does indeed appear as though Avast are now using 91.214.44.139 and 91.214.44.133. I'm removing the blocks on these IPs.

The remaining IPs however, whilst owned by Hetzner and Amazon, aren't actually used by them, but by third parties.
