Connections to 72.21.91.29

[Hornsj2]

Should MB take another look at this IP address?

 

Am I being gas-lighted by this abuseipdb.com  ?  From what I read on this site this is not an issue, but according to that site there is a big problem with this ip.  Are hackers doing social engineering planted reports on that site to freak people out because they know connections to it are widespread?  Or is this really an issue?

I run MB3 on my host.

I have read two other forum posts about this ip address.  One said MB was producing a lot of false positives with Mozilla products on this IP.

 

nslookup ocsp.digicert.com
Server:        127.0.1.1
Address:    127.0.1.1#53

Non-authoritative answer:
ocsp.digicert.com    canonical name = cs9.wac.phicdn.net.
Name:    cs9.wac.phicdn.net
Address: 72.21.91.29

I noticed today that every version of firefox I run, from my windows host running MB, to my two linux VMs show this IP address as having a connection in firefox.  After investigating, I have mixed information about whether or not this IP address should be blocked by MB or if it is really a certificate authority (or whatever you call it).

When I start Firefox  I do lsof (linux) or netstat (windows) and see that it starts a connection to this ip address (a connection which is maintained over port 80).

My extensions are https everywhere, ublock origin, decentraleyes, cookie autodelete.

Given the above information I would be at ease but then I read the reports on this website about people getting hacked through it:

https://www.abuseipdb.com/check/72.21.91.29

Some examples (there are more, and they are all pretty recent)

27 Nov 2018

This guy bought an ssl certificate, BUT... if you run an Nmap scan, you will see that it is just a router, not an ssl server

06 Jan 2019

Secretly records unwanted video and spoofs users on Facebook purporting to be a real person when it is actually a bot. Uses server techniques to create a fake account that can hack into user's personal data without appearing on Facebook. Is determined to exploit servers in order to reveal nudity/other-sexual-content on public social media (e.g. YouTube, Facebook, WhatsApp) to humiliate. Exploits personal information in order to commit extortion by threatening users to give away bank information. The threat includes the user being publicly humiliated/ by accessing personal information, without consent of the user, if he/she does not pay a large sum of money ($8000-10000) to prevent the information from being revealed publicly . Repeatedly contacts the user if the user disconnects from the call/text message, through other forms of social media that the user may be logged into. The user is blackmailed to send a large sum of money through either a fraudulent phone number or email.

22 Feb 2019

This IP was just seen on my Windows system using netstat. Unplugged my router/modem. Why would Verizon be connected to my pc. I've ran scans with Malwarebytes, rogue killer, I've ran rootkit scans and nothing malicious is found. Guess I should wipe the system and start over.

DDoS Attack FTP Brute-Force Fraud VoIP Port Scan Hacking Brute-Force Exploited Host Web App Attack SSH"

[Hornsj2]

I have found when I disable two options under privacy and security in FireFox, these connections go away. "Block dangerous and deceptive content" "Query OCSP responder servers to confirm the current validity of certificates" So I guess it's likely this abuseipdb is being exploited to sow fear?

[Hornsj2]

Would it be a big problem if someone hacked the cert site that Firefox uses to confirm web pages?  Seems like this could make for a widespread problem but admittedly I don't know.

Some people I talk to, and in fact one of my other computers, don't have this ip connection even with those options checked.

[Hornsj2]

Sorry for cross posting this with the other forum section but I think I put it in the wrong place and I didn't now how to move it, or if that is possible.

Should MB take another look at this IP address?

  I run MB3 on my host and on that host + every vm I run off that host (flavors of linux) firefox tries to connect to that site. 

HOWEVER, my laptop is running just linux and it does not exhibit the same behavior with Firefox.  Same flavor as two vms I've looked at on my windows host that is running MB3.  The VM I just created from image does the same thing.  I can't explain it.  What I said in a reply to my own thread in the blocked website section (original thread mentioned above) was that if I turn off two privacy features it stops attempting to connect.  One of them is OCSP responders so maybe that makes sense but the reports of DDOS, hacking, extortion, etc from this IP are pretty alarming.

Am I being gas-lighted by this abuseipdb.com  ?  From what I read on this site (MB) this is not an issue, but according to that (abuseipdb) site there is a big problem with this ip.  Are hackers doing social engineering planted reports on that site to freak people out because they know connections to it are widespread?  Or is this really an issue?

 

I have read two other forum posts about this ip address.  One said MB was producing a lot of false positives with Mozilla products on this IP.

 

nslookup ocsp.digicert.com
Server:        127.0.1.1
Address:    127.0.1.1#53

Non-authoritative answer:
ocsp.digicert.com    canonical name = cs9.wac.phicdn.net.
Name:    cs9.wac.phicdn.net
Address: 72.21.91.29

I noticed today that every version of firefox I run, from my windows host running MB, to my two linux VMs show this IP address as having a connection in firefox.  After investigating, I have mixed information about whether or not this IP address should be blocked by MB or if it is really a certificate authority (or whatever you call it).

When I start Firefox  I do lsof (linux) or netstat (windows) and see that it starts a connection to this ip address (a connection which is maintained over port 80).

My extensions are https everywhere, ublock origin, decentraleyes, cookie autodelete.

Given the above information I would be at ease but then I read the reports on this website about people getting hacked through it:

https://www.abuseipdb.com/check/72.21.91.29

Some examples (there are more, and they are all pretty recent)

27 Nov 2018

This guy bought an ssl certificate, BUT... if you run an Nmap scan, you will see that it is just a router, not an ssl server

06 Jan 2019

Secretly records unwanted video and spoofs users on Facebook purporting to be a real person when it is actually a bot. Uses server techniques to create a fake account that can hack into user's personal data without appearing on Facebook. Is determined to exploit servers in order to reveal nudity/other-sexual-content on public social media (e.g. YouTube, Facebook, WhatsApp) to humiliate. Exploits personal information in order to commit extortion by threatening users to give away bank information. The threat includes the user being publicly humiliated/ by accessing personal information, without consent of the user, if he/she does not pay a large sum of money ($8000-10000) to prevent the information from being revealed publicly . Repeatedly contacts the user if the user disconnects from the call/text message, through other forms of social media that the user may be logged into. The user is blackmailed to send a large sum of money through either a fraudulent phone number or email.

22 Feb 2019

This IP was just seen on my Windows system using netstat. Unplugged my router/modem. Why would Verizon be connected to my pc. I've ran scans with Malwarebytes, rogue killer, I've ran rootkit scans and nothing malicious is found. Guess I should wipe the system and start over.

DDoS Attack FTP Brute-Force Fraud VoIP Port Scan Hacking Brute-Force Exploited Host Web App Attack SSH"

[Malwarebytes]

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 

Spoiler

If you haven’t already done so, please run the Malwarebytes Support Tool and then attach the logs in your next reply:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

1. Download Malwarebytes Support Tool
2. Once the file is downloaded, open your Downloads folder/location of the downloaded file
3. Double-click mb-support-X.X.X.XXXX.exe to run the program
   • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
4. Place a checkmark next to Accept License Agreement and click Next
5. You will be presented with a page stating, "Get Started!"
6. Click the Advanced tab
   
    
7. Click the Gather Logs button
   
    
8. A progress bar will appear and the program will proceed with getting logs from your computer
   
    
9. Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
   
    
10. Please attach the file in your next reply. Before submitting your reply, be sure to enable "Notify me of replies" like so:
       

Click "Reveal Hidden Contents" below for details on how to attach a file:
 

Spoiler

To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.

 

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 

Spoiler

For any of these issues:

• Renewals
• Refunds (including double billing)
• Cancellations
• Update Billing Info
• Multiple Transactions
• Consumer Purchases
• Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team

[Hornsj2]

I apologize for putting this in the wrong section of the forums.

[Hornsj2]

You can go ahead and close this. I don't think this is a MB problem and although I'm going to do more analysis of my network, I can't say right now I think I'm infected with anything.

[LiquidTension]

Hi @Hornsj2,

We don't typically close topics in this section of the forum.

Our Research team have reviewed the IP address and determined it is safe.

If you'd like us to double-check your computer for malware, please carry out the steps in post #5.

[Hornsj2]

Hi there. Thank you for the response, and for MB checking that IP address.

I think I did it AGAIN (posted to wrong forum).

I took this section of the forum description "...get advice from tech experts and fellow users. Learn how to optimize Malwarebytes 3 for your needs and ensure it’s doing everything it can to protect you from online threats like spyware, ransomware, and Trojans. ..." to mean it was for generally safety discussion and not for malware removal.

My license is for Malwarebytes 3.x premium for Windows. I did open a thread shortly after my last post to this thread asking for help.

To be honest, I'd like to know if something is on my machine. I've been waiting in the Windows help section for someone to free up. I've already posted there and figured as soon as everyone was done with the obvious infection cases they would pick out my situation. I mean I see over there that some people clearly have problems and maybe I'm just paranoid about malware.

[LiquidTension]

Thanks for the information. I've responded to your topic in the other forum section. We can move any further discussion there.