
Transient block of remove.video 104.18.53.237 ports 6912 and others



Spun off from https://redd.it/dtx5ez

Quote

For the past 2 weeks I have been getting this warning for every single website. Ports and IPs vary slightly. …

Shared by /u/17_4PH_SS


Domain:     remove.video
IP Address: 104.18.53.237
Port:       6912
Type:       Outbound
File:       C:\Program Files\Waterfox\Waterfox.exe

Around the same time, I found blocks on web browser connections to remove.video.

A frame from a recent screen recording (2019-11-10 05:22:05 UK time):

[Image: frame from the screen recording]

It seems to me that blocks on http and https traffic were lifted around the time of the recording.

Now:

remove.video — Coming Soon - https://remove.video/

– comprises just two visible lines. The address of the site, plus:

Powered by VESTA - https://vestacp.com/

– and the foot of the VESTA Control Panel page includes a link to https://github.com/serghey-rodin/vesta where I find nothing obviously relevant to remove.video or remove video.

According to https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?&page=102 port range 6902-6934 is unassigned.

Please, can someone at Malwarebytes advise re: the origins, and apparent lifting, of this block?

I might add a cross-referencing issue in the GitHub area for Vesta Control Panel.

Thank you


Hi

Thank you for identifying the script.

I am not the affected user; the first link in the opening post should help to put things in context.

In the Reddit discussion, the affected user lists three extensions.

For two of the three, the IDs are not immediately suspicious.

For the third (see my previous post here) I hope that the user can tell us the origin.


4 hours ago, ottersea said:

What is it, and how do I get rid of it, as it is annoying popping up all the time?

According to Post #5, it’s a suspicious script hosted by the site. To get rid of it, you’ll have to avoid visiting that site until / unless it’s removed or deemed harmless.


ottersea, please try:

  1. methodically disabling extensions; then
  2. re-enable one-by-one until the annoyance recurs – and be patient with testing (see below).

For what it's worth, you might focus first on extensions that supposedly help with YouTube. From https://blocked.cdn.mozilla.net/ it's clear that disreputable developers take advantage of people's interest in things such as Adobe Flash and YouTube.

Also consider:

  • dates of installations of extensions
  • dates of updates to installed extensions

– does any date loosely coincide with the beginning of the annoyance?

Patience

Yesterday's https://bugzilla.mozilla.org/show_bug.cgi?id=1598242 was (for example) for an offending YouTube-oriented extension that did not always cause presentation of offending content.

In your case: if there's an offending extension, you should not expect the annoyance to recur immediately (or soon) after re-enabling the extension.

Identification

If you do positively identify an offender, it might help to leave it disabled – not remove it – with a view to reporting the extension to Mozilla.

Thanks


  • 2 weeks later...

Briefly (I might explain more at a later date):

  • the unexpected alerts for a blocked site, when not knowingly visiting the site, can occur through normal about:newtab behaviour in browsers such as Mozilla Firefox, Waterfox Classic and Waterfox Current.

Screen recording below, around nine minutes long. Focus on the Top Sites feature of Firefox Quantum.

I do not yet have a reasonable explanation for the ottersea case (Internet Explorer).

I have a much longer recording but for now, I'll not share publicly (it exposes a weakness in Malwarebytes Premium for Windows – beyond the scope of this topic).

