Malicious IP address 89.28.28.79 blocked


I don't think this is a false positive - I think it's genuine - what I am wondering is what I did to make the blocking necessary. Here's what happened. I had been browsing http://www.thompson-morgan.com/potatoes1/index.html for a few minutes and clicked to go to another page. Then in (I think) this order:

- I got a "this page contains no data" page

- the wireless network connection popped up a system tray message saying it was now connected

- Malwarebytes popped up a system tray message saying it had blocked access to malicious IP address 89.28.28.79 (I'm pretty sure that was the exact wording)

- I refreshed the page I was trying to view and all was well

I whois'd the IP address and it resolved to StarNet in the Republic of Moldova!?

I don't understand several things:

- I wasn't trying to gain access to that IP address. Could it have been the other way round, i.e. was I being probed by that IP address?

- why did the connection get temporarily severed?

- what actually happened?

Now we have the new IP address blocking feature, perhaps a sticky giving some background on the topic would be a good idea. I for one am nowhere near well enough clued up on the way computers reach out to one another, bidden or otherwise.

Andy


Greetings Andy :blink:.

It's likely that there was an ad or link on the page you navigated to that had been hacked to lead to the malicious IP, I've seen this occur many times in the past. If you'd like further info about the IP Protection module please have a look at this topic.

If you need anything else, just post.

That's a useful link for purposes of explaining broadly what MBAM's IP blocking capability does, but it falls short of explaining how it might come to be necessary. No criticism implied. Let's accept your hypothesis. I don't understand things like ... if I don't click on the ad or link, how does my PC end up trying to connect to the malicious IP, unbidden by me?

Andy


No criticism taken :blink:. You're curious and I don't see that as a bad thing at all.

if I don't click on the ad or link, how does my PC end up trying to connect to the malicious IP, unbidden by me?

Let's say it's an ad. If it is, then the ad displays content on the web page you're viewing. In reality, the contents of the ad itself are not from the website you're actually viewing; its contents come from a different IP address. This is how Google ads and all other ads work. The same is often true of links to other pages or to other parts of the website, especially if someone has hacked the site in question (the safe site) and embedded a link to malicious content with the intent of infecting the safe site's visitors. It happens quite often unfortunately; I've even seen it on MSN, one of Microsoft's own sites, although admittedly that was very long ago.

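The point made in the reply above (content on a page can come from hosts other than the one you typed in, and some of it is fetched without any click) can be shown concretely. The script below is an added example, not code from the original thread or from Malwarebytes: it parses a page's HTML and separates resources the browser fetches automatically while rendering (scripts, images, iframes, stylesheets) from links that are only followed when clicked, reporting only the third-party hosts. The sample page, its hostnames and the 198.51.100.7 address are all constructed for the example and have nothing to do with the site or IP discussed in the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute the browser requests on its own while rendering,
# with no user interaction. A hostile ad tag or injected iframe lives here.
AUTO_FETCH = {
    "script": "src",
    "img": "src",
    "iframe": "src",
    "embed": "src",
    "object": "data",
    "link": "href",   # only counted for stylesheet/icon rels, see below
}

# Tags whose URL is only requested after the user clicks.
ON_CLICK = {"a": "href"}


class ResourceCollector(HTMLParser):
    """Collect third-party URLs, split by whether they load automatically."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.automatic = []   # (tag, absolute_url) fetched during rendering
        self.on_click = []    # (tag, absolute_url) fetched only on click

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in AUTO_FETCH:
            if tag == "link":
                rel = (attrs.get("rel") or "").lower()
                if not ("stylesheet" in rel or "icon" in rel):
                    return   # canonical/alternate links are not fetched
            attr, bucket = AUTO_FETCH[tag], self.automatic
        elif tag in ON_CLICK:
            attr, bucket = ON_CLICK[tag], self.on_click
        else:
            return
        url = attrs.get(attr)
        if not url:
            return
        absolute = urljoin(self.page_url, url)   # resolve relative paths
        host = urlsplit(absolute).hostname
        # Same-host resources are expected; only foreign hosts are of interest.
        if host and host != self.page_host:
            bucket.append((tag, absolute))


def third_party_loads(page_url, html):
    """Return {'automatic': [...], 'on_click': [...]} of third-party resources."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    collector.close()
    return {"automatic": collector.automatic, "on_click": collector.on_click}


def hosts_contacted_without_click(page_url, html):
    """Hosts the browser will connect to just by rendering the page."""
    loads = third_party_loads(page_url, html)
    return sorted({urlsplit(url).hostname for _, url in loads["automatic"]})


# Constructed sample page (hypothetical hosts, not the site from the thread).
PAGE_URL = "http://www.example-seedco.test/onions/index.html"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="http://www.example-seedco.test/onions/">
<script src="http://ads.example-adnet.test/tag.js"></script>
</head><body>
<img src="/images/garlic.jpg">
<iframe src="http://198.51.100.7/banner/"></iframe>
<a href="/garlic/purple-moldovan.html">Purple Moldovan</a>
<a href="http://partner.example.test/garlic">Partner shop</a>
</body></html>
"""

if __name__ == "__main__":
    result = third_party_loads(PAGE_URL, SAMPLE_HTML)
    print("Fetched automatically (no click needed):")
    for tag, url in result["automatic"]:
        print(f"  <{tag}> {url}")
    print("Fetched only if clicked:")
    for tag, url in result["on_click"]:
        print(f"  <{tag}> {url}")
    print("Hosts contacted by merely opening the page:",
          hosts_contacted_without_click(PAGE_URL, SAMPLE_HTML))
```

For the sample page, the two automatic loads are the ad script on ads.example-adnet.test and the iframe on 198.51.100.7; the partner link is only contacted if clicked. Run against a real page's saved HTML, the "automatic" list is where to look first when a blocker fires on a site you never deliberately visited. The caveat is that scripts, once loaded, can request further hosts at runtime that no static parse will show.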

@ Exile

re:

hacked the site in question (the safe site) and embedded a link to malicious content with the intent of infecting the safe site's visitors.

:)

I hope that these get resolved as soon as they are known, but that doesn't help the people that get infected in the meantime :blink:


  • Root Admin

They happen all the time and often there is very little recourse or ability to correct it. Revolving ads are a way of life on the Internet as are bot controlled servers and desktops. The owner of the site would have to know and want to change or block such ads.


@ Ron

Very true. :/ I would think that the site owner would want to resolve it though, especially if it's a much-used website and/or a respected, well-known site and/or business.


Every 3.6 seconds a website is infected

Angela Moscaritolo July 22, 2009

Infected websites have been the single biggest threat over the past six months, and the threat vectors that have seen the most growth are Web 2.0 and social networking technologies, according to the report, which was released Wednesday by security firm Sophos.

http://www.scmagazineus.com/Every-36-secon.../article/140414

New York Times infected with fake ads

14 Sep 2009 at 10:57 by jelmer

https://root.cd/news/16

Keep your anti virus and anti malware applications up to date.


Very true. :/ I would think that the site owner would want to resolve it though, especially if it's a much-used website and/or a respected, well-known site and/or business.

Well, in this case it is a very respectable company, and I'm quite sure they would want to know if their site had been hacked - but how do I know whether or not it was a false positive? The MBAM IP blocking false positive issue is pretty hot at the moment, isn't it ... indeed, I wonder how one can ever know whether a blocked IP address is a FP or not? In this case, on the face of it, it seems unlikely that a traditional British company would have their website partially hosted in Moldova (*) - but why not, I mean global village and all that, and I presume even genuine ads are linked from other websites rather than all residing on the host server?

Why did the connection get temporarily severed? I've had other alerts that didn't result in a severed connection.

PS I've just been looking at the website again to see if I could reproduce the problem. So far no, BUT I have found the Moldovan connection! I was looking at a page about autumn-planted onions, shallots and garlic, and one of the three varieties of garlic, which had a link (on which I clicked last time), is Purple Moldovan. Needless to say, that crucial fact was the last thing on my mind when I was whois'ing the IP address, but it now seems reasonable that at least a bit of the site might emanate from Moldova. So it starts to seem a bit more likely to be a FP, doesn't it?


Andy! I would post this in this forum: http://www.malwarebytes.org/forums/index.php?showforum=42

I'm sure you know the way :blink:. You might get an answer to your question in there. Good luck... cheers...

Hi,

Yes, I know of that forum, but it doesn't seem to me to be the right one. AIUI, that forum is specifically for reporting known false positives. I tried posting once to ask whether an alert was a false positive or not, and I got told, by no less a person than Ron himself:

"This is not a general forum for posting Andy. That is why your post was moved.

Staff and Experts are here to respond to user requests for concerns over a False Positive. If you have one yourself that you're reporting, even if its the same IP then you need to create your own post."

So until I know for sure I have a FP, I shan't be posting there again. Which probably means I shan't be posting there at all :)


I think you are mistaken, Andy... I think that section of the forum is for users who think they have a false positive and want to confirm it and get it fixed... You don't have to absolutely know it's an F/P before posting, but it's good to be somewhat sure. I'm sure you won't listen to me though :blink:


@swagger

<luddite mode>

Does this new-fangled twittery @prefixing actually do anything, other than indicate a sort of hybrid between post and private message?

</luddite mode>

OK, I'm listening. My posts do wax a bit philosophical at times; I'll try the other forum and confine myself to the FP angle :blink:. But this here is a forum for general issues with MBAM, and I'd still like to know why the connection was temporarily severed when the IP address was blocked. That's fair game for this forum, isn't it?


Hello again Andy :).

MBAM blocked that IP that it identified as malicious based on its current database. To identify the source, or indeed whether the site itself was hacked, would require whoever runs the site to check their own server and check the code behind their own pages. If this has happened, which based on your reports indeed appears to be a possibility, then you or someone who has contact with them should inform them so they can make sure that everything is secure and that, if there was an issue, it has now been corrected. I discovered a nasty in an ad on MajorGeeks once (one of my favorite and most trusted sites), and reported it to their admins and they took care of it immediately. This stuff does happen, all too often these days unfortunately, as the malware makers aren't waiting for the PCs to come to their nasty parts of the web anymore; they want to hit everyone they can, even when their guards are down and they're browsing sites they know to be safe.


The bit of my keyboard that writes "why the connection was temporarily severed when the IP address was blocked" seems not to be working. That's three times I've typed it now and it seems to be invisible to everyone except me :) Are you saying that blocking a malicious IP requires the connection to be temporarily severed?
