1 hour ago, ComputerFlake said:

https://3145783142-my.sharepoint.com/

I need my Sharepoint UNBLOCKED! It's crippling my business!

Hello-

We do not show either the domain or the IP which the domain resides on in our database; was this perhaps a Browser Guard block?

Edited by AdvancedSetup
Disabled live hyperlink

Just now, ComputerFlake said:

Premium 4.5.3

You can find Scan and Protection logs within the Malwarebytes 4 program in the following location:

[screenshot]

RTP stands for Real-Time Protection and is where automatic protection operations would normally be logged.

[screenshot]

If you click on the View option you should get something similar to the following with other options available.

[screenshot]

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 1/31/22
Protection Event Time: 3:57 PM
Log File: d3b82ee4-82e0-11ec-ad2c-c49dedec81a2.json

-Software Information-
Version: 4.5.3.162
Components Version: 1.0.1579
Update Package Version: 1.0.50541
License: Premium

-System Information-
OS: Windows 11 (Build 22000.469)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Compromised
Domain: 3145783142-my.sharepoint.com
IP Address: 37.57.137.208
Port: 443
Type: Outbound
File: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(end)


Port scanning is not my issue. This is my issue:

The webpage at

https://3145783142-my.sharepoint.com/_layouts/15/MySite.aspx?MySiteRedirect=AllDocuments

might be temporarily down or it may have moved permanently to a new web address.
ERR_FAILED

As soon as I try to open OneDrive via the web in Chrome, I get this message and the "Blocked due to compromised" error appears. This has to be unblocked somehow.

Edited by AdvancedSetup
Disabled live hyperlink

That may be but sharepoint.com is a Microsoft owned and operated Domain on its own network and 37.57.137.208 is hosted in Ukraine and is unlikely to be a Microsoft Hosted IP.

Edited by David H. Lipman
Edited for content, clarity, spelling and/or grammar

Well, this was really strange. I got it fixed. Turns out the IT guy she had (she's in St Louis and I'm in Nashville, so I wasn't onsite) put in a crummy router that was giving out DHCP and it was using itself as DNS. It was faulty, so many different sites were not working properly. I gave her a static DNS and everything started working.

I'm aware the IP address was from the Ukraine because I did a reverse lookup on it long before I came here. It was just bizarre that I ONLY got the MB popups when trying to access the OneDrive (Sharepoint) folders in office.com or via the OneDrive app. It came up immediately and said the site was accessing a compromised site and gave me the Ukrainian IP address. Only once I decided to overlook that popup and try something else (such as removing MB entirely) did I notice it still didn't work.

I'm glad it was a network issue because I've never seen MB do that before. What really makes no sense is that she is on a NAT'd internal network so there's an almost ZERO chance a Ukraine IP address could scan her individual computer behind two firewalls. Add the popup message to that scenario and you've got the perfect storm. I'll reinstall MB Premium now and see what happens. I'll probably disable the notifications entirely so it'll continue to work and not totally freak the lady out. She thought hax0rz had gotten to her!

Thanks for the ideas, guys. I appreciate you walking me through the product.


14 minutes ago, ComputerFlake said:

I'll probably disable the notifications entirely so it'll continue to work and not totally freak the lady out. She thought hax0rz had gotten to her!

Be aware disabling notifications will disable all notifications not just web blocks. Sites will still be blocked though.

She would not know about other blocks and think the computer is broken and you will still get a service call.

Edited by Porthos

Thank you

Please realize that many IP Reporting sites show Port Scans and nefarious activities emanating from the POV of the Ukrainian hosted TRIOLAN IP as it was performing against remote sites.

I was thinking of a DNS issue.  There have been times where malware has changed the DNS Server entries on PCs to malicious DNS servers.  Thus a Safe Site could be redirected to a malicious site.

I, and others, have never thought DNS Forwarding on NAT Routers was a great idea.  That is, the Router gets DNS Servers from the ISP and delivers its Gateway address (such as 192.168.1.1 or 10.0.0.1) to DHCP Clients as the DNS server.  For one, that introduces another Hop in the DNS query.  If one is to use that on the LAN, then I have always suggested the Router DNS Server Table be statically set to one ISP provided DNS server and the rest being Public DNS Servers such as:

  • Google [ IPv4; 8.8.8.8 ]
  • CloudFlare [ IPv4; 1.1.1.1 ]
  • Level 3 [ IPv4; 4.2.2.1 ] 

on the Router so that IFF the DHCP Client gets the Router Gateway IP address as the DNS Server, the DHCP Client will get good Resolution. 

You will find that, on this Forum, it is suggested to override the DHCP provided DNS Server(s) with statically set Google DNS Servers.

Edited by David H. Lipman
Edited for content, clarity, spelling and/or grammar
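A small triage script, added here as an example (it is not Malwarebytes' code and was not posted by anyone in this thread), that ties the pieces of the thread together: it parses the -Website Data- block from the event pasted above, compares the answer the LAN resolver gave (the router handed out by DHCP, as in the faulty-router case) with the answer from an independent public resolver such as the ones listed, and decides whether to fix the resolver first or to report the block as a false positive. The resolver answers are constructed inputs, 192.0.2.10 is a documentation address standing in for whatever a public resolver actually returns, and the function and constant names are my own.

```python
"""Triage a Malwarebytes 'Blocked Website' event against a second resolver.

Added example, not Malwarebytes' code. It parses the -Website Data- block
from the event pasted in the thread, compares the LAN resolver's answer
with an independent public resolver's answer, and picks a next step.
Lookups are passed in as data so the demo runs offline.
"""
import ipaddress
import re
import socket

# Constructed sample: the -Website Data- section quoted in the thread.
SAMPLE_EVENT = """\
-Blocked Website Details-
Malicious Website: 1
-Website Data-
Category: Compromised
Domain: 3145783142-my.sharepoint.com
IP Address: 37.57.137.208
Port: 443
Type: Outbound
File: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe
(end)
"""

ACTION_FIX_RESOLVER = ("LAN resolver disagrees with a public resolver: set the client "
                       "to a static public DNS server and re-test before touching the block")
ACTION_REPORT_FP = ("both resolvers return the blocked address: leave the block in place "
                    "and submit the domain/IP pair for review as a possible false positive")
ACTION_INVESTIGATE = ("resolvers agree with each other but not with the blocked address: "
                      "capture a fresh lookup from the affected client and investigate")


def parse_website_data(event_text: str) -> dict:
    """Return the 'Key: value' lines under -Website Data- as a dict.

    Parsing stops at the next '-Section-' header or at '(end)'.
    """
    parts = event_text.split("-Website Data-", 1)
    if len(parts) != 2:
        raise ValueError("no -Website Data- section in event text")
    fields = {}
    for line in parts[1].splitlines():
        line = line.strip()
        if line.startswith("-") or line == "(end)":
            break
        m = re.match(r"^([A-Za-z ]+):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def compare_resolvers(lan_answer, reference_answer) -> str:
    """Classify the LAN resolver's answer against an independent one.

    Caveat: CDN-fronted names legitimately return different addresses to
    different resolvers, so DIVERGENT is a lead, not a verdict; triage()
    combines it with the address Malwarebytes actually blocked.
    """
    lan = {ipaddress.ip_address(a) for a in lan_answer}
    ref = {ipaddress.ip_address(a) for a in reference_answer}
    if not lan:
        return "EMPTY: LAN resolver returned nothing (faulty forwarding?)"
    if lan & ref:
        return "consistent"
    return "DIVERGENT: no address in common with the reference resolver"


def triage(fields, lan_answer, reference_answer, dhcp_dns, gateway) -> dict:
    """Combine the event fields with the two lookups and choose an action."""
    blocked = ipaddress.ip_address(fields["IP Address"])
    lan = {ipaddress.ip_address(a) for a in lan_answer}
    ref = {ipaddress.ip_address(a) for a in reference_answer}
    verdict = {
        "domain": fields["Domain"],
        "blocked_ip": str(blocked),
        # True when DHCP pointed the client at the router itself for DNS,
        # i.e. the DNS-forwarding-on-NAT-router setup discussed above.
        "dns_via_router": dhcp_dns == gateway,
        "resolver_check": compare_resolvers(lan_answer, reference_answer),
        "blocked_ip_in_lan_answer": blocked in lan,
        "blocked_ip_in_reference": blocked in ref,
    }
    if verdict["blocked_ip_in_reference"]:
        verdict["action"] = ACTION_REPORT_FP
    elif verdict["blocked_ip_in_lan_answer"]:
        verdict["action"] = ACTION_FIX_RESOLVER
    else:
        verdict["action"] = ACTION_INVESTIGATE
    return verdict


def resolve_live(domain: str) -> list:
    """Live lookup through the system resolver (not used by the offline demo).

    The standard library cannot pick a resolver; on Windows the reference
    lookup would be 'Resolve-DnsName <domain> -Server 8.8.8.8' in PowerShell.
    """
    infos = socket.getaddrinfo(domain, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    fields = parse_website_data(SAMPLE_EVENT)
    # Constructed lookups: the router returned the blocked address, while
    # 192.0.2.10 (TEST-NET-1) stands in for the public resolver's answer.
    result = triage(fields, ["37.57.137.208"], ["192.0.2.10"],
                    dhcp_dns="192.168.1.1", gateway="192.168.1.1")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run on the thread's numbers the script lands on the "fix the resolver first" branch, which is what the static DNS change did; if a public resolver also returns the blocked address, the block is genuine as far as resolution goes and the right move is a false-positive report rather than a DNS change.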

16 hours ago, David H. Lipman said:

I, and others, have never thought DNS Forwarding on NAT Routers was a great idea.  That is, the Router gets DNS Servers from the ISP and delivers its Gateway address (such as 192.168.1.1 or 10.0.0.1) to DHCP Clients as the DNS server.  For one, that introduces another Hop in the DNS query.  If one is to use that on the LAN, then I have always suggested the Router DNS Server Table be statically set to one ISP provided DNS server and the rest being Public DNS Servers such as:

  • Google [ IPv4; 8.8.8.8 ]
  • CloudFlare [ IPv4; 1.1.1.1 ]
  • Level 3 [ IPv4; 4.2.2.1 ] 

I'd say BOTH primary and secondary DNS SHOULD BE configured with public DNS. Avoid errors, DNS hijack, and DNS block (believe me that some ISPs do it).


The reason for 1 ISP DNS Server is that sometimes there are internal Internet Provider services that may require their own DNS Server to resolve and provide access for that service.  Thus preventing problems with their network.

