I really hope these are FPs, Website blocked due to Trojan/compromise

[PSYKO]

hi there, 

i host a very small server for me and my mates to play on. i run it off an old PC that i had sitting around and thought i may as well use it for something!

recently i have started getting real time blocking events happening, "website blocked due to Trojan" or "website blocked due to compromise" the port and exe that they are coming through to is the game exe that the WebUI uses to connect to the PC to control the server, the IPs that the events are coming from are different, and they happen at random times

 

as you can imagine this is freaking me out somewhat, i am hoping someone here can shed light on the matter

here are the exported log files

Spoiler

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 7/1/22
Protection Event Time: 3:39 PM
Log File: 7361d3b2-f8ef-11ec-8ee0-c86000c39830.json

-Software Information-
Version: 4.5.10.200
Components Version: 1.0.1709
Update Package Version: 1.0.56605
License: Premium

-System Information-
OS: Windows 10 (Build 19044.1766)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\Eagle Dynamics\DCS World OpenBeta Server\bin\DCS.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Compromised
Domain: 
IP Address: 179.43.155.172
Port: 8088
Type: Inbound
File: C:\Program Files\Eagle Dynamics\DCS World OpenBeta Server\bin\DCS.exe

(end)

------------------------------------------------------------------------------------------------------------------------------------------------------

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 7/1/22
Protection Event Time: 2:53 PM
Log File: edd8678e-f8e8-11ec-8ff5-c86000c39830.json

-Software Information-
Version: 4.5.10.200
Components Version: 1.0.1709
Update Package Version: 1.0.56605
License: Premium

-System Information-
OS: Windows 10 (Build 19044.1766)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\Eagle Dynamics\DCS World OpenBeta Server\bin\DCS.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Trojan
Domain: 
IP Address: 46.249.32.102
Port: 8088
Type: Inbound
File: C:\Program Files\Eagle Dynamics\DCS World OpenBeta Server\bin\DCS.exe

(end)

do they look like FPs? or do i need to freak out?

i should note that these events do not happen when the server exe is not running,

 

 

I'm not sure whats going on,

 

cheers guy

 

[thisisu]

Hello,

I believe the problem is that the game uses peer to peer technology and one of the servers that it's trying to connect to is compromised with malware. That's what we're currently blocking:

Here are some of the files being hosted on the server.

Regards

[PSYKO]

That k you for taking a look, So this is one of the servers that the game developer uses? Or is this a personal computer that the owner is trying to connect to mine?

 

Should I be forwarding your results to the game devs? 

[thisisu]

55 minutes ago, PSYKO said:

That k you for taking a look, So this is one of the servers that the game developer uses? Or is this a personal computer that the owner is trying to connect to mine?

 

Should I be forwarding your results to the game devs? 

You're welcome. I really don't know the answer to your second question, but it sounds like the game connects to several different IP addresses to attain/download the game's content, some of which may also be hosting malware. These things usually clear up rather quickly and we'll be able to unblock affected IPs.

 

Quote

Or is this a personal computer that the owner is trying to connect to mine?

This doesn't sound likely, especially if this is only occurring when you are trying to play a P2P type of game.

I'll leave a quote by @Porthos as topics like yours pop up often on Steam games.

Quote

As for why Malwarebytes blocks Steam, Epic and other games, this is because Steam is Torrent based software, are what are known as Peer-to-Peer (P2P) applications meaning it connects to many different servers/IP addresses (this is how files are downloaded through Torrent based software) and because of this, sometimes Torrent based software will connect to a server that is also known for hosting malicious content.  This is because servers/IP addresses are often shared by multiple sites, so while what you are Playing/downloading through Torrent based software may be perfectly safe, some of the sites hosted on some of the IP addresses that Torrent based software connects to may be malicious.  Such connections are not a threat however, and you may exclude Torrent based software from the Web Protection component in Malwarebytes to stop the blocks from happening without compromising your protection (your web browser and other critical web facing programs will still be fully protected from malicious websites and other malicious content).  To do so, add the game exe to your exclusions using the method described under the Exclude an Application that Connects to the Internet section of this support article.

I hope it helps :)

[PSYKO]

Thank you so much, would this still be the case with a game that's not on steam or epic or anything like that? 

Im not sure if DCS world uses any of the same technology, I do know however that the port that the sites are coming through is the WebUI, which allows control of a server remotely. Ie, Change a mission

I that concisered P2P? I'm not well versed in all this sort of stuff

Just want to try understand as much as I can, don't get me wrong, I would rather mbam block every thing it possibly can, as agressively as possible! just need to make sure my network stays as safe as possible 

 

One of the reasons Iove mbam! So good

[PSYKO]

Sorry for being such a needy muppet, thank you for all your knowledge and wisdom 

[thisisu]

1 hour ago, PSYKO said:

I that concisered P2P? I'm not well versed in all this sort of stuff
 

Honestly I am not sure. I'll leave the topic open in case they have more insight. :)

[PSYKO]

Sounds good, I'll post link here on their forums, might be good for info 

[Porthos]

You can add the game to play mode where the IP's will be blocked but not interrupt the game. https://support.malwarebytes.com/hc/en-us/articles/360038518074-Hide-Malwarebytes-notifications-using-Play-Mode-