IP Block and what to do...

Under the FAQ Section G, IP Protection Module it says

"What does this notification mean?

This notification means quite simply, that an IP address has been blocked. It does NOT necessarily mean you are infected, it simply means a program on your computer (e.g. your browser, IM program, P2P program etc), tried accessing a malicious IP address. If this notice was presented when you were not actually doing anything on the machine, then I suggest having your computer looked at"

I got the logs below today and over the past few days, but a full scan comes up with a clean computer. I ran a whois check on the IP addresses and this is what they came up with. So.... now what, and why?

Logs & IP location:

05:19:50 Administrator MESSAGE Protection started successfully

05:20:33 Administrator MESSAGE IP Protection started successfully

05:53:11 Administrator IP-BLOCK 78.159.112.215

05:53:13 Administrator IP-BLOCK 78.159.112.215

05:53:17 Administrator IP-BLOCK 78.159.112.215

05:53:22 Administrator IP-BLOCK 94.96.6.50

05:53:24 Administrator IP-BLOCK 94.96.6.50

05:53:28 Administrator IP-BLOCK 94.96.6.50

06:18:05 Administrator IP-BLOCK 69.64.155.175

06:18:08 Administrator IP-BLOCK 69.64.155.175

06:18:14 Administrator IP-BLOCK 69.64.155.175

IP Location: Germany Berlin Netdirekt E.k

Resolve Host: 78-159-112-215.internetserviceteam.com

IP Address: 78.159.112.215

Blacklist Status: Clear

OrgName: RIPE Network Coordination Centre

OrgID: RIPE

Address: P.O. Box 10096

City: Amsterdam

StateProv:

PostalCode: 1001EB

Country: NL

___________________________________________________________________

IP Location: United States Bellevue Enom Incorporated

IP Address: 69.64.155.175

SSL Cert: www.ehost-services208.com expires in 66 days.

Reverse IP: 329 other sites hosted on this server.

Blacklist Status: Clear

OrgName: eNom, Incorporated

OrgID: ENOM

Address: 15801 NE 24th Street

City: Bellevue

StateProv: WA

PostalCode: 98008

Country: US

___________________________________________________________________

IP Location: Saudi Arabia Riyadh Dsl Home Subscribers_dynamic Ips

Resolve Host: 94.96.6.50.dynamic.saudi.net.sa

IP Address: 94.96.6.50

Blacklist Status: Clear

OrgName: RIPE Network Coordination Centre

OrgID: RIPE

Address: P.O. Box 10096

City: Amsterdam

StateProv:

PostalCode: 1001EB

Country: NL
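
The log lines above have a regular shape (time, user, IP-BLOCK, address), which makes the question "do these blocks happen while the machine is idle?" something you can check from the log itself instead of from memory. The following is an added example, not code from the post or from the product that wrote the log: it parses the IP-BLOCK lines, groups each address's rapid retries into a burst, and reports which bursts fall outside user-supplied "I was at the keyboard" windows. The sample log is the one posted above; the active windows are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the log lines quoted in the post above.
SAMPLE_LOG = """\
05:19:50 Administrator MESSAGE Protection started successfully
05:20:33 Administrator MESSAGE IP Protection started successfully
05:53:11 Administrator IP-BLOCK 78.159.112.215
05:53:13 Administrator IP-BLOCK 78.159.112.215
05:53:17 Administrator IP-BLOCK 78.159.112.215
05:53:22 Administrator IP-BLOCK 94.96.6.50
05:53:24 Administrator IP-BLOCK 94.96.6.50
05:53:28 Administrator IP-BLOCK 94.96.6.50
06:18:05 Administrator IP-BLOCK 69.64.155.175
06:18:08 Administrator IP-BLOCK 69.64.155.175
06:18:14 Administrator IP-BLOCK 69.64.155.175
"""

# time, user, literal IP-BLOCK, dotted IPv4 address; MESSAGE lines do not match
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+(\S+)\s+IP-BLOCK\s+(\d{1,3}(?:\.\d{1,3}){3})$")


def hms(s):
    """Parse an HH:MM:SS string as logged (the log carries no date)."""
    return datetime.strptime(s, "%H:%M:%S")


def parse_blocks(text):
    """Return a list of (time, ip) for every IP-BLOCK line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((hms(m.group(1)), m.group(3)))
    return events


def group_bursts(events, gap=timedelta(seconds=30)):
    """Merge consecutive blocks of the same IP that are at most `gap` apart into one burst.
    A burst is {"ip", "first", "last", "count"}; the retry pattern in the log
    (three hits a few seconds apart) collapses into one entry per address."""
    bursts = []
    for t, ip in events:
        last = bursts[-1] if bursts else None
        if last and last["ip"] == ip and t - last["last"] <= gap:
            last["last"] = t
            last["count"] += 1
        else:
            bursts.append({"ip": ip, "first": t, "last": t, "count": 1})
    return bursts


def idle_bursts(bursts, active_windows):
    """Return the bursts that lie entirely outside the given (start, end) windows.
    The windows are an assumption supplied by the user: when they were actually
    browsing, reading mail, etc. Anything outside them happened while idle."""
    def active(t):
        return any(start <= t <= end for start, end in active_windows)
    return [b for b in bursts if not active(b["first"]) and not active(b["last"])]


def summarize(text, active_windows):
    """Per-IP hit counts, the bursts, and the subset of bursts seen while idle."""
    events = parse_blocks(text)
    per_ip = defaultdict(int)
    for _, ip in events:
        per_ip[ip] += 1
    bursts = group_bursts(events)
    return {"per_ip": dict(per_ip), "bursts": bursts,
            "idle": idle_bursts(bursts, active_windows)}


if __name__ == "__main__":
    # Constructed assumption: the user only touched the machine right after boot.
    windows = [(hms("05:15:00"), hms("05:30:00"))]
    report = summarize(SAMPLE_LOG, windows)
    for b in report["bursts"]:
        flag = "IDLE" if b in report["idle"] else "active"
        print(f"{b['ip']:16} {b['first']:%H:%M:%S}-{b['last']:%H:%M:%S} "
              f"x{b['count']} [{flag}]")
```

Each burst here is three retries within about ten seconds, and with the constructed windows all three land while nobody was at the keyboard, which is exactly the case the FAQ quoted above says to take seriously. The burst grouping only merges consecutive hits to the same address, so interleaved blocks of two different addresses stay separate.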


Not really much to do here, it blocked an IP address either from the site or from a list of addresses from somebody that's hosting malicious sites...

Is the block showing up while you are surfing?

Like the description said, if it's popping up while the computer is sitting idle, then you have a problem. And you did a full scan which didn't come up with anything so..

I believe you're okay...


Unfortunately it is while the computer is idle. However, this is not constant and doesn't occur multiple times through the day, just typically a few hits in a relatively short period of time. The computer was on for most of the day and no new issues. A full scan still shows no infections of any type. Makes me wonder if someone is searching for computers with vulnerabilities.


All 3 IPs are on known malicious ranges, with the first and third being server lines and the second being a residential IP in Saudi Arabia.

If you're sure it's not P2P software or an infection generating these, I'd ask that you please post packet captures so we can identify the traffic causing this.

You can capture the traffic using Wireshark:

www.wireshark.org


Will try to do so. Thanks...

Link to post
Share on other sites

  • 4 weeks later...

Got it... It took some time but I wanted to get a capture that occurred before checking email or getting on the internet. This capture and IP block occurred 30 min after the computer was started. Now I have another issue related directly to this post.

I can't upload a single file over 10 MB, but the capture log is 11,064,912 bytes.
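
A capture taken while idle for half an hour is mostly background traffic that has nothing to do with the three blocked addresses, so the practical fix for the upload limit is to keep only the frames whose source or destination is one of the blocked IPs. The following is an added example, not code from the forum or from the Wireshark project: a small pure-Python pcap filter that does this offline. It assumes the file was saved in the classic little-endian libpcap format with Ethernet framing (Wireshark can save in that format; pcapng is not handled), and it builds its own constructed sample capture so it runs without a real file. The private and documentation-range addresses in the sample are constructed; the three blocked addresses are the ones from the log.

```python
import io
import socket
import struct

# The three addresses reported as blocked in the log above.
BLOCKED = {"78.159.112.215", "94.96.6.50", "69.64.155.175"}

PCAP_MAGIC = 0xA1B2C3D4                 # little-endian, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, tz, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")         # ts_sec, ts_usec, incl_len, orig_len
ETH_IPV4 = b"\x08\x00"


def build_packet(src, dst, payload=b""):
    """Construct a minimal Ethernet/IPv4 frame (test data, not real traffic)."""
    eth = b"\x00" * 12 + ETH_IPV4                     # zeroed MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload


def write_pcap(frames, ts_start=0):
    """Serialize frames into a libpcap byte string (link type 1 = Ethernet)."""
    out = io.BytesIO()
    out.write(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))
    for i, frame in enumerate(frames):
        out.write(REC_HDR.pack(ts_start + i, 0, len(frame), len(frame)))
        out.write(frame)
    return out.getvalue()


def iter_records(data):
    """Yield (ts_sec, ts_usec, frame) for every record in a little-endian pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only classic little-endian pcap is handled here")
    off = GLOBAL_HDR.size
    while off + REC_HDR.size <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def ipv4_endpoints(frame):
    """Return (src, dst) dotted strings for an Ethernet/IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != ETH_IPV4:
        return None
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])


def filter_pcap(data, addresses):
    """Return (smaller pcap, list of kept (src, dst), number of frames dropped),
    keeping only frames whose source or destination is in `addresses`."""
    out = io.BytesIO()
    out.write(data[:GLOBAL_HDR.size])                 # reuse the original global header
    kept, dropped = [], 0
    for ts_sec, ts_usec, frame in iter_records(data):
        ends = ipv4_endpoints(frame)
        if ends and (ends[0] in addresses or ends[1] in addresses):
            out.write(REC_HDR.pack(ts_sec, ts_usec, len(frame), len(frame)))
            out.write(frame)
            kept.append(ends)
        else:
            dropped += 1
    return out.getvalue(), kept, dropped


# Constructed sample capture: two frames to/from unrelated hosts, three involving blocked IPs.
SAMPLE_PCAP = write_pcap([
    build_packet("192.168.1.10", "78.159.112.215", b"\x00" * 20),
    build_packet("192.168.1.10", "203.0.113.7"),
    build_packet("94.96.6.50", "192.168.1.10"),
    build_packet("192.168.1.10", "69.64.155.175"),
    build_packet("192.168.1.10", "192.168.1.1"),
])

if __name__ == "__main__":
    small, kept, dropped = filter_pcap(SAMPLE_PCAP, BLOCKED)
    print(f"kept {len(kept)} frames, dropped {dropped}: {len(SAMPLE_PCAP)} -> {len(small)} bytes")
    with open("blocked_only.pcap", "wb") as f:   # the reduced file to post instead of the 11 MB one
        f.write(small)
```

On a real file, read it with `open(path, "rb").read()` in place of the constructed `SAMPLE_PCAP`. The same reduction is available from Wireshark's own command-line tools (tshark with a display filter on `ip.addr`, or editcap to split a capture into pieces); the stand-alone version above just shows what that filtering does to the file. Note that the output keeps the frames' timestamps, so the reviewer can still line them up against the IP-BLOCK times in the log.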
