IP Block Question


While I was away from my computer the following three warnings occurred. No web browser was open. Skype and Windows Live Mail were open but not being used.

11:50:33 John IP-BLOCK 89.28.24.180

11:50:41 John IP-BLOCK 89.28.24.180

11:50:41 John IP-BLOCK 89.28.24.180

How would I find out what caused that?


I just got a different IP block, again, no browsers running.

13:36:55 John Marg IP-BLOCK 222.64.164.163

13:36:55 John Marg IP-BLOCK 222.64.164.163

13:37:03 John Marg IP-BLOCK 222.64.164.163

13:37:11 John Marg IP-BLOCK 222.64.164.163

13:37:11 John Marg IP-BLOCK 222.64.164.163

Did another scan with MSE, MBAM & SAS, nothing caught, no weirdos in startup, everything listed in HijackThis accounted for.

Is there any way of determining what was trying to access this site (and the other one in the post above)?

PS I now have MBAM Pro on my two notebooks as well


Hi -

Country: China

Country Code: CN

Region: Shanghai

City: Shanghai

Chinese sites - These and Russian are among the most common to cause problems -

Now you can see how MBAM is protecting you from all of these invaders - Prior to this you were open to them and they will keep up until they know you are safe -

Sorry that I cannot give the company sites yet, maybe later, as these are quick searches only -

Thanks -


See: <http://www.robtex.com/ip/222.64.164.163.html#whois>

Do you use any file sharing applications? Do you have any firewall running?

Try downloading/running Mark Russinovich's "TCPView" from Microsoft:

<http://download.sysinternals.com/Files/TCPView.zip>

The following may also shed some light:

<http://download.sysinternals.com/Files/ProcessExplorer.zip>

HTH


Your search - .robtex.com/ip/222.64.164.163whois - did not match any documents

Hi -

I think 1PW means, just go over all the family computers and check the content of their programs -

It only takes 1 if they are all linked to keep bringing up these items -

I only have 2 and I only hook one at a time up to make sure all is OK - If that one is OK then I check the other -

Once done like this you may isolate the one which is accessing these sites -

Thanks -


No file sharing applications, Windows 7 Native Firewall, Hardware Firewall

Some likelihood exists that the blocked IP addresses might be related to Skype.

Even though you may have dismissed the Skype window from your desktop, you might still be "Online" as far as Skype is concerned.

Under these circumstances, ten or more TCP/UDP ports may show up in TCPView with some showing an "ESTABLISHED" relationship with Skype and IP addresses you are unfamiliar with. These could be Instant Messaging (IM) probes.

As a test, you may wish to go to the system tray and right click on the Skype icon and change online status to offline or better yet, Quit Skype altogether.

If MBAM still notifies you of blocked IP addresses, on an otherwise idle system, they are related to yet another system process and will require further investigation. You may also wish to confirm that your version of Skype is at least 5.0.0.152.

HTH


I already have Skype on my suspect list, so it is good to see that you suspect it too.

I am in the process of testing on two computers, both connected to the same router, desktop (W7) by cable, notebook (XP) by wireless.

I initially got the blocks on the desktop when Skype was active (but GUI not visible and not being used).

I Quit Skype on Desktop and since then have not had a block on that computer.

But with Skype active (ditto) on the notebook, I am getting the same blocks.

I will run like this all day, then Quit Skype on the Notebook as well for a day and see if any blocks appear. Then I will turn Skype on on the desktop and off on the Notebook for a day.

I have also installed CurrPorts on both computers to see if I can link its reported activity with MBAM's blocks.

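Linking the MBAM block lines to a connection snapshot, as the poster above is trying to do with CurrPorts, can be done by joining on the remote IP. This is an added example, not code from the thread, Malwarebytes, TCPView or CurrPorts: the log lines are the ones quoted in the thread, while the connection rows are constructed here in a CSV shape (process, PID, remote IP, remote port, state) that is an assumption about how such an export would look.

```python
"""Correlate Malwarebytes IP-BLOCK log lines with a connection snapshot.

Added example for this thread, not code from Malwarebytes, TCPView or
CurrPorts. Log lines follow the format quoted in the thread; the CSV
connection rows (process,pid,remote_ip,remote_port,state) are constructed
and their column layout is an assumption.
"""
import re
from collections import Counter, defaultdict

# Log lines as quoted in the thread ("HH:MM:SS user IP-BLOCK a.b.c.d").
MBAM_LOG = """
11:50:33 John IP-BLOCK 89.28.24.180
11:50:41 John IP-BLOCK 89.28.24.180
13:36:55 John Marg IP-BLOCK 222.64.164.163
13:37:03 John Marg IP-BLOCK 222.64.164.163
13:37:11 John Marg IP-BLOCK 222.64.164.163
""".strip().splitlines()

# Constructed snapshot, as if exported while the blocks were being logged.
CONNECTIONS = """
Skype.exe,2044,89.28.24.180,443,ESTABLISHED
Skype.exe,2044,222.64.164.163,12350,SYN_SENT
wlmail.exe,1832,198.51.100.25,443,ESTABLISHED
svchost.exe,988,192.0.2.10,80,TIME_WAIT
""".strip().splitlines()

BLOCK_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<user>.+?)\s+IP-BLOCK\s+"
                      r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")

def parse_blocks(lines):
    """Return (time, user, ip) tuples; lines that do not match are skipped."""
    matches = (BLOCK_RE.match(line.strip()) for line in lines)
    return [(m["time"], m["user"], m["ip"]) for m in matches if m]

def parse_connections(lines):
    """Return {remote_ip: {'process (pid)', ...}} from the CSV snapshot."""
    by_ip = defaultdict(set)
    for line in lines:
        proc, pid, rip, _port, _state = line.strip().split(",")
        by_ip[rip].add(f"{proc} ({pid})")
    return by_ip

def attribute_blocks(log_lines, conn_lines):
    """Per blocked IP: (number of blocks, processes that held a socket to it).
    An empty process list means the snapshot was not taken while the block fired."""
    owners = parse_connections(conn_lines)
    hits = Counter(ip for _t, _u, ip in parse_blocks(log_lines))
    return {ip: (n, sorted(owners.get(ip, ()))) for ip, n in hits.items()}
```

The snapshot has to be taken while the blocks are being logged; a block whose IP maps to an empty process list only tells you the capture was too early or too late.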

Hi JohnA -

Now you have seen why and how we do quick checks for locations of IPs -

To get the actual program/person/company there is a bit more homework involved that is mostly done by the person getting the blocks -

I hope you find some more information as you go along, as this is a slow job that only you can do when you get the IP blocks -

Good hunting -


Thanks for all the suggestions and help on this.

Skype is definitely the culprit!

I have been testing three computers, one W7, 2 x XP, all with similar setup.

MBAM reports the following IP blocks ONLY occur on a computer when Skype is running, and they happen in blocks of three or four about 3-4 times a day.

IP-BLOCK 89.28.24.180 (Moldova, Republic of) - this is the most frequent address attempted to be accessed.

IP-BLOCK 222.64.164.163 (China, Shanghai).

During this entire test no communications were done using Skype so it was associated with Skype background activity.

The obvious question to ask is why is Skype attempting to access these suspect sites?

And if MBAM wasn't running, what could happen if Skype could access these suspect IP addresses?


Hi -

Did you try downloading Mark Russinovich's "TCPView" -

If something on your system is running amok, or you think you might have a spy in your midst, or you're simply curious (or obsessive) about the inner workings of your network, give this simple program a look. TCPView presents you with a very simple interface that is appropriate to its purpose and relatively easy to use. You get a list of the TCP/UDP connections on your system, and the ability to interact with specific connections or the process that created them.

TCP zip download - this is the download from the Softpedia site -

Thanks -


  • Root Admin

It could simply be from advertising used. If the IP blocks NEVER happen when Skype is not running then I'd bet that is the cause.

If you're getting IP blocks randomly with NO PROGRAMS running then you may be infected, if so then you should follow the advice below.

Please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post.

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org
