Blocked IPs - Who's phoning home?


I have a number of blocked IPs every day, the most consistent ones are 89.28.125.138 and 193.169.40.7. I am trying to figure out what application or process is attempting to contact these IPs. I have set my firewall on high restrictions and to log (but allow) any attempt to hit these IPs. However, no item ever appears in the log and these IPs are apparently still being accessed (because they continue to pop up in Malwarebytes).

I've scanned the computer with MWB and a number of other AVs and everything looks clean. Can anyone suggest how these things are getting totally around my firewall and how to track down what is creating them? TIA.


I proved to my satisfaction that Skype was causing this in my case, see the following thread:

http://forums.malwarebytes.org/index.php?s...c=66105&hl=

I tried to specifically trap Skype accessing two suspect IP addresses using cports.exe and temporarily turning off MBAM website blocking, but it happened too infrequently for this to work. I tried TCPView, but the IP blocks caused by Skype are too quick for it to pick up.

In your case, Quit Skype or stop it starting at startup temporarily and see if these IP blocks stop.



Yes, I see you were where I am now. I was thinking it might be Skype but it seemed odd to me that I would be getting such consistent pings from Moldova - why would that be happening? My guess is that I am acting as a Skype supernode so I'm handling basically any traffic that happens to come along. Before trying to shut off Skype entirely, I'm going to see if turning off supernode stops the problem. Will report results.

Thanks for your comments.


When Skype is running, my latest IP blocks are:

222.68.159.215 Beijing China, China Telecom

121.13.9.119 Beijing China, China Telecom

62.45.227.30 Netherlands

Well, ostensibly disallowing ports 80 and 443 in Advanced Settings will keep you from being a Supernode. I turned them off but I'm still turning up with MWB blocking on a site in the Netherlands and one I haven't seen before in Canada (but I have contacts that could conceivably be in Canada, so this is more sensible than accepting connections from Ukraine and Moldova). Tomorrow night I'll turn Skype off entirely to see if that stops it and proves that the issue is Skype.


The next question is - should we take this issue up with Skype?

When I saw the feature list on MWB 5 I figured that was made to order to solve our mystery here. I turned off Skype last night and of course no malicious connections so I was headed there as well. Alas, Skype are the very definition of unresponsive support so I would guess the BEST we could hope for from them would be obfuscation. It does make me wonder what is going on with Skype under the covers - why so many connections to malicious IPs?


Skype are the very definition of unresponsive support so I would guess the BEST we could hope for from them would be obfuscation.

I have had two "as-promised within 12 hours" responses from Skype support on other matters recently - I thought their service was good. I might try this one on them and see what happens.


Well again there was a rapid response from Skype Support about the suspect IP addresses caught by MBAM. Below is what they said. Interesting how it works. It seems that blocking these IPs is highly unlikely to cause any performance issues with Skype.

"We understand the inconvenience that might cause and we appreciate your patience and understanding. Skype is a peer-to-peer (P2P) application. Peer-to-peer makes it possible for multiple computers running the same P2P software to communicate and participate in traffic routing, processing and other bandwidth-intensive tasks that are usually performed by a central server. P2P allows sharing files containing audio, video, data and real-time data.

Skype has no single


Using MBAM 5 Beta, which identifies the process involved, it caught Skype red-handed:

08:59:59 John Marg IP-BLOCK 222.68.159.215 (Type: outgoing, Port: 42255, Process: skype.exe)

The next question is - should we take this issue up with Skype?

--------------------------

Hi Folks..... MBAM 5 Beta??? How soon can I get a version of MBAM that identifies the process?? Currently I only see the IP number that is blocked, but I would do backflips to know what program or process on my PC is causing these IP blocks to occur.

ANY ADVICE here, please????? (Skype not used here)

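For the question in the last post (and the earlier note that TCPView was too quick to catch the connections), here is an added example, not from this thread or from Malwarebytes, that attributes connections to a watched address to their owning process via the Windows Filtering Platform audit log (Security event 5156), which records the process for TCP and UDP alike, however brief the connection. It assumes an elevated PowerShell session on Windows 7 or later; the watchlist is constructed from the addresses quoted in the thread, and the log file path is an arbitrary choice.

```powershell
# Added example (not the thread's or Malwarebytes' own code): find which process
# talks to the watched addresses using Security event 5156 ("permitted a connection").
# Assumes an elevated PowerShell session on Windows 7 / Server 2008 R2 or later.

# Constructed watchlist from the addresses quoted in this thread.
$Watch   = @('89.28.125.138', '193.169.40.7', '222.68.159.215', '121.13.9.119', '62.45.227.30')
$LogFile = "$env:USERPROFILE\Desktop\ipblock-owners.csv"   # arbitrary output path

# Step 1: enable success auditing for WFP connections (noisy; disable again with
# /success:disable once the culprit is found).
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable | Out-Null

# Step 2: read 5156 events written since $Since and keep those hitting the watchlist.
function Get-WatchedConnections {
    param([datetime]$Since, [string[]]$Addresses)
    $filter = @{ LogName = 'Security'; Id = 5156; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Flatten the <Data Name="..."> elements of the event XML into a hashtable.
        $d = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($Addresses -notcontains $d['DestAddress']) { continue }
        $proto = switch ($d['Protocol']) { '6' { 'TCP' } '17' { 'UDP' } default { $d['Protocol'] } }
        [pscustomobject]@{
            Time        = $e.TimeCreated.ToString('o')
            DestAddress = $d['DestAddress']
            DestPort    = $d['DestPort']
            Protocol    = $proto
            PID         = $d['ProcessID']
            Application = $d['Application']   # device path of the owning executable
        }
    }
}

# Step 3: poll; each pass only looks at events newer than the previous pass.
$since = Get-Date
Write-Host "Watching for connections to $($Watch -join ', '); Ctrl+C to stop. Log: $LogFile"
while ($true) {
    $now  = Get-Date
    $hits = Get-WatchedConnections -Since $since -Addresses $Watch
    $since = $now
    if ($hits) {
        $hits | Export-Csv -Path $LogFile -Append -NoTypeInformation
        $hits | ForEach-Object {
            Write-Host ("{0} {1}:{2} {3} <- {4} (PID {5})" -f $_.Time, $_.DestAddress, $_.DestPort, $_.Protocol, $_.Application, $_.PID)
        }
    }
    Start-Sleep -Seconds 5
}
```

Because the audit log is written by the kernel's filtering engine rather than by polling the socket table, connections that close within milliseconds still show up with their process, which is exactly what TCPView missed in the earlier post.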
