Author Topic: Malware blocked at DC !?!  (Read 12684 times)

crabby3

  • Supporting Member
  • Joined in 2012
  • Posts: 1,018
Malware blocked at DC !?!
« on: October 24, 2014, 11:52 AM »
WTF... one a couple days ago... one today.  Different IPs but the same ISP and server location.

First time I've seen this here.  Could be a false positive but how can I tell?   :tellme:

SeraphimLabs

  • Participant
  • Joined in 2012
  • Posts: 497
  • Be Ready
Re: Malware blocked at DC !?!
« Reply #1 on: October 24, 2014, 11:55 AM »
Screenshots of the offending malware warning?

I'm willing to bet if you're using malwarebytes that it's a false positive.

Malwarebytes tends to be way too aggressive when blocking small hosting providers, and is known to kill entire IP ranges just because a couple of IPs in that range have gotten a bad reputation.

crabby3

  • Supporting Member
  • Joined in 2012
  • Posts: 1,018
Re: Malware blocked at DC !?!
« Reply #2 on: October 24, 2014, 12:21 PM »
> Screenshots of the offending malware warning?

Screenshots are only good for the IP address.  The ISP and server I got online.

MBAB has been good to me and I believe it's malware.  I just don't understand why I get the warning at DC.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • Posts: 40,896
Re: Malware blocked at DC !?!
« Reply #3 on: October 24, 2014, 12:28 PM »
I'm not clear what you are saying you saw and what it is telling you that you encountered.
Can you be a bit more specific?

crabby3

  • Supporting Member
  • Joined in 2012
  • Posts: 1,018
Re: Malware blocked at DC !?!
« Reply #4 on: October 24, 2014, 12:53 PM »
> I'm not clear what you are saying you saw and what it is telling you that you encountered.
> Can you be a bit more specific?

I got both of these today but the top one has the same IP as the first one I got on Wednesday

2014-10-24 10 06 50=mouser both.png


mouser

  • First Author
  • Administrator
  • Joined in 2005
  • Posts: 40,896
Re: Malware blocked at DC !?!
« Reply #5 on: October 24, 2014, 12:58 PM »
Those are *not* donationcoder IP addresses.

crabby3

  • Supporting Member
  • Joined in 2012
  • Posts: 1,018
Re: Malware blocked at DC !?!
« Reply #6 on: October 24, 2014, 12:59 PM »
> Those are *not* donationcoder IP addresses.

So what does this mean?

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • Posts: 40,896
Re: Malware blocked at DC !?!
« Reply #7 on: October 24, 2014, 01:07 PM »
It means there is no attack or malware hosted on or coming from DonationCoder.
It could mean that you just happened to see these alerts while you happened to be browsing the DonationCoder forum.

--

Another thing to check is if this alert pops up when you view certain posts on the forum -- it's always possible that someone has a photo in their signature or in a post that is linking to another site and that that site is pinging your machine when you load it.

crabby3

  • Supporting Member
  • Joined in 2012
  • Posts: 1,018
Re: Malware blocked at DC !?!
« Reply #8 on: October 24, 2014, 01:26 PM »
> It means there is no attack or malware hosted on or coming from DonationCoder.
> It could mean that you just happened to see these alerts while you happened to be browsing the DonationCoder forum.
>
> --
>
> Another thing to check is if this alert pops up when you view certain posts on the forum -- it's always possible that someone has a photo in their signature or in a post that is linking to another site and that that site is pinging your machine when you load it.

'I'm not clear what you are saying...' you're not hosting if it's a photo or link here?

I will keep track of where I see it and what tabs are open.

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • Posts: 6,646
Re: Malware blocked at DC !?!
« Reply #9 on: October 24, 2014, 03:07 PM »
> 'I'm not clear what you are saying...' you're not hosting if it's a photo or link here?

It's up to the individual user where items are hosted. The IPs from your screenshots are from Amsterdam...DC is hosted in (I believe) Seattle, WA.

KynloStephen66515

  • Animated Giffer in Chief
  • Honorary Member
  • Joined in 2010
  • Posts: 3,741
Re: Malware blocked at DC !?!
« Reply #10 on: October 24, 2014, 06:26 PM »
> > It means there is no attack or malware hosted on or coming from DonationCoder.
> > It could mean that you just happened to see these alerts while you happened to be browsing the DonationCoder forum.
> >
> > --
> >
> > Another thing to check is if this alert pops up when you view certain posts on the forum -- it's always possible that someone has a photo in their signature or in a post that is linking to another site and that that site is pinging your machine when you load it.
>
> 'I'm not clear what you are saying...' you're not hosting if it's a photo or link here?
>
> I will keep track of where I see it and what tabs are open.

Some user avatars are hosted on external servers over which DC has no control (Like mine...it is hosted on Imgur.com and NOT DC).  Linking & Hotlinking are NOT the same as Hosting.

After checking the IP addresses above, I came up with the following:

80.82.78.166 - Takes to a website which just has the text "Oh hi there" - The IP is hosted by the ISP: Ecatel LTD

89.248.168.46 - Resolves to offshore20.tronichost.com - Also hosted by the ISP: Ecatel LTD - However, when checking the website for content, the resolution link takes to a "This website may be for sale" and the IP takes you to an Apache2 Test Page.

Neither of these IPs are connected or affiliated with DonationCoder.com AT ALL.

KynloStephen66515

  • Animated Giffer in Chief
  • Honorary Member
  • Joined in 2010
  • Posts: 3,741
Re: Malware blocked at DC !?!
« Reply #11 on: October 24, 2014, 06:32 PM »
Further to the above, consider these 2 images:


1Rupeem.png


They are both exactly the same image, but have 1 vital difference between the 2.

The top one is Hotlinked from Imgur.com, whereas the second one has been uploaded to, and is now hosted directly by, DonationCoder.com

I did this by doing the following:

[img]http://i.imgur.com/1Rupeem.png[/img]
[ attach=1 ]


Things within the [img][/img] tags are Hotlinked - Meaning that the forum simply pulls the image from the website where it is hosted and shows it here.

Things that are linked with the [attach=#] tag are hosted by DonationCoder.com itself - This is shown by having to use the "Attach" file option when making a post, which uploads the file directly to the DonationCoder.com server in order to show the file here.
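
To make the hotlinked-versus-hosted distinction checkable rather than a matter of reading the post source by eye, here is an added Python example; it is not the forum's own code and is not from any of the posters. It scans a post's BBCode for `[img]...[/img]` and `[attach=N]` tags and reports which image loads come from DonationCoder.com itself and which ones make the reader's browser contact a third-party host, which is the situation mouser describes earlier in the thread (a remote host that "pings your machine" when the post loads). The sample post is constructed for the example: only the imgur URL is taken from the post above; the forum hostname used for comparison and the other two image URLs are assumptions.

```python
import re
from urllib.parse import urlsplit

# The forum's own host, as named in the thread; anything else is a third party.
# Assumed here for the example.
FORUM_HOST = "donationcoder.com"

# Constructed sample post using the two markup forms shown above. The imgur URL
# is the one from the post; the other two image URLs are made up for the example.
SAMPLE_POST = """\
Further to the above, consider these 2 images:
[img]http://i.imgur.com/1Rupeem.png[/img]
[ attach=1 ]
[img]https://example.invalid/signature.gif[/img]
[img]http://www.donationcoder.com/forum/local-copy.png[/img]
"""

IMG_RE = re.compile(r"\[img\](.+?)\[/img\]", re.IGNORECASE | re.DOTALL)
ATTACH_RE = re.compile(r"\[\s*attach=(\d+)\s*\]", re.IGNORECASE)


def is_forum_host(host, forum_host=FORUM_HOST):
    """True when host is the forum itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == forum_host or host.endswith("." + forum_host)


def image_sources(post, forum_host=FORUM_HOST):
    """List every image the post would load as (kind, reference), in document order.

    kind is "hosted" for attachments and forum-served URLs, "hotlinked" for
    anything the reader's browser must fetch from a third-party host.
    """
    found = []
    for m in IMG_RE.finditer(post):
        url = m.group(1).strip()
        host = urlsplit(url).hostname or ""
        kind = "hosted" if is_forum_host(host, forum_host) else "hotlinked"
        found.append((m.start(), kind, url))
    for m in ATTACH_RE.finditer(post):
        # Attachments were uploaded through the forum, so they are served by it.
        found.append((m.start(), "hosted", f"attachment #{m.group(1)}"))
    found.sort()
    return [(kind, ref) for _, kind, ref in found]


def external_hosts(post, forum_host=FORUM_HOST):
    """Third-party hosts contacted when the post renders; each one sees the reader's IP."""
    hosts = set()
    for kind, ref in image_sources(post, forum_host):
        if kind == "hotlinked":
            host = urlsplit(ref).hostname
            if host:
                hosts.add(host.lower())
    return sorted(hosts)


if __name__ == "__main__":
    for kind, ref in image_sources(SAMPLE_POST):
        print(f"{kind:9} {ref}")
    print("external hosts:", ", ".join(external_hosts(SAMPLE_POST)) or "none")
```

Run against a suspect post or signature, the `external_hosts` list is the set of addresses to compare with whatever a security product reported; if the reported address is not among them, the alert was not caused by that post's images.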


crabby3

  • Supporting Member
  • Joined in 2012
  • Posts: 1,018
Re: Malware blocked at DC !?!
« Reply #12 on: October 25, 2014, 08:42 AM »
> > 'I'm not clear what you are saying...' you're not hosting if it's a photo or link here?
>
> It's up to the individual user where items are hosted. The IPs from your screenshots are from Amsterdam...DC is hosted in (I believe) Seattle, WA.

I'm still learning computer terms and what they stand for.  :-\  The terms are often different from one *geek* site to the next.
Like bad driving directions,  ...follow this road and take your first left...,  but the road ends in a cul-de-sac.  It's confusing.

Amsterdam is more precise... thank you.  My link just said Netherlands.

-------

FWIW  If I was surfing, found DC, opened a topic and malware was blocked... I wouldn't return or recommend.  Which would be bad.
I've learned a lot here and also picked up some really cool freebies.   8)

SeraphimLabs

  • Participant
  • Joined in 2012
  • Posts: 497
  • Be Ready
Re: Malware blocked at DC !?!
« Reply #13 on: October 25, 2014, 09:10 AM »
Note: the screenshots show that the attacks were directed at port 1900, which is in fact the port used by UPnP.

It is completely possible that this is in fact unrelated to having been browsing DC, and is just a coincidence that the messages popped up with DC open.

That's why I had asked for screenshots of the message first thing. It just makes it so much easier to figure out where it came from when you have the exact message in hand.

What I would suggest is checking your router settings and making sure upnp is disabled. A lot of routers have it enabled by default because it was supposed to offer a convenient new feature to let your firewall adjust itself on the fly, but in practice it proved positively dangerous to use. Malwarebytes would know this, and block inbound upnp requests, but it begs the question of how did those requests get to your computer in the first place.
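
The two points made in this reply, that port 1900 is UPnP's discovery port and that an inbound hit on it while a forum tab is open can be pure coincidence, together with the original question of how to tell a coincidence from something the site caused, can be turned into a repeatable check. The following Python is an added example, not code from the thread and not Malwarebytes' own format or logic: it parses alert lines written in a constructed `key=value` layout (the real product's wording differs), names port 1900 as SSDP/UPnP, checks whether the peer address is a public one, and compares it with the addresses the visited site resolves to. The addresses 80.82.78.166 and 89.248.168.46 are the ones quoted in the thread; the site address 192.0.2.10 is a TEST-NET placeholder to be replaced with real `nslookup` output, and the port table is an assumption.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Ports worth naming when an alert comes in; 1900 is SSDP, the discovery
# protocol UPnP runs over. The table itself is an assumption for this example.
PORT_NAMES = {1900: "SSDP/UPnP discovery", 139: "NetBIOS session", 445: "SMB"}

# Constructed alert lines in a made-up key=value layout; the real product's
# wording differs. The two public addresses are the ones quoted in the thread.
SAMPLE_ALERTS = """\
2014-10-22 10:03:11 type=inbound ip=80.82.78.166 port=1900 process=svchost.exe
2014-10-24 10:06:50 type=inbound ip=80.82.78.166 port=1900 process=svchost.exe
2014-10-24 10:07:02 type=inbound ip=89.248.168.46 port=1900 process=svchost.exe
2014-10-24 10:09:40 type=outbound ip=192.0.2.10 port=80 process=iexplore.exe
"""

# Placeholder (a TEST-NET address): what the forum's hostname resolves to.
# Fill this from nslookup/dig output for the site that was open at the time.
SITE_ADDRESSES = {"192.0.2.10"}

ALERT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) type=(?P<dir>inbound|outbound) ip=(?P<ip>\S+) "
    r"port=(?P<port>\d+) process=(?P<proc>\S+)$"
)


@dataclass
class Alert:
    ts: str
    direction: str
    ip: str
    port: int
    process: str


def parse_alerts(text):
    """Turn raw alert lines into Alert records, skipping anything malformed."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(Alert(m["ts"], m["dir"], m["ip"], int(m["port"]), m["proc"]))
    return alerts


def classify(alert, site_addresses=SITE_ADDRESSES):
    """Label an alert by how it relates to the site that was open at the time."""
    addr = ipaddress.ip_address(alert.ip)
    if alert.ip in site_addresses:
        return "site-related"            # the blocked peer is the site itself
    if not addr.is_global:
        return "non-public"              # own LAN, loopback or a reserved range
    if alert.direction == "inbound":
        return "unsolicited-inbound"     # no web page asks a stranger to connect *in*
    return "outbound-third-party"        # the page pulled content from another host


def describe(alert, site_addresses=SITE_ADDRESSES):
    """One readable line per alert, naming the service behind the port."""
    service = PORT_NAMES.get(alert.port, f"port {alert.port}")
    verdict = classify(alert, site_addresses)
    return f"{alert.ts} {alert.direction} {alert.ip} ({service}): {verdict}"


def summarize(alerts):
    """Count alerts per peer address so a repeat across days stands out."""
    return dict(Counter(a.ip for a in alerts))


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in parsed:
        print(describe(a))
    print(summarize(parsed))
```

An unsolicited inbound hit on 1900 from a public address that the site does not resolve to is exactly the coincidence this reply describes, and the same address repeating on different days points at background scanning rather than at the page; an alert on one of the site's own addresses, or an outbound block attributed to the browser process, would instead point at page content such as a hotlinked image.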

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • Posts: 40,896
Re: Malware blocked at DC !?!
« Reply #14 on: October 25, 2014, 09:45 AM »
> FWIW  If I was surfing, found DC, opened a topic and malware was blocked... I wouldn't return or recommend.  Which would be bad.

Agreed -- if you find any sign that there was a remotely linked image in a post or signature on the forum that was in any way connected with a remote non-dc server trying to connect with your computer, we would take swift action to fix that.
But what Seraphim points out is that it may have just been a coincidence that you got the alert while browsing the forum.

crabby3

  • Supporting Member
  • Joined in 2012
  • Posts: 1,018
Re: Malware blocked at DC !?!
« Reply #15 on: October 25, 2014, 09:49 AM »
> > > It means there is no attack or malware hosted on or coming from DonationCoder.
> > > It could mean that you just happened to see these alerts while you happened to be browsing the DonationCoder forum.
> > >
> > > --
> > >
> > > Another thing to check is if this alert pops up when you view certain posts on the forum -- it's always possible that someone has a photo in their signature or in a post that is linking to another site and that that site is pinging your machine when you load it.
> >
> > 'I'm not clear what you are saying...' you're not hosting if it's a photo or link here?
> >
> > I will keep track of where I see it and what tabs are open.
>
> Some user avatars are hosted on external servers over which DC has no control (Like mine...it is hosted on Imgur.com and NOT DC).  Linking & Hotlinking are NOT the same as Hosting.
>
> After checking the IP addresses above, I came up with the following:
>
> 80.82.78.166 - Takes to a website which just has the text "Oh hi there" - The IP is hosted by the ISP: Ecatel LTD
>
> 89.248.168.46 - Resolves to offshore20.tronichost.com - Also hosted by the ISP: Ecatel LTD - However, when checking the website for content, the resolution link takes to a "This website may be for sale" and the IP takes you to an Apache2 Test Page.
>
> Neither of these IPs are connected or affiliated with DonationCoder.com AT ALL.

Thank you for your very clear explanation.  It was my understanding that hosting meant providing links.

> Some user avatars are hosted on external servers over which DC has no control (Like mine...it is hosted on Imgur.com and NOT DC).

So if the Imgur servers go down... your Batsman disappears?  Bummer.  But I understand what you're saying.

> Neither of these IPs are connected or affiliated with DonationCoder.com AT ALL.

I didn't think these IPs were affiliated with DC.  More like a member trying to disrupt things and make it unfriendly here.

----------

This past Wednesday was the first time MBAM blocked anything here.  What changed? What's different? The only thing I could think of was DC membership.

crabby3

  • Supporting Member
  • Joined in 2012
  • Posts: 1,018
Re: Malware blocked at DC !?!
« Reply #16 on: October 25, 2014, 10:43 AM »
> Note: the screenshots show that the attacks were directed at port 1900, which is in fact the port used by UPnP.
>
> It is completely possible that this is in fact unrelated to having been browsing DC, and is just a coincidence that the messages popped up with DC open.
>
> That's why I had asked for screenshots of the message first thing. It just makes it so much easier to figure out where it came from when you have the exact message in hand.
>
> What I would suggest is checking your router settings and making sure upnp is disabled. A lot of routers have it enabled by default because it was supposed to offer a convenient new feature to let your firewall adjust itself on the fly, but in practice it proved positively dangerous to use. Malwarebytes would know this, and block inbound upnp requests, but it begs the question of how did those requests get to your computer in the first place.

Hopefully it was a coincidence.

I don't use a router.  Maybe an IE-9 Internet option?

> ...but it begs the question of how did those requests get to your computer in the first place.

I know I'm infected with something.  There are Internet Options that cannot be changed.  I have file folders that are not visible.

I had the FBI scam infection a while back.  MBAB's Chameleon killed the process and gave me internet access again but I haven't addressed any damage.

I ran unhide yesterday but found no changes.

KynloStephen66515

  • Animated Giffer in Chief
  • Honorary Member
  • Joined in 2010
  • Posts: 3,741
Re: Malware blocked at DC !?!
« Reply #17 on: October 25, 2014, 03:24 PM »
> > > > It means there is no attack or malware hosted on or coming from DonationCoder.
> > > > It could mean that you just happened to see these alerts while you happened to be browsing the DonationCoder forum.
> > > >
> > > > --
> > > >
> > > > Another thing to check is if this alert pops up when you view certain posts on the forum -- it's always possible that someone has a photo in their signature or in a post that is linking to another site and that that site is pinging your machine when you load it.
> > >
> > > 'I'm not clear what you are saying...' you're not hosting if it's a photo or link here?
> > >
> > > I will keep track of where I see it and what tabs are open.
> >
> > Some user avatars are hosted on external servers over which DC has no control (Like mine...it is hosted on Imgur.com and NOT DC).  Linking & Hotlinking are NOT the same as Hosting.
> >
> > After checking the IP addresses above, I came up with the following:
> >
> > 80.82.78.166 - Takes to a website which just has the text "Oh hi there" - The IP is hosted by the ISP: Ecatel LTD
> >
> > 89.248.168.46 - Resolves to offshore20.tronichost.com - Also hosted by the ISP: Ecatel LTD - However, when checking the website for content, the resolution link takes to a "This website may be for sale" and the IP takes you to an Apache2 Test Page.
> >
> > Neither of these IPs are connected or affiliated with DonationCoder.com AT ALL.
>
> Thank you for your very clear explanation.  It was my understanding that hosting meant providing links.
>
> > Some user avatars are hosted on external servers over which DC has no control (Like mine...it is hosted on Imgur.com and NOT DC).
>
> So if the Imgur servers go down... your Batsman disappears?  Bummer.  But I understand what you're saying.
>
> > Neither of these IPs are connected or affiliated with DonationCoder.com AT ALL.
>
> I didn't think these IPs were affiliated with DC.  More like a member trying to disrupt things and make it unfriendly here.
>
> ----------
>
> This past Wednesday was the first time MBAM blocked anything here.  What changed? What's different? The only thing I could think of was DC membership.

No problemo :)

MilesAhead

  • Supporting Member
  • Joined in 2009
  • Posts: 7,736
Re: Malware blocked at DC !?!
« Reply #18 on: October 25, 2014, 05:53 PM »
> I did this by doing the following:
>
> [ attach=1 ]

I was looking for something like this.  Just pasting the image would be cool.  But this is close.  :)

KynloStephen66515

  • Animated Giffer in Chief
  • Honorary Member
  • Joined in 2010
  • Posts: 3,741
Re: Malware blocked at DC !?!
« Reply #19 on: October 25, 2014, 05:56 PM »
> > I did this by doing the following:
> >
> > [ attach=1 ]
>
> I was looking for something like this.  Just pasting the image would be cool.  But this is close.  :)

Huh?  :huh:

SeraphimLabs

  • Participant
  • Joined in 2012
  • Posts: 497
  • Be Ready
Re: Malware blocked at DC !?!
« Reply #20 on: October 25, 2014, 06:26 PM »

> Hopefully it was a coincidence.
>
> I don't use a router.  Maybe an IE-9 Internet option?
>
> > ...but it begs the question of how did those requests get to your computer in the first place.
>
> I know I'm infected with something.  There are Internet Options that cannot be changed.  I have file folders that are not visible.
>
> I had the FBI scam infection a while back.  MBAB's Chameleon killed the process and gave me internet access again but I haven't addressed any damage.
>
> I ran unhide yesterday but found no changes.

I have to ask.

Why would you not use a router if at all possible? They usually include a decent firewall capability to protect your machine from exploits floating around the public network, including inbound UPNP exploits that would trigger malwarebytes like so.

It's just one extra level of protection, allowing you to keep your stuff on a clean network while still being able to access the rest of the world from behind the safety of that firewall only allowing stuff in that you've asked for.

Running without a router, anyone could port scan your system directly or try to exploit it along with everyone else on your ISP by using attacks that work over range broadcasts.


Also no. Internet Explorer has no ability whatsoever to filter your internet connection, other than by relying on sites that Microsoft has programmed it to blacklist.

You need at minimum a decent third party firewall software or a good router to protect your system. The default Windows Firewall is usually wide open by default with several key ports open that cannot be closed including the often abused port 139.
« Last Edit: October 25, 2014, 06:32 PM by SeraphimLabs »

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • Posts: 5,884
Re: Malware blocked at DC !?!
« Reply #21 on: October 25, 2014, 07:10 PM »
> You need at minimum a decent third party firewall software

Keep in mind that most firewall apps pop up alerts like crazy, accusing the entire internet of trying to attack you, and letting you know that they protected you from all those "attacks".  They want to make you paranoid enough to pay and keep using their product. And even the reputable firewall apps do this. :mad:

You will want to find that setting that turns just those tin foil alerts off, first thing. Otherwise, the coincidence of the popups coinciding with your PC activities may make you wrongly believe some very innocent people are up to no good.

crabby3

  • Supporting Member
  • Joined in 2012
  • Posts: 1,018
Re: Malware blocked at DC !?!
« Reply #22 on: October 26, 2014, 06:44 AM »

> > Hopefully it was a coincidence.
> >
> > I don't use a router.  Maybe an IE-9 Internet option?
> >
> > > ...but it begs the question of how did those requests get to your computer in the first place.
> >
> > I know I'm infected with something.  There are Internet Options that cannot be changed.  I have file folders that are not visible.
> >
> > I had the FBI scam infection a while back.  MBAB's Chameleon killed the process and gave me internet access again but I haven't addressed any damage.
> >
> > I ran unhide yesterday but found no changes.
>
> I have to ask.
>
> Why would you not use a router if at all possible? They usually include a decent firewall capability to protect your machine from exploits floating around the public network, including inbound UPNP exploits that would trigger malwarebytes like so.
>
> It's just one extra level of protection, allowing you to keep your stuff on a clean network while still being able to access the rest of the world from behind the safety of that firewall only allowing stuff in that you've asked for.
>
> (Edit)
>
> Also no. Internet Explorer has no ability whatsoever to filter your internet connection, other than by relying on sites that Microsoft has programmed it to blacklist.
>
> You need at minimum a decent third party firewall software or a good router to protect your system. The default Windows Firewall is usually wide open by default with several key ports open that cannot be closed including the often abused port 139.

One word:  Procrastination.  I have a router but it's still in the box and so on...   :-\

I do have Kaspersky Pure 3.0 and its firewall.

I found these yesterday and unchecked 'em

2014-windows firewall.png


I ran Rkill yesterday as well and it terminated 4 processes

2014-Rkill.png


The MBAM alerts were every other day, Wednesday then Friday then..., see what happens today.   :)

-----------------

BTW  Thanks for your thorough description, your 3rd paragraph of how to exploit other people's computers, for any hackers out there.   :down:

You had already made your point.  ...overkill.
« Last Edit: October 26, 2014, 06:51 AM by crabby3, Reason: too much info »

MilesAhead

  • Supporting Member
  • Joined in 2009
  • Posts: 7,736
Re: Malware blocked at DC !?!
« Reply #23 on: October 26, 2014, 07:02 AM »
> > > I did this by doing the following:
> > >
> > > [ attach=1 ]
> >
> > I was looking for something like this.  Just pasting the image would be cool.  But this is close.  :)
>
> Huh?  :huh:

Some sites allow you to paste images directly into the form editor thing.  I asked Mouser if he could add that.  But this is close enough.  Albeit tangential.  :)

Edit:  At first I did a simple quote of the post I followed but that pasted in the graphic again.  That's why I only put the "attach=1" line for reference.

« Last Edit: October 26, 2014, 04:40 PM by MilesAhead »