Kitz Forum

Broadband Related => Router Monitoring Software => Topic started by: AArdvark on September 10, 2015, 03:48:51 AM

Title: Strange messages from DSLStats/MalwareBytes ???
Post by: AArdvark on September 10, 2015, 03:48:51 AM
Roseway,

I have just been clicking the 'Get IP Address' Button in DSLStats 5.6.1 and got repeated messages from Malwarebytes.
(Ignore the directory name, I had copied over the latest version of DSLStats to a directory previously used. Saved having to change the autostart in Windows. )
Even more interesting is that the messages stopped of their own accord.

Attached are a screencap of the message and the Event log.

Error message from Malwarebytes:
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fi1072.photobucket.com%2Falbums%2Fw364%2FGrapheneMan%2Fdslstats-MWB_zpszkxuaxvk.png&hash=657dfaf11e5b334685ec1805cb48c34e1c2fc31e)

Event Log:
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fi1072.photobucket.com%2Falbums%2Fw364%2FGrapheneMan%2Fdslstats-MWB-2_zpscnmd556g.png&hash=91caf577f4074f6b3e423b33c4e429de692cd282)

The Event log shows that when Malwarebytes gave the error message the IP address could not be found.
Then suddenly the Address was found and Malwarebytes did not give an Error.

Nothing was changed other than I continued to click the 'Get IP Address' Button.
Very Strange.
No malware is detected after scanning with Malwarebytes, Avast, Spybot-SD and the built in MS software.
I don't believe it is malware but cannot explain it.
Title: Re: Strange messages from DSLStats/MalwareBytes ???
Post by: AArdvark on September 10, 2015, 04:34:30 AM
Just Done it again.
Error message from Malwarebytes, repeat pressing the 'Get IP Button' and it works and Malwarebytes is happy!

 ??? ???
Title: Re: Strange messages from DSLStats/MalwareBytes ???
Post by: roseway on September 10, 2015, 07:15:19 AM
It's certainly not malware, although there have been one or two instances of false positives recently. DSLstats gets your IP address by calling a small CGI script on my website, which is common practice for getting the IP address, and perfectly benign. If you're interested you can call this script yourself by entering this into your browser: http://www.s446074245.websitehome.co.uk/cgi-bin/ipaddress.py

This is the script:

Code:
#!/usr/bin/python

import os

print "Content-type: text/html\r\n\r\n";
print "IP address<br>";
print os.environ["REMOTE_ADDR"];

I'm afraid I have no idea why Malwarebytes is behaving like this, but it looks as though the malware detection process is the cause of the problem, unless you have some sort of intermittent issue with your internet connection.
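As an added example (not roseway's script and not DSLstats code), here is a Python 3 rendering of the same echo-the-caller's-address responder, paired with the defensive parse a client such as DSLstats should apply to the reply. The point it demonstrates is the failure mode seen in the event log above: when a web filter intercepts the request, the client gets a block page or nothing at all, and that must be reported as "address not found" rather than mistaken for an address. The function names and the sample inputs are assumptions made for this example.

```python
"""Added example: Python 3 version of the echo-my-IP CGI responder shown
above, plus the client-side validation of its reply. Not roseway's script
and not DSLstats code; make_ip_response / parse_ip_response are names
chosen for this example."""
import ipaddress
import os
import sys


def make_ip_response(environ):
    """Build the full CGI response (headers + body) for one request.

    Mirrors the original script: a text/html header block, a label line and
    the caller's address as the server saw it (REMOTE_ADDR). The value is
    validated before being echoed, so a malformed environment value is
    never reflected into the page.
    """
    raw = environ.get("REMOTE_ADDR", "")
    try:
        addr = str(ipaddress.ip_address(raw))
    except ValueError:
        addr = "unknown"
    return "Content-type: text/html\r\n\r\nIP address<br>" + addr + "\n"


def parse_ip_response(body):
    """Return the address carried in a reply body, or None.

    A blocked or intercepted request comes back as a block page, an HTML
    error page or an empty reply; none of those parse as an IP address, so
    the caller sees None and can report "not found" instead of using junk.
    The last non-empty line is taken, after any trailing <br>, which also
    accepts the original script's layout (address on its own line).
    """
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if not lines:
        return None
    candidate = lines[-1].split("<br>")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


if __name__ == "__main__":
    # Run as a CGI script: the web server supplies REMOTE_ADDR in the env.
    sys.stdout.write(make_ip_response(os.environ))
```

The strict parse is the part worth copying: a client that treats any 200 response as "my IP" will happily store a filter's block page, whereas one that insists on a valid IPv4/IPv6 literal turns an intercepted request into a clear, loggable failure.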
Title: Re: Strange messages from DSLStats/MalwareBytes ???
Post by: tbailey2 on September 10, 2015, 07:57:47 AM
Um. It started happening to me about 30 mins ago..... I don't have the site open in the browser though. Still at it now once a second....

Note different IP address.

Edit:

Just ran up the link and note this is being picked up from the MDWS web server on the LAN which is running DSLstats, not this terminal. Seems you can exclude it from being detected though - and has now stopped after adding Eric's IP address.
Title: Re: Strange messages from DSLStats/MalwareBytes ???
Post by: AArdvark on September 10, 2015, 08:31:54 AM
It looks like some recent change in Malwarebytes.

I did not want to add the address to the exclusion list as it is an internal loopback address which may be misused by something else ???
Not sure how but I cannot assume anything.  ;D

Very odd, I wonder what malwarebytes have changed & why.
Title: Re: Strange messages from DSLStats/MalwareBytes ???
Post by: renluop on September 10, 2015, 10:39:30 AM
Just in case it might add something, I got same message, when I started comp up this morning.

Here is today's protection log
Code:
Malwarebytes Anti-Malware
www.malwarebytes.org


Protection, 10/09/2015 08:00, SYSTEM, YOURS TRULY-PC, Protection, Malware Protection, Starting,
Protection, 10/09/2015 08:00, SYSTEM, YOURS TRULY-PC, Protection, Malware Protection, Started,
Protection, 10/09/2015 08:00, SYSTEM, YOURS TRULY-PC, Protection, Malicious Website Protection, Starting,
Protection, 10/09/2015 08:01, SYSTEM, YOURS TRULY-PC, Protection, Malicious Website Protection, Started,
Detection, 10/09/2015 08:49, SYSTEM, YOURS TRULY-PC, Protection, Malicious Website Protection, Domain, 82.165.160.62, www.s446074245.websitehome.co.uk, 49299, Outbound, C:\Users\YOURS TRULY\AppData\Local\dslstats\dslstats32W-5.6\dslstats32W-5.6\dslstats.exe,
Detection, 10/09/2015 08:49, SYSTEM, YOURS TRULY-PC, Protection, Malicious Website Protection, Domain, 82.165.160.62, www.s446074245.websitehome.co.uk, 49299, Outbound, C:\Users\YOURS TRULY\AppData\Local\dslstats\dslstats32W-5.6\dslstats32W-5.6\dslstats.exe,
Update, 10/09/2015 09:23, SYSTEM, YOURS TRULY-PC, Scheduler, AKA IP Database, 2015.9.7.1, 2015.9.10.1,
Update, 10/09/2015 09:23, SYSTEM, YOURS TRULY-PC, Scheduler, Domain Database, 2015.9.9.4, 2015.9.10.4,
Update, 10/09/2015 09:23, SYSTEM, YOURS TRULY-PC, Scheduler, AKA Domain Database, 2015.9.9.2, 2015.9.10.3,
Update, 10/09/2015 09:24, SYSTEM, YOURS TRULY-PC, Scheduler, Malware Database, 2015.9.9.6, 2015.9.10.4,
Protection, 10/09/2015 09:24, SYSTEM, YOURS TRULY-PC, Protection, Refresh, Starting,
Protection, 10/09/2015 09:24, SYSTEM, YOURS TRULY-PC, Protection, Malicious Website Protection, Stopping,
Protection, 10/09/2015 09:24, SYSTEM, YOURS TRULY-PC, Protection, Malicious Website Protection, Stopped,
Protection, 10/09/2015 09:25, SYSTEM, YOURS TRULY-PC, Protection, Refresh, Success,
Protection, 10/09/2015 09:25, SYSTEM, YOURS TRULY-PC, Protection, Malicious Website Protection, Starting,
Protection, 10/09/2015 09:25, SYSTEM, YOURS TRULY-PC, Protection, Malicious Website Protection, Started,
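To make a log like the one above easier to read at a glance, here is an added example (written for this thread, not Malwarebytes' own tooling) that parses the comma-separated protection-log format, groups the outbound website-protection detections by process and destination, and lists which signature databases were updated after the last detection. SAMPLE_LOG reproduces a subset of renluop's lines; the field layout is inferred from those lines and is an assumption, not a documented format.

```python
"""Added example, not from the thread's posters or from Malwarebytes: a small
parser for the Malwarebytes Anti-Malware protection log shown above. The
column layout (kind, time, user, host, component, module, ...) is inferred
from the posted lines and is an assumption."""
from collections import defaultdict
from datetime import datetime

# Subset of the lines from the post above (paths escaped for Python).
SAMPLE_LOG = """\
Malwarebytes Anti-Malware
www.malwarebytes.org

Protection, 10/09/2015 08:00, SYSTEM, YOURS TRULY-PC, Protection, Malware Protection, Started,
Detection, 10/09/2015 08:49, SYSTEM, YOURS TRULY-PC, Protection, Malicious Website Protection, Domain, 82.165.160.62, www.s446074245.websitehome.co.uk, 49299, Outbound, C:\\Users\\YOURS TRULY\\AppData\\Local\\dslstats\\dslstats32W-5.6\\dslstats32W-5.6\\dslstats.exe,
Detection, 10/09/2015 08:49, SYSTEM, YOURS TRULY-PC, Protection, Malicious Website Protection, Domain, 82.165.160.62, www.s446074245.websitehome.co.uk, 49299, Outbound, C:\\Users\\YOURS TRULY\\AppData\\Local\\dslstats\\dslstats32W-5.6\\dslstats32W-5.6\\dslstats.exe,
Update, 10/09/2015 09:23, SYSTEM, YOURS TRULY-PC, Scheduler, Domain Database, 2015.9.9.4, 2015.9.10.4,
Update, 10/09/2015 09:24, SYSTEM, YOURS TRULY-PC, Scheduler, Malware Database, 2015.9.9.6, 2015.9.10.4,
"""

TIME_FMT = "%d/%m/%Y %H:%M"  # day-first, as the posted log is written


def parse_log(text):
    """Return one dict per record; banner lines and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if fields and fields[-1] == "":
            fields.pop()  # every record ends with a trailing comma
        if len(fields) < 6 or fields[0] not in ("Protection", "Detection", "Update"):
            continue
        rec = {
            "kind": fields[0],
            "time": datetime.strptime(fields[1], TIME_FMT),
            "user": fields[2],
            "host": fields[3],
            "component": fields[4],
            "module": fields[5],
        }
        if rec["kind"] == "Detection" and len(fields) >= 12:
            rec.update(category=fields[6], ip=fields[7], domain=fields[8],
                       port=int(fields[9]), direction=fields[10],
                       process=fields[11])
        elif rec["kind"] == "Update" and len(fields) >= 8:
            rec.update(database=fields[5], old_version=fields[6],
                       new_version=fields[7])
        records.append(rec)
    return records


def summarize_detections(records):
    """Group detections by (process, domain, ip, direction) with count and span.

    Many hits from one process to one destination over a short time are the
    signature of a persistent block, which here turned out to be a false
    positive on a benign IP-echo script.
    """
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for rec in records:
        if rec["kind"] != "Detection" or "process" not in rec:
            continue
        key = (rec["process"], rec["domain"], rec["ip"], rec["direction"])
        g = groups[key]
        g["count"] += 1
        g["first"] = rec["time"] if g["first"] is None else min(g["first"], rec["time"])
        g["last"] = rec["time"] if g["last"] is None else max(g["last"], rec["time"])
    return dict(groups)


def updates_after_last_detection(records):
    """Names of databases updated after the final detection in the log.

    When a false positive disappears after a definitions update, the log
    shows the detections ending and a Domain Database update following.
    """
    times = [r["time"] for r in records if r["kind"] == "Detection"]
    if not times:
        return []
    last = max(times)
    return [r["database"] for r in records
            if r["kind"] == "Update" and r["time"] > last]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, g in summarize_detections(recs).items():
        print(g["count"], "x", key[0].rsplit("\\", 1)[-1], "->", key[1], key[2])
    print("updated after last detection:", updates_after_last_detection(recs))
```

Run against a full day's log, the summary separates "one process hammering one host" (worth a look at the host's reputation and at what the process actually sends) from scattered single hits, and the update list tells you whether a later definitions refresh is the likely reason the alerts stopped, which is what happened later in this thread.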
Title: Re: Strange messages from DSLStats/MalwareBytes ???
Post by: tbailey2 on September 10, 2015, 11:02:11 AM
I've just had to unblock it on two more terminals...

And would hazard a guess that the block is for the base website - www.websitehome.uk (http://www.websitehome.uk)


There is an existing malware alert (http://labs.sucuri.net/?details=s386667732.websitehome.co.uk) for one of its sub-domains:

[deleted reference with URL]

It's also of note that since I started composing this message and pasted in the security info, it's started alerting me for that sub-domain!

If that causes problems when anyone reads this I'll delete that info  :'( which I have now done

Title: Re: Strange messages from DSLStats/MalwareBytes ???
Post by: roseway on September 10, 2015, 11:35:46 AM
I don't understand this. The address s386667732.websitehome.co.uk isn't mine, and access to it is forbidden. My website is s446074245.websitehome.co.uk and it's working normally. If the base address websitehome.co.uk has been blacklisted, then that covers all 1&1 hosted sites.
Title: Re: Strange messages from DSLStats/MalwareBytes ???
Post by: tbailey2 on September 10, 2015, 11:39:36 AM
Quote
I don't understand this. The address s386667732.websitehome.co.uk isn't mine, and access to it is forbidden. My website is s446074245.websitehome.co.uk and it's working normally. If the base address websitehome.co.uk has been blacklisted, then that covers all 1&1 hosted sites.

Um. To stop the MBAM messages for that site, I had to restart the machine.... Just closing the tab and shutting down the browser had no effect.

All has been well until I opened this thread and it's off again  >:D

I'll delete that paste to see if that stops it.

Edit:

Nope it didn't. But deleting the last 4 hours browsing history has stopped it  - hopefully
Title: Re: Strange messages from DSLStats/MalwareBytes ???
Post by: AArdvark on September 10, 2015, 11:55:32 AM
Quote
I don't understand this. The address s386667732.websitehome.co.uk isn't mine, and access to it is forbidden. My website is s446074245.websitehome.co.uk and it's working normally. If the base address websitehome.co.uk has been blacklisted, then that covers all 1&1 hosted sites.
Sometimes blocks of addresses get flagged but usually NOT all the addresses that belong to a company.
I am sure 1&1 will not be happy about this either.

Maybe it is worth giving them a call to see what they know.
Looks like a classic 'flagging' error where something has not been checked properly before the 'address/address range' is included in an AV package.

BTW:
As of 04/09/2015 Bitdefender is listing your site as 'Malware Site'
They need a poke with a sharp stick.
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fi1072.photobucket.com%2Falbums%2Fw364%2FGrapheneMan%2Fbitdefender_zpsgduisnwc.png&hash=418369d55ac25803b2e0dfa3dcfcad9fdb2bea8d)
 
Title: Re: Strange messages from DSLStats/MalwareBytes ???
Post by: AArdvark on September 10, 2015, 12:12:00 PM
Stupid Question:

Are all the people reporting this on Plusnet ?

Plusnet are reporting problems connecting to the Internet.

Quote
Service: Other
Posted: Thu, Sep 10 2015 at 09:27:02
Subject: Website and connectivity issues

Our website and internal systems are currently experiencing issues.

In addition, some customers may have trouble connecting to the internet.

If you find you are affected by this please reboot your router in the first instance.

Our engineers are investigating alongside our suppliers, and once we have more information, we'll provide a further update.

Apologies for the inconvenience caused.

I have found for the last 2 days that if I reboot the modem it can NOT reconnect as in it will not establish a PPP connection after DSL stabilises.
I have had to reboot multiple times to get a proper connection & PPP session. ???
Title: Re: Strange messages from DSLStats/MalwareBytes ???
Post by: roseway on September 10, 2015, 12:42:50 PM
I don't know whether this has any relevance:

Quote
Dear Sir or Madam,

we would like to inform you about a recently discovered security
vulnerability in the content management system Joomla!.  This vulnerability
may enable attackers to upload files to web servers.

All versions up to 2.5.13 as well as 3.1.4 and earlier 3.x versions are
affected. If you are currently using an older version of Joomla! for
managing your homepage, we strongly advise you to upgrade to the safe
versions 2.5.14 or 3.1.5 immediately.
These versions can be found at http://www.joomla.org/download.html

If you have installed Joomla! using 1&1’s Click & Build service, we will
perform the update for you.

Additional information is available at
http://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads

Sincerely,
Customer Care
1&1 Internet, Ltd.
Title: Re: Strange messages from DSLStats/MalwareBytes ???
Post by: AArdvark on September 10, 2015, 01:26:08 PM
Quote
I don't understand this. The address s386667732.websitehome.co.uk isn't mine, and access to it is forbidden. My website is s446074245.websitehome.co.uk and it's working normally. If the base address websitehome.co.uk has been blacklisted, then that covers all 1&1 hosted sites.

Um. To stop the MBAM messages for that site, I had to restart the machine.... Just closing the tab and shutting down the browser had no effect.

All has been well until I opened this thread and it's off again  >:D

I'll delete that paste to see if that stops it.

Edit:

Nope it didn't. But deleting the last 4 hours browsing history has stopped it  - hopefully
I stopped the message by putting in an exclusion for the web site address (as below):


(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fi1072.photobucket.com%2Falbums%2Fw364%2FGrapheneMan%2Fweb_exclusion_zpsdllnvfdy.png&hash=12b9c0057e88afad4adaee899a1d3ff42cb6ed64)
Title: Re: Strange messages from DSLStats/MalwareBytes ???
Post by: tbailey2 on September 10, 2015, 02:44:33 PM
Quote
I don't understand this. The address s386667732.websitehome.co.uk isn't mine, and access to it is forbidden. My website is s446074245.websitehome.co.uk and it's working normally. If the base address websitehome.co.uk has been blacklisted, then that covers all 1&1 hosted sites.

Um. To stop the MBAM messages for that site, I had to restart the machine.... Just closing the tab and shutting down the browser had no effect.

All has been well until I opened this thread and it's off again  >:D

I'll delete that paste to see if that stops it.

Edit:

Nope it didn't. But deleting the last 4 hours browsing history has stopped it  - hopefully
I stopped the message by putting in an exclusion for the web site address (as below):


(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fi1072.photobucket.com%2Falbums%2Fw364%2FGrapheneMan%2Fweb_exclusion_zpsdllnvfdy.png&hash=12b9c0057e88afad4adaee899a1d3ff42cb6ed64)

Yes and so did I  :)   But that isn't the address I was having trouble with, it was 87.106.171.17  as per the screen grab....
Title: Re: Strange messages from DSLStats/MalwareBytes ???
Post by: Chrysalis on September 10, 2015, 04:47:05 PM
sadly some security vendors will block an entire tld when a sub domain is marked as rogue, causing problems such as this.
Title: Re: Strange messages from DSLStats/MalwareBytes ???
Post by: AArdvark on September 10, 2015, 05:30:28 PM
Quote
Yes and so did I  :)   But that isn't the address I was having trouble with, it was 87.106.171.17  as per the screen grab....
Sorry missed your Screen grab.
Don't know how you appear to be accessing a different 1&1 domain ?
Title: Re: Strange messages from DSLStats/MalwareBytes ???
Post by: tbailey2 on September 10, 2015, 05:54:48 PM
Quote
Don't know how you appear to [be] accessing a different 1&1 domain ?

I'm not  ;) It's the IP address of the banned malware site in the link.. 

I didn't access it (obviously), I just pasted it as part of copying the security post contents and that came up from MBAM a few secs later....

You are welcome to try it yourself and see what happens...

Edit:

I just tried a whois on that address - bad move  >:D

Off MBAM goes again, had to clear recent history to stop.
Title: Re: Strange messages from DSLStats/MalwareBytes ???
Post by: AArdvark on September 10, 2015, 05:58:58 PM
Quote
You are welcome to try it yourself and see what happens...

Thank you for the kind suggestion but I will pass this time  ;D ;D
Title: Re: Strange messages from DSLStats/MalwareBytes ???
Post by: tbailey2 on September 11, 2015, 07:20:39 AM
Never heard of them before.
Quick look at their website etc
They are stating the postal address is in Hampshire yet the Call centre is in Nelson Lancs.
They started in 2014 so not too long ago.
They appear to be hoovering up 'Rural' customers.
Not sure who is providing the 'real' connectivity which they connect to.
If you say Talk Talk & Virgin have off-loaded customers what is common between those two ?

Only thought is that if they are new there is the risk that if they do not hit target numbers of customers they could be moving the customers on if they fail or be swallowed by someone else as a cheap target to pick up customers.
You need to see some benefit of joining a small company with the obvious attendant risks.
Pricing does not look special one way or another.

Their website does not give out much info beyond we do broadband and Phones and Mobile.
Has the look of someone buying a mix of services from across the market and selling the 'bundle' as a new Telecoms company.
Maybe I am wrong on that, it is just a feel from the generic website & docs.

Oh dear ..... MBAM is at it again..... This is getting annoying  :-X

Title: Re: Strange messages from DSLStats/MalwareBytes ???
Post by: roseway on September 11, 2015, 07:54:55 AM
Tony, I've moved the above message here.
Title: Re: Strange messages from DSLStats/MalwareBytes ???
Post by: tbailey2 on September 11, 2015, 07:59:22 AM
Thanks Eric. It did occur to me afterwards it was out of context to anyone reading the thread  :-[

It seems hopto.org is well documented for hosting malware so presumably the TLD has got on a list.....
Title: Re: Strange messages from DSLStats/MalwareBytes ???
Post by: AArdvark on September 11, 2015, 06:06:22 PM
Just had a Malwarebytes update.
I have removed 82.165.160.62 from the exclusion and all works OK.
i.e. As before.

FYI
Title: Re: Strange messages from DSLStats/MalwareBytes ???
Post by: roseway on September 11, 2015, 06:23:17 PM
That's a relief. :)