Pages: [1] 2

Topic: Strange messages from DSLStats/MalwareBytes ??? (Read 5618 times)

AArdvark

  • Kitizen
  • ****
  • Posts: 1008
Strange messages from DSLStats/MalwareBytes ???
« on: September 10, 2015, 03:48:51 AM »

Roseway,

I have just been clicking the 'Get IP Address' Button in DSLStats 5.6.1 and got repeated messages from Malwarebytes.
(Ignore the directory name, I had copied over the latest version of DSLStats to a directory previously used. Saved having to change the autostart in Windows. )
Even more interesting is that the messages stopped of their own accord.

Attached are a screencap of the message and the Event log.

Error message from Malwarebytes:


Event Log:


The Event log shows that when Malwarebytes gave the error message the IP address could not be found.
Then suddenly the Address was found and Malwarebytes did not give an Error.

Nothing was changed other than I continued to click the 'Get IP Address' Button.
Very Strange.
No malware is detected after scanning with Malwarebytes, Avast, Spybot-SD and the built in MS software.
I don't believe it is malware but cannot explain it.

AArdvark

  • Kitizen
  • ****
  • Posts: 1008
Re: Strange messages from DSLStats/MalwareBytes ???
« Reply #1 on: September 10, 2015, 04:34:30 AM »

Just done it again.
Error message from Malwarebytes; repeat pressing the 'Get IP Button' and it works and Malwarebytes is happy!

 ??? ???

roseway

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 43568
  • Penguins CAN fly
    • DSLstats
Re: Strange messages from DSLStats/MalwareBytes ???
« Reply #2 on: September 10, 2015, 07:15:19 AM »

It's certainly not malware, although there have been one or two instances of false positives recently. DSLstats gets your IP address by calling a small CGI script on my website, which is common practice for getting the IP address, and perfectly benign. If you're interested you can call this script yourself by entering this into your browser: http://www.s446074245.websitehome.co.uk/cgi-bin/ipaddress.py

This is the script:

Code:
#!/usr/bin/python
# Python 2 CGI script: emit the HTTP header, a label, then the address
# the web server saw the request arrive from (REMOTE_ADDR).

import os

print "Content-type: text/html\r\n\r\n"
print "IP address<br>"
print os.environ["REMOTE_ADDR"]

I'm afraid I have no idea why Malwarebytes is behaving like this, but it looks as though the malware detection process is the cause of the problem, unless you have some sort of intermittent issue with your internet connection.
  Eric
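
An added example, not code from this thread and not DSLstats' own implementation: the client side of the lookup Eric describes, in Python 3. It reads the reply of an IP-echo script of the shape quoted above and only reports an address if the body parses as one. The URL and the fetch helper are assumptions for the example, and the sample replies (including the block page) are constructed. The point it shows is the failure mode in the first post's event log: when a filter, proxy or dead connection gets in the way, the client receives a timeout, a reset or an HTML page rather than an address, and should report "not found" instead of treating whatever came back as the result.

```python
import ipaddress
import re
from typing import Callable, Optional
from urllib.request import urlopen

# Shape of the echo script's reply: a label, "<br>", then the address on its own line.
_ECHO_RE = re.compile(r"IP address<br>\s*(?P<addr>[0-9A-Fa-f:.]+)\s*$")


def parse_echo_response(body: str) -> Optional[str]:
    """Extract and validate the address from an IP-echo reply.

    Returns the normalised address, or None when the body is not in the
    expected shape: an HTML block page substituted by a web filter, a
    hosting error page, or a truncated or garbled reply.
    """
    match = _ECHO_RE.search(body)
    if match is None:
        return None
    try:
        return str(ipaddress.ip_address(match.group("addr")))
    except ValueError:  # digits and dots, but not a real address (e.g. 999.1.1.1)
        return None


def http_fetch(url: str, timeout: float = 10.0) -> str:
    """Real fetcher: GET the URL and return the body as text."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def failing_fetch(url: str) -> str:
    """Stand-in for a connection that times out or is reset by a filter."""
    raise OSError("connection timed out")


def get_public_ip(url: str, fetch: Callable[[str], str] = http_fetch) -> Optional[str]:
    """Look up the public address via an echo script; None means 'not found'."""
    try:
        body = fetch(url)
    except OSError:  # urllib's URLError and socket timeouts are OSError subclasses
        return None
    return parse_echo_response(body)


# Constructed sample replies (not captured from the thread).
GOOD_REPLY = "IP address<br>\n82.165.160.62\n"
BLOCK_PAGE = "<html><head><title>Website Blocked</title></head><body>Blocked</body></html>"

if __name__ == "__main__":
    echo_url = "http://example.invalid/cgi-bin/ipaddress.py"  # placeholder, not a live service
    print(get_public_ip(echo_url, lambda _: GOOD_REPLY))  # 82.165.160.62
    print(get_public_ip(echo_url, lambda _: BLOCK_PAGE))  # None
    print(get_public_ip(echo_url, failing_fetch))         # None
```

One caveat on the server side: REMOTE_ADDR is the address of whatever opened the TCP connection to the web server, so a client behind a forward proxy or a carrier-grade NAT will be told the proxy's or the NAT gateway's address, not its own.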

tbailey2

  • Kitizen
  • ****
  • Posts: 1245
Re: Strange messages from DSLStats/MalwareBytes ???
« Reply #3 on: September 10, 2015, 07:57:47 AM »

Um. It started happening to me about 30 mins ago..... I don't have the site open in the browser though. Still at it now once a second....

Note different IP address.

Edit:

Just ran up the link and note this is being picked up from the MDWS web server on the LAN which is running DSLstats, not this terminal. Seems you can exclude it from being detected though - and has now stopped after adding Eric's IP address.
« Last Edit: September 10, 2015, 08:04:01 AM by tbailey2 »
Tony
My Books!
Plusnet 80/20 - DSLstats - HG612/TG582n - ECI

AArdvark

  • Kitizen
  • ****
  • Posts: 1008
Re: Strange messages from DSLStats/MalwareBytes ???
« Reply #4 on: September 10, 2015, 08:31:54 AM »

It looks like some recent change in Malwarebytes.

I did not want to add the address to the exclusion list as it is an internal loopback address which may be misused by something else ???
Not sure how but I cannot assume anything.  ;D

Very odd, I wonder what malwarebytes have changed & why.

renluop

  • Kitizen
  • ****
  • Posts: 3326
Re: Strange messages from DSLStats/MalwareBytes ???
« Reply #5 on: September 10, 2015, 10:39:30 AM »

Just in case it might add something, I got same message, when I started comp up this morning.

Here is today's protection log
Code:
Malwarebytes Anti-Malware
www.malwarebytes.org


Protection, 10/09/2015 08:00, SYSTEM, YOURS TRULY-PC, Protection, Malware Protection, Starting,
Protection, 10/09/2015 08:00, SYSTEM, YOURS TRULY-PC, Protection, Malware Protection, Started,
Protection, 10/09/2015 08:00, SYSTEM, YOURS TRULY-PC, Protection, Malicious Website Protection, Starting,
Protection, 10/09/2015 08:01, SYSTEM, YOURS TRULY-PC, Protection, Malicious Website Protection, Started,
Detection, 10/09/2015 08:49, SYSTEM, YOURS TRULY-PC, Protection, Malicious Website Protection, Domain, 82.165.160.62, www.s446074245.websitehome.co.uk, 49299, Outbound, C:\Users\YOURS TRULY\AppData\Local\dslstats\dslstats32W-5.6\dslstats32W-5.6\dslstats.exe,
Detection, 10/09/2015 08:49, SYSTEM, YOURS TRULY-PC, Protection, Malicious Website Protection, Domain, 82.165.160.62, www.s446074245.websitehome.co.uk, 49299, Outbound, C:\Users\YOURS TRULY\AppData\Local\dslstats\dslstats32W-5.6\dslstats32W-5.6\dslstats.exe,
Update, 10/09/2015 09:23, SYSTEM, YOURS TRULY-PC, Scheduler, AKA IP Database, 2015.9.7.1, 2015.9.10.1,
Update, 10/09/2015 09:23, SYSTEM, YOURS TRULY-PC, Scheduler, Domain Database, 2015.9.9.4, 2015.9.10.4,
Update, 10/09/2015 09:23, SYSTEM, YOURS TRULY-PC, Scheduler, AKA Domain Database, 2015.9.9.2, 2015.9.10.3,
Update, 10/09/2015 09:24, SYSTEM, YOURS TRULY-PC, Scheduler, Malware Database, 2015.9.9.6, 2015.9.10.4,
Protection, 10/09/2015 09:24, SYSTEM, YOURS TRULY-PC, Protection, Refresh, Starting,
Protection, 10/09/2015 09:24, SYSTEM, YOURS TRULY-PC, Protection, Malicious Website Protection, Stopping,
Protection, 10/09/2015 09:24, SYSTEM, YOURS TRULY-PC, Protection, Malicious Website Protection, Stopped,
Protection, 10/09/2015 09:25, SYSTEM, YOURS TRULY-PC, Protection, Refresh, Success,
Protection, 10/09/2015 09:25, SYSTEM, YOURS TRULY-PC, Protection, Malicious Website Protection, Starting,
Protection, 10/09/2015 09:25, SYSTEM, YOURS TRULY-PC, Protection, Malicious Website Protection, Started,
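
An added example, not from the thread and not Malwarebytes' own tooling: a Python 3 triage script over protection-log lines in the format renluop pasted. The sample lines are copied from that log (with the user name redacted as it was there); the field positions are inferred from those lines and are an assumption. It pulls out the Domain detections, groups them by process and destination, and works out which Domain Database version was in force when each detection fired, which is the first thing to check when a detection appears and disappears around database updates.

```python
import csv
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Lines copied from the protection log posted above (user name as redacted there).
SAMPLE_LOG = r"""
Protection, 10/09/2015 08:00, SYSTEM, YOURS TRULY-PC, Protection, Malicious Website Protection, Started,
Detection, 10/09/2015 08:49, SYSTEM, YOURS TRULY-PC, Protection, Malicious Website Protection, Domain, 82.165.160.62, www.s446074245.websitehome.co.uk, 49299, Outbound, C:\Users\YOURS TRULY\AppData\Local\dslstats\dslstats32W-5.6\dslstats32W-5.6\dslstats.exe,
Detection, 10/09/2015 08:49, SYSTEM, YOURS TRULY-PC, Protection, Malicious Website Protection, Domain, 82.165.160.62, www.s446074245.websitehome.co.uk, 49299, Outbound, C:\Users\YOURS TRULY\AppData\Local\dslstats\dslstats32W-5.6\dslstats32W-5.6\dslstats.exe,
Update, 10/09/2015 09:23, SYSTEM, YOURS TRULY-PC, Scheduler, Domain Database, 2015.9.9.4, 2015.9.10.4,
Update, 10/09/2015 09:24, SYSTEM, YOURS TRULY-PC, Scheduler, Malware Database, 2015.9.9.6, 2015.9.10.4,
"""


@dataclass
class Detection:
    when: datetime
    ip: str
    domain: str
    port: int
    direction: str
    process: str


@dataclass
class Update:
    when: datetime
    database: str
    old_version: str
    new_version: str


def _when(field: str) -> datetime:
    return datetime.strptime(field, "%d/%m/%Y %H:%M")  # day/month/year, as in the log


def parse_protection_log(text: str) -> Tuple[List[Detection], List[Update]]:
    """Split the comma-separated log into Domain detections and database updates."""
    detections: List[Detection] = []
    updates: List[Update] = []
    for row in csv.reader(text.splitlines(), skipinitialspace=True):
        if not row:
            continue
        if row[-1] == "":
            row.pop()  # every line ends with a trailing comma
        kind = row[0]
        # Field positions assumed from the sample lines above.
        if kind == "Detection" and len(row) >= 12 and row[6] == "Domain":
            detections.append(Detection(_when(row[1]), row[7], row[8], int(row[9]), row[10], row[11]))
        elif kind == "Update" and len(row) >= 8:
            updates.append(Update(_when(row[1]), row[5], row[6], row[7]))
    return detections, updates


def database_version_at(updates: List[Update], database: str, when: datetime) -> Optional[str]:
    """Version of `database` in force at `when`: the new version of the latest earlier
    update, otherwise the old version of the first later update, else unknown."""
    history = sorted((u for u in updates if u.database == database), key=lambda u: u.when)
    before = [u for u in history if u.when <= when]
    if before:
        return before[-1].new_version
    after = [u for u in history if u.when > when]
    return after[0].old_version if after else None


def summarise(detections: List[Detection]) -> Dict[Tuple[str, str, str], int]:
    """Count detections per (process name, destination host, direction)."""
    counts: Dict[Tuple[str, str, str], int] = {}
    for d in detections:
        key = (d.process.rsplit("\\", 1)[-1], d.domain, d.direction)
        counts[key] = counts.get(key, 0) + 1
    return counts


def triage(text: str) -> List[Tuple[str, str, str, str, Optional[str]]]:
    """(time, process, host, ip, Domain Database version in force) per detection."""
    detections, updates = parse_protection_log(text)
    return [
        (d.when.strftime("%Y-%m-%d %H:%M"), d.process.rsplit("\\", 1)[-1], d.domain, d.ip,
         database_version_at(updates, "Domain Database", d.when))
        for d in detections
    ]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
    print(summarise(parse_protection_log(SAMPLE_LOG)[0]))
```

On renluop's log the two detections at 08:49 fall before the 09:23 Domain Database update, so they were produced by version 2015.9.9.4; anything logged after 09:23 would be attributed to 2015.9.10.4.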

tbailey2

  • Kitizen
  • ****
  • Posts: 1245
Re: Strange messages from DSLStats/MalwareBytes ???
« Reply #6 on: September 10, 2015, 11:02:11 AM »

I've just had to unblock it on two more terminals...

And would hazard a guess that the block is for the base website - www.websitehome.uk


There is an existing malware alert for one of its sub-domains:

[deleted reference with URL]

It's also of note that since I started composing this message and pasted in the security info, it's started alerting me for that sub-domain!

If that causes problems when anyone reads this I'll delete that info  :'( which I have now done

« Last Edit: September 10, 2015, 11:40:26 AM by tbailey2 »
Tony
My Books!
Plusnet 80/20 - DSLstats - HG612/TG582n - ECI

roseway

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 43568
  • Penguins CAN fly
    • DSLstats
Re: Strange messages from DSLStats/MalwareBytes ???
« Reply #7 on: September 10, 2015, 11:35:46 AM »

I don't understand this. The address s386667732.websitehome.co.uk isn't mine, and access to it is forbidden. My website is s446074245.websitehome.co.uk and it's working normally. If the base address websitehome.co.uk has been blacklisted, then that covers all 1&1 hosted sites.
  Eric

tbailey2

  • Kitizen
  • ****
  • Posts: 1245
Re: Strange messages from DSLStats/MalwareBytes ???
« Reply #8 on: September 10, 2015, 11:39:36 AM »

Quote from: roseway
I don't understand this. The address s386667732.websitehome.co.uk isn't mine, and access to it is forbidden. My website is s446074245.websitehome.co.uk and it's working normally. If the base address websitehome.co.uk has been blacklisted, then that covers all 1&1 hosted sites.

Um. To stop the MBAM messages for that site, I had to restart the machine.... Just closing the tab and shutting down the browser had no effect.

All has been well until I opened this thread and it's off again  >:D

I'll delete that paste to see if that stops it.

Edit:

Nope it didn't. But deleting the last 4 hours browsing history has stopped it  - hopefully
« Last Edit: September 10, 2015, 11:58:04 AM by tbailey2 »
Tony
My Books!
Plusnet 80/20 - DSLstats - HG612/TG582n - ECI

AArdvark

  • Kitizen
  • ****
  • Posts: 1008
Re: Strange messages from DSLStats/MalwareBytes ???
« Reply #9 on: September 10, 2015, 11:55:32 AM »

Quote from: roseway
I don't understand this. The address s386667732.websitehome.co.uk isn't mine, and access to it is forbidden. My website is s446074245.websitehome.co.uk and it's working normally. If the base address websitehome.co.uk has been blacklisted, then that covers all 1&1 hosted sites.

Sometimes blocks of addresses get flagged but usually NOT all the addresses that belong to a company.
I am sure 1&1 will not be happy about this either.

Maybe it is worth giving them a call to see what they know.
Looks like a classic 'flagging' error where something has not been checked properly before the 'address/address range' is included in an AV package.

BTW:
As of 04/09/2015 Bitdefender is listing your site as 'Malware Site'
They need a poke with a sharp stick.

 

AArdvark

  • Kitizen
  • ****
  • Posts: 1008
Re: Strange messages from DSLStats/MalwareBytes ???
« Reply #10 on: September 10, 2015, 12:12:00 PM »

Stupid Question:

Are all the people reporting this on Plusnet?

Plusnet are reporting problems connecting to the Internet.

Quote
Service: Other
Posted: Thu, Sep 10 2015 at 09:27:02
Subject: Website and connectivity issues

Our website and internal systems are currently experiencing issues.

In addition, some customers may have trouble connecting to the internet.

If you find you are affected by this please reboot your router in the first instance.

Our engineers are investigating alongside our suppliers, and once we have more information, we'll provide a further update.

Apologies for the inconvenience caused.

I have found for the last 2 days that if I reboot the modem it can NOT reconnect, as in it will not establish a PPP connection after DSL stabilises.
I have had to reboot multiple times to get a proper connection & PPP session. ???

roseway

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 43568
  • Penguins CAN fly
    • DSLstats
Re: Strange messages from DSLStats/MalwareBytes ???
« Reply #11 on: September 10, 2015, 12:42:50 PM »

I don't know whether this has any relevance:

Quote
Dear Sir or Madam,

we would like to inform you about a recently discovered security
vulnerability in the content management system Joomla!.  This vulnerability
may enable attackers to upload files to web servers.

All versions up to 2.5.13 as well as 3.1.4 and earlier 3.x versions are
affected. If you are currently using an older version of Joomla! for
managing your homepage, we strongly advise you to upgrade to the safe
versions 2.5.14 or 3.1.5 immediately.
These versions can be found at http://www.joomla.org/download.html

If you have installed Joomla! using 1&1’s Click & Build service, we will
perform the update for you.

Additional information is available at
http://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads

Sincerely,
Customer Care
1&1 Internet, Ltd.
  Eric

AArdvark

  • Kitizen
  • ****
  • Posts: 1008
Re: Strange messages from DSLStats/MalwareBytes ???
« Reply #12 on: September 10, 2015, 01:26:08 PM »

Quote from: roseway
I don't understand this. The address s386667732.websitehome.co.uk isn't mine, and access to it is forbidden. My website is s446074245.websitehome.co.uk and it's working normally. If the base address websitehome.co.uk has been blacklisted, then that covers all 1&1 hosted sites.

Quote from: tbailey2
Um. To stop the MBAM messages for that site, I had to restart the machine.... Just closing the tab and shutting down the browser had no effect.

All has been well until I opened this thread and it's off again  >:D

I'll delete that paste to see if that stops it.

Edit:

Nope it didn't. But deleting the last 4 hours browsing history has stopped it  - hopefully

I stopped the message by putting in an exclusion for the web site address (as below):



tbailey2

  • Kitizen
  • ****
  • Posts: 1245
Re: Strange messages from DSLStats/MalwareBytes ???
« Reply #13 on: September 10, 2015, 02:44:33 PM »

Quote from: roseway
I don't understand this. The address s386667732.websitehome.co.uk isn't mine, and access to it is forbidden. My website is s446074245.websitehome.co.uk and it's working normally. If the base address websitehome.co.uk has been blacklisted, then that covers all 1&1 hosted sites.

Quote from: tbailey2
Um. To stop the MBAM messages for that site, I had to restart the machine.... Just closing the tab and shutting down the browser had no effect.

All has been well until I opened this thread and it's off again  >:D

I'll delete that paste to see if that stops it.

Edit:

Nope it didn't. But deleting the last 4 hours browsing history has stopped it  - hopefully

Quote from: AArdvark
I stopped the message by putting in an exclusion for the web site address (as below):




Yes and so did I  :)   But that isn't the address I was having trouble with, it was 87.106.171.17  as per the screen grab....
Tony
My Books!
Plusnet 80/20 - DSLstats - HG612/TG582n - ECI

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7388
  • VM Gig1 - AAISP L2TP
Re: Strange messages from DSLStats/MalwareBytes ???
« Reply #14 on: September 10, 2015, 04:47:05 PM »

Sadly some security vendors will block an entire TLD when a sub-domain is marked as rogue, causing problems such as this.
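
An added example, not part of the thread and not a description of how any named vendor implements its filter: a small Python 3 model of the two blocklist scopes Chrysalis contrasts, blocking only the flagged host (and names beneath it) versus blocking everything that shares its registered domain. The public-suffix table is a hand-written stand-in for the real list (an assumption of the example), the host names are the ones mentioned in the thread, and the sub-domain Eric says is not his is used purely as the flagged entry to illustrate scope, not as a claim about any vendor's list. It also models the user-side exclusion the thread settled on as a workaround.

```python
from typing import Iterable, List

# Simplified public-suffix table: the real Public Suffix List is far longer.
# Assumption for this example; use a public-suffix library in production.
_TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "me.uk", "ac.uk", "gov.uk", "com.au"}


def registered_domain(host: str) -> str:
    """Registrable domain of a host, e.g. 'websitehome.co.uk' for
    'www.s446074245.websitehome.co.uk' and 'example.com' for 'example.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in _TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _under(host: str, parent: str) -> bool:
    """True if host is parent itself or a name beneath it."""
    return host == parent or host.endswith("." + parent)


class HostBlocklist:
    """Blocklist with two matching scopes.

    'host'        : block the flagged name and anything below it.
    'registrable' : block every name sharing the flagged name's registered
                    domain. On shared hosting, where each customer site is a
                    sub-domain of the provider, this takes every customer
                    down with the one that was flagged.
    Exclusions are checked first, as a user-side override.
    """

    def __init__(self, flagged: Iterable[str], scope: str = "host",
                 exclusions: Iterable[str] = ()) -> None:
        if scope not in ("host", "registrable"):
            raise ValueError("scope must be 'host' or 'registrable'")
        self.scope = scope
        self.flagged = {h.lower().rstrip(".") for h in flagged}
        self.exclusions = {h.lower().rstrip(".") for h in exclusions}

    def is_blocked(self, host: str) -> bool:
        host = host.lower().rstrip(".")
        if any(_under(host, ex) for ex in self.exclusions):
            return False
        if self.scope == "host":
            return any(_under(host, f) for f in self.flagged)
        return any(registered_domain(host) == registered_domain(f) for f in self.flagged)

    def collateral(self, hosts: Iterable[str]) -> List[str]:
        """Hosts blocked only because of scope, not because they were flagged themselves."""
        out = []
        for h in hosts:
            h = h.lower().rstrip(".")
            if self.is_blocked(h) and not any(_under(h, f) for f in self.flagged):
                out.append(h)
        return out


if __name__ == "__main__":
    flagged = ["s386667732.websitehome.co.uk"]  # illustrative flagged entry only
    others = ["www.s446074245.websitehome.co.uk", "s446074245.websitehome.co.uk", "example.co.uk"]
    for scope in ("host", "registrable"):
        print(scope, HostBlocklist(flagged, scope=scope).collateral(others))
    # host []
    # registrable ['www.s446074245.websitehome.co.uk', 's446074245.websitehome.co.uk']
```

The exclusion mirrors what tbailey2 and AArdvark did in MBAM: it overrides the block for one name without touching the underlying list, which is the right shape for a workaround because it does not widen what is allowed beyond the site actually needed.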