bastitch (posted February 11, 2017): One of my sites has about 50 installed users. Yesterday a good 25% of those users started getting dozens of repeated popups about blocking access to an IP address that was originating from their System process, connecting to a remote IP that belongs to an anti-DDoS CDN service. The IP address in question is 69.172.201.153, which belongs to DOSarrest.com. When I visit that IP in my browser I get a similar message, saying ESET has blocked a malicious website. Is this in error? I had a lot of frustrated users calling me yesterday, so much that I had to just send out a mass policy update to turn off web access protection temporarily.
Marcos (Administrator, posted February 11, 2017): I don't think that it is a legit wpad proxy configuration file. Also, Locky has been detected on that IP address, and the reason for blocking it was the Sundown exploit. Check the automatic proxy server configuration in the IE setup and make sure the path to the config file is not set to the above-mentioned URL.
bastitch (author, posted February 11, 2017): Thanks for the quick reply Marcos. I was so sure of the assumption that it was a false positive that I hadn't even stopped to think about it being a real threat. I will re-enable the web access protection and check the proxy setup. Thanks!
bastitch (author, posted February 11, 2017, edited): So I checked the proxy settings, and there is nothing configured there. However, when I re-enable Web access protection and then access the internet in any way, ESET blocks a bunch of weird connections, all to that same IP, but with different URLs. Such as hxxp://wpad.******.net/wpad.dat (where ****** is the local Windows domain name of the company). Also a bunch of random URLs with random characters and no TLD such as hxxp://ekickejd, and some are even showing hxxp://****1 (the name of the company's file server). I've run full scans with ESET and Malwarebytes; both came back clean. I know this is probably beyond the scope of the help you provide in these forums, but any info you could provide I would appreciate. Thanks!
Edited February 12, 2017 by bastitch: Remove potentially sensitive info
bastitch (author, posted February 11, 2017): So it turns out their local domain, s****r.net, is also a real HTTP domain, s****r.net, and the IP address of that domain is the blocked DOSarrest IP from above. I still cannot find any malware or any malicious settings in any of the affected machines.
Marcos (Administrator, posted February 12, 2017): To start off, please drop me a PM with the output from ESET Log Collector attached. For instructions, see the link in my signature.
bastitch (author, posted February 12, 2017): I sent the log files via PM. Thanks!
edd200sx (posted February 13, 2017, edited): Getting the same IP blocked on my PC:
13/02/2017 19:04:02 hxxp://api.cdn.didlr.com/liveTileWin8.xml Blocked by internal IP blacklist C:\Windows\explorer.exe Edd\edd 69.172.201.153 CAEF6938FF6ACA790E36770142374243AB726A76
Edited February 13, 2017 by Marcos: Log shortened
Marcos (Administrator, posted February 13, 2017), replying to edd200sx ("getting the same ip blocked on my pc"): You shouldn't be getting this alert unless you are using an outdated engine version. The latest one is 14931.
Rafael Paiva (posted February 13, 2017): Hi, I have the exact same problems in all laptops at home. Please let me know as soon as you can find out any solutions. Thanks in advance. Rafael Paiva.
Marcos (Administrator, posted February 13, 2017), replying to Rafael Paiva ("Hi, I have the exact same problems in all laptops at home. Please let me know as soon as you can find out any solutions."): Couldn't it be that it was happening a couple of hours ago but not now any more?
dschwa (posted February 14, 2017, edited): I am not buying this idea that, because ESET fixed the so-called issue by updating signatures, there is no problem. I have several systems continuing to try to make connections to this IP. I have had to block all traffic to this site until someone can better explain what is happening, and would suggest anyone who has seen this to do the same. Marcos, would you please shed some light on this and what ESET's reasoning is for allowing communication to continue to this IP and randomized URLs? "ESET blocks a bunch of weird connections, all to that same IP, but with different urls. Such as hxxp://wpad.******.net/wpad.dat (where ****** is the local Windows domain name of the company). Also a bunch of random URLs with random characters and no TLD such as hxxp://ekickejd, and some are even showing hxxp://****1 (the name of the company's file server)" ?? Additionally, why has it only been reported by few and not all of your customers? I first noticed this issue on the 10th and only when I connected and disconnected to my corporate VPN. I would assume all your customers would have reported this had it been a Windows issue? I
Edited February 14, 2017 by dschwa
bastitch (author, posted February 14, 2017): dschwa, that is strange that you are seeing Windows trying to connect to the same IP. What I had figured out was that the company's local domain, let's just say it is companyabc.net, was also the same as a web domain companyabc.net, that the company did not own. On the web, companyabc.net was pointing to that IP address that was blocked by ESET. The problem happened once users took their PCs outside of the local network and got online. The system was looking for their local domain companyabc.net, and in doing so calling out to companyabc.net on the web. I'm not sure why it is doing that; I have not been able to pinpoint the cause. What worries me is those randomly generated URLs that are calling out from Windows. Did you have those as well?
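The collision bastitch describes (an internal AD domain that is also a public domain, so off-network WPAD and short-hostname lookups land on whatever the public name resolves to) can be checked for before users notice it. The following is an added example, not code from the thread or from ESET; it assumes a placeholder domain companyabc.net and host fileserver1, and the resolver is injectable so the constructed answers below run offline (the real OS resolver is the default).

```python
import ipaddress
import socket

# Names a domain-joined Windows machine may look up when it is off the corporate
# network: the domain itself, WPAD auto-discovery for the domain, and short
# hostnames (e.g. a file server) that the DNS suffix search list expands to host.<domain>.
def candidate_names(local_domain, short_hosts=()):
    names = [local_domain, "wpad." + local_domain]
    names += [h + "." + local_domain for h in short_hosts]
    return names

def system_resolver(name):
    """Resolve with the OS resolver; returns [] if the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def is_public(ip):
    """True for addresses outside RFC 1918 / loopback / link-local / reserved ranges."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast)

def find_collisions(local_domain, short_hosts=(), resolve=system_resolver):
    """Return {name: [public IPs]} for each candidate name that resolves to a
    public address, i.e. a name Windows expects to be internal but that DNS
    answers with something on the Internet."""
    findings = {}
    for name in candidate_names(local_domain, short_hosts):
        public = [ip for ip in resolve(name) if is_public(ip)]
        if public:
            findings[name] = public
    return findings

# Constructed DNS answers standing in for a public resolver (not real lookups);
# the public IP is the one the thread reports ESET blocking, the private one is
# what an internal DNS server would hand out for the file server.
CONSTRUCTED_DNS = {
    "companyabc.net": ["69.172.201.153"],
    "wpad.companyabc.net": ["69.172.201.153"],
    "fileserver1.companyabc.net": ["10.0.0.5"],
}

def constructed_resolver(name):
    return CONSTRUCTED_DNS.get(name, [])

if __name__ == "__main__":
    for name, ips in find_collisions("companyabc.net", ["fileserver1"], constructed_resolver).items():
        print(f"{name} resolves to public address(es) {ips}: WPAD/host lookups will leave the network")
```

Run with the default resolver from a machine off the corporate network to see what the Internet actually answers for your own domain; the fix is a split-horizon DNS or a domain name you control, not unblocking the destination IP.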
Marcos (Administrator, posted February 14, 2017): The IP address belongs to DOSarrest Internet Security, which is a legitimate security anti-DDoS service provider, and thus blocking the IP address would not be appropriate.
bastitch (author, posted February 14, 2017, edited), replying to Marcos ("The IP address belongs to DOSarrest Internet Security which is a legitimate security anti-DDoS service provider and thus blocking the IP address would not be appropriate."): Is it possible that legitimate Windows services are using DOSarrest to host their web apps that are being called to? I still haven't found a good reason for the randomly generated URLs that were coming from the System process and talking to that DOSarrest IP.
Edited February 14, 2017 by bastitch
Marcos (Administrator, posted February 15, 2017): I've written to DOSarrest IS for their opinion on this.
bastitch (author, posted February 19, 2017), replying to Marcos (February 15, 2017, "I've written to DOSarrest IS for their opinion on this."): Have you heard anything back about this?