
Address has been blocked notification


RandyEVO


Think this is the right area to post this... been getting this popup for a blocked address, https://secure-drm.imrworldwide.com IP 3.17.238.130, and can't get it to go away. Made sure it wasn't notifications or extensions on Google Chrome and there doesn't seem to be anything else. Anyone else have something similar? Image attached. Thanks!

notifcation.png


  • Administrators

When does the alert pop up? When you launch a browser or a specific application, when browsing websites, etc.? If it's browser related, does it pop up when running any other browsers?

By the way, it appears that you have ESET Endpoint v5 installed. I'd strongly recommend upgrading to EPv7.


As far as that IP address goes, it resolves to Amazon: https://www.robtex.com/dns-lookup/ec2-3-17-238-130.us-east-2.compute.amazonaws.com .

-EDIT- As far as domain https://secure-drm.imrworldwide.com goes, it is associated with:

Quote

The IP number is 138.108.140.100. The IP number is in Schaumburg, United States. It is hosted by Route for Nielsen.

Secure-drm.imrworldwide.com has a chain of two CNAMEs ultimately pointing to secure-hongkong.imrworldwide.com. Secure-hongkong.imrworldwide.com has one IP number.

Per Robtex: https://www.robtex.com/dns-lookup/secure-drm.imrworldwide.com

Finally, IPVOID states 3.17.238.130 is not a valid IP address. Makes sense since it appears it is trying to directly access a backbone server. Appears something is screwed up DNS-wise.

Edited by itman

I have a user that has also been getting this for a few days. Turns out it's Iheart.com. She uses the website to play music instead of an I Heart Radio app and in the page source there are references to that site several times. She first reported this yesterday, 2/14/2019.

The pop-up hits her desktop but doesn't register anything in the logs.


1 hour ago, Wynot said:

Turns out it's Iheart.com

The site itself is clean per URLVoid: https://www.urlvoid.com/scan/iheart.com/ .

When I connect using iheart.com, I end up at quickio.iheart.com with an IP address of 34.195.19.104. Interestingly, that also resolves to Amazon per Robtex: https://www.robtex.com/ip-lookup/34.195.19.104 .

The common theme to these alerts appears to be the connection to Amazon servers in the U.S. Also, I use EIS and am receiving no alerts on any of these connections.

-EDIT- Forgot to mention I did observe routing connections through the Amazon backbone servers.

Edited by itman

Additional info, this is a Win 10 PC.  I have a Win 7 user who also connects to iheart.com and does not receive these alerts even though the same address is present in the source code.


Marcos, I am still getting blocked from this on my client's machine. As of 2/15 updated engine/defs with same results. Please advise on how to unblock. User is getting frustrated with the constant pop-ups. They are using iheart in Chrome browser. Thank you.


  • Administrators
21 minutes ago, rshanwk said:

Marcos, I am still getting blocked from this on my client's machine. As of 2/15 updated engine/defs with same results. Please advise on how to unblock. User is getting frustrated with the constant pop-ups. They are using iheart in Chrome browser. Thank you.

Please post the appropriate row from the Filtered websites log.
