Hijin25

IP blocking in GOG Galaxy


Greetings.

I have been using GOG Galaxy for several years without any problem. But today, when starting the download of a game, EIS blocked the connection with this message:

Time; 03/25/2019 08:32:19 p.m.
URL; https://cdn-edge-dynamic-1-bhs-ca-ovh.gogcdn.net
State; Blocked by internal IP blacklist
Application; C: \ Program Files (x86) \ GOG Galaxy \ GalaxyClient.exe
IP adress; 54.39.176.22
SHA1; A8B71843C86F1A71427BF91A70A7DD6F89265F6F

Is it a genuine block or a false positive?

I analyzed the URL in VirusTotal and all the analyses show that it is a clean site.

I also analyzed the IP, and only ESET and two more antivirus engines detect it as malware.

Thanks in advance for any


For me cdn-edge-dynamic-1-bhs-ca-ovh.gogcdn.net doesn't resolve at all.


Thanks for answering.

Well that's the URL that the ESET warning message threw at me.

Today I tried the download again and I could do it without problems. What could have caused the block?

9 hours ago, Marcos said:

For me cdn-edge-dynamic-1-bhs-ca-ovh.gogcdn.net doesn't resolve at all.

Same here, doesn't resolve in IE11.

The IP address resolves to OVH Hosting which appears to be a domain server. My guess is the domain in question has been removed from it.


Today I analyzed the IP in VirusTotal again, and now ESET no longer detects it as malicious. I suppose, then, that it was a "lapse" of the antivirus.

I worried a lot, since I usually shop from GOG Galaxy.


I tried again to connect to https://cdn-edge-dynamic-1-bhs-ca-ovh.gogcdn.net using IE11. It failed again.

Submitted the URL to the Qualys SSL Server Test for a scan and it wouldn't resolve there either. As far as the VT scan of it, it doesn't verify the URL as to routing ability. It only verifies if any of the AV engines there have it blacklisted.
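
The check this thread keeps coming back to, whether the hostname from the ESET alert still resolves and whether it still maps to the blocked IP, can be scripted. The following is an added example, not part of any post in this thread; the alert text is copied from the first post, and the function names and verdict labels are assumptions chosen for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Alert text as quoted in the first post of this thread.
ALERT = """\
Time; 03/25/2019 08:32:19 p.m.
URL; https://cdn-edge-dynamic-1-bhs-ca-ovh.gogcdn.net
State; Blocked by internal IP blacklist
Application; C: \\ Program Files (x86) \\ GOG Galaxy \\ GalaxyClient.exe
IP adress; 54.39.176.22
SHA1; A8B71843C86F1A71427BF91A70A7DD6F89265F6F
"""

def parse_alert(text):
    """Split 'Field; value' lines into a dict keyed by lower-cased field name."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(";")
        if sep and name.strip():
            fields[name.strip().lower()] = value.strip()
    return fields

def system_resolver(host):
    """Resolve host with the OS resolver; an empty set means it does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, 443)}
    except socket.gaierror:
        return set()

def triage(fields, resolver=system_resolver):
    """Compare what the hostname resolves to now with the IP the alert blocked.

    Verdict labels are illustrative, not ESET terminology.
    """
    host = urlsplit(fields["url"]).hostname
    blocked = ipaddress.ip_address(fields["ip adress"])  # key spelled as in the alert
    current = {ipaddress.ip_address(a) for a in resolver(host)}
    if not current:
        verdict = "unresolvable"   # name is gone: only the IP can still be checked
    elif blocked in current:
        verdict = "still-served"   # name still maps to the blocked address
    else:
        verdict = "moved"          # name now maps to other addresses
    return {"host": host, "blocked_ip": str(blocked), "verdict": verdict}

if __name__ == "__main__":
    print(triage(parse_alert(ALERT)))
```

A verdict of `unresolvable` says nothing about reputation; it only means the name no longer maps to an address, so any reputation lookup has to be made against the IP itself.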


Now this is interesting.

I submitted the IP address, 54.39.176.22, to IPVoid for a scan. All the rep scanners there state it is probably clean. When I selected the very first scanner there, AlienVault, for further details, I was greeted with this:

54.39.176.22 is a threat to your network!

Don't know if they are phishing for my e-mail address which is required to receive a detailed threat report, or what.

10 hours ago, Hijin25 said:

This is very confusing to me. If it is dangerous, why does ESET take it off the blacklist?

The IP address points to an Internet Domain server. All these do is resolve URL to IP address. As such, most Internet reputational scanners would exclude them from consideration.

As said repeatedly, the URL doesn't resolve and therefore cannot be routed to a valid connection.

One possible explanation as to what is going on is you're using some type of tunnel network connection such as Tor or a VPN to connect to the game server. This bypassed the Internet backbone routing mechanism by establishing a direct point-to-point network connection.

Edited by itman


FYI.

Quote

GOG Galaxy Game Launcher Vulnerable to Privilege Escalation Attacks

GOG Galaxy contains six severe vulnerabilities that permit privilege escalation and arbitrary code execution.

  • Most of the vulnerabilities concern the macOS version of the game launcher, but Windows users aren’t entirely safe either.
  • GOG Galaxy accounts for around 10% to 20% of digital game sales, so attackers have a lot of potential unpatched targets.

Cisco Talos researchers have analyzed GOG Galaxy video game launcher version 1.2.48.36, and found that this version number, and most probably all of the recent ones that came before it are vulnerable to various types of malicious attacks that result in remote privilege escalation and arbitrary code execution.

https://www.technadu.com/gog-galaxy-launcher-vulnerable-privilege-escalation-attacks/62961/

Edited by itman

2 hours ago, itman said:

The IP address points to an Internet Domain server. All these do is resolve URL to IP address. As such, most Internet reputational scanners would exclude them from consideration.

As said repeatedly, the URL doesn't resolve and therefore cannot be routed to a valid connection.

One possible explanation as to what is going on is you're using some type of tunnel network connection such as Tor or a VPN to connect to the game server. This bypassed the Internet backbone routing mechanism by establishing a direct point-to-point network connection.

As far as I know, I do not use anything he mentions.

18 minutes ago, itman said:

This is worrying, I hope ESET will help me mitigate these threats. As I mentioned, it was the only one of the renowned antivirus products that blocked the connection to that IP. I prefer a "paranoid" antivirus to a permissive one.

Thank you for your assistance.

1 hour ago, Hijin25 said:

I hope ESET will help me mitigate these threats

Make sure your software is updated to the latest version available. Cisco indicated in their detailed write-up that GOG Galaxy has patched the software against these vulnerabilities.


The platform is updated, now at version 1.2.54. The version mentioned in the article is from mid-November 2018.

In the GOG technical support, they just thanked me for reporting the incident. XD.
