Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[dragonshardz]

Okay, so this is very, very odd. For some reason, my Java install (specifically, javaw.exe) keeps trying to connect to the IP address 68.178.232.99 or to web pages at that address (for example, 68.178.232.99/pilot-operated-solenoid-valve.html).

THANKFULLY, my Antivirus blocks the connection as a Malicious URL, but here's what is making me scratch my head in confusion: An IP lookup shows the server to be located here in Mesa and to be owned by GoDaddy - and that the IP address is connected to some site called secureserver.net

Upon further searching, it seems that the site isn't even UP and running - go there, and you're greeted with a "This is site is currently not available" message.

Thoughts?

IP Lookup Site - This is what I used to get all the information I have.

[Angel Of Death]

Java is pretty much a gateway to viruses for your computer. All my viruses have been from Java.

[Virex]

The IP address is definitely up, I can ping it just fine.

[RedKing]

The site is a secure mailserver operated by GoDaddy under their SecureServer.net brand. The server itself is up, there's just no webpage associated with it because it's an SMTP server.

Couple of possibilites:
1. Their SMTP server is compromised and you've got the client half of the zombiebot.
2. It's a piece of malicious code that uses randomizing and a shotgun approach. In other words, it keeps making attempts to a sequence of IP addresses and predetermined URL names. This is designed to work in conjunction with another worm that randomly tries to create those HTML documents on as many servers as it can compromise. The idea is that eventually the two pieces will spread enough that a random combination of IP and HTML doc will actually hit an infected machine and trigger whatever the NEXT stage is. yes, it's the virus equivalent of brute forcing, but with umpteen million clients out there, it's a fire-and-forget sort of attack.

I'd clear your Java cache entirely annd run a full scan. Hell, maybe even uninstall and reinstall Java itself to make sure it didn't infect some of the core JARs.

[Fayrik]

Hell, maybe even uninstall and reinstall Java itself to make sure it didn't infect some of the core JARs.

Fix'd! (Ho ho ho!)

[dragonshardz]

I've uninstalled and reinstalled Java already - and I'd leave it uninstalled, but it'd be damn hard to play Minecraft. Anyway, the nastiness has persisted.

As far as I can tell, RedKing, either option is more likely - though it's only attempting to connect to IP addresses. If I knew a way to look at the history of exactly what attempted connections Avast! has blocked, I'd be able to tell more definitively which of the two it is.

AS for virus scans, I've run a quick scan with MBAM and it hasn't caught it - I'll run a full scan with both MBAM and Avast! today while I'm at church.

[dragonshardz]

Updoot: Avast! just caught (and blocked) about 20 different attempts to connect to various URLs at that IP address and that IP address only. Looks like Option 1, infected server and I have the client end, is the most likely.

[MetalSlimeHunt]

On the subject of Java, I haven't had any virus issues because of it ever since I told Kaspersky to let it run but limit hazardous operations from it.