Bay 12 Games Forum

Topic: Malicious IP Address

dragonshardz

  • Bay Watcher
  • [ETHIC:PONY:ACCEPTABLE]
Malicious IP Address
« on: April 02, 2011, 09:26:25 am »

Okay, so this is very, very odd. For some reason, my Java install (specifically, javaw.exe) keeps trying to connect to the IP address 68.178.232.99 or to web pages at that address (for example, 68.178.232.99/pilot-operated-solenoid-valve.html).

THANKFULLY, my Antivirus blocks the connection as a Malicious URL, but here's what is making me scratch my head in confusion: An IP lookup shows the server to be located here in Mesa and to be owned by GoDaddy - and that the IP address is connected to some site called secureserver.net

Upon further searching, it seems that the site isn't even UP and running - go there, and you're greeted with a "This is site is currently not available" message.

Thoughts?

IP Lookup Site - This is what I used to get all the information I have.

Angel Of Death

  • Bay Watcher
  • Karl Groucho?
Re: Malicious IP Address
« Reply #1 on: April 02, 2011, 09:38:14 am »

Java is pretty much a gateway to viruses for your computer. All my viruses have been from Java.
99 percent of internet users add useless, pulled out of arse statistics to their sig. If you are the 1%, please, for the love of Armok, don't put any useless shit like this in your sig.
Hidden signature messages are fun!

Virex

  • Bay Watcher
  • Subjects interest attracted. Annalyses pending...
Re: Malicious IP Address
« Reply #2 on: April 02, 2011, 09:43:20 am »

The IP address is definitely up, I can ping it just fine.

RedKing

  • Bay Watcher
  • hoo hoo motherfucker
Re: Malicious IP Address
« Reply #3 on: April 02, 2011, 09:47:26 am »

The site is a secure mailserver operated by GoDaddy under their SecureServer.net brand. The server itself is up, there's just no webpage associated with it because it's an SMTP server.

Couple of possibilities:
1. Their SMTP server is compromised and you've got the client half of the zombiebot.
2. It's a piece of malicious code that uses randomizing and a shotgun approach. In other words, it keeps making attempts to a sequence of IP addresses and predetermined URL names. This is designed to work in conjunction with another worm that randomly tries to create those HTML documents on as many servers as it can compromise. The idea is that eventually the two pieces will spread enough that a random combination of IP and HTML doc will actually hit an infected machine and trigger whatever the NEXT stage is. Yes, it's the virus equivalent of brute forcing, but with umpteen million clients out there, it's a fire-and-forget sort of attack.

I'd clear your Java cache entirely and run a full scan. Hell, maybe even uninstall and reinstall Java itself to make sure it didn't infect some of the core JARs.


Remember, knowledge is power. The power to make other people feel stupid.
Quote from: Neil DeGrasse Tyson
Science is like an inoculation against charlatans who would have you believe whatever it is they tell you.

Fayrik

  • Bay Watcher
Re: Malicious IP Address
« Reply #4 on: April 02, 2011, 09:56:39 am »

Quote from: RedKing
Hell, maybe even uninstall and reinstall Java itself to make sure it didn't infect some of the core JARs.

Fix'd! (Ho ho ho!)
So THIS is how migrations start.
"Hey, dude, there's this crazy bastard digging in the ground for stuff. Let's go watch."

dragonshardz

  • Bay Watcher
  • [ETHIC:PONY:ACCEPTABLE]
Re: Malicious IP Address
« Reply #5 on: April 02, 2011, 10:15:37 am »

I've uninstalled and reinstalled Java already - and I'd leave it uninstalled, but it'd be damn hard to play Minecraft. Anyway, the nastiness has persisted.

As far as I can tell, RedKing, either option is more likely - though it's only attempting to connect to IP addresses. If I knew a way to look at the history of exactly what attempted connections Avast! has blocked, I'd be able to tell more definitively which of the two it is.

As for virus scans, I've run a quick scan with MBAM and it hasn't caught it - I'll run a full scan with both MBAM and Avast! today while I'm at church.
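The two hypotheses RedKing lays out (a fixed compromised server that the client half keeps calling, versus a shotgun spray across many addresses and URL names) can be told apart from exactly the history dragonshardz wishes he could see: the list of blocked outbound attempts grouped by process and destination. The script below is an added example, not code from the thread or from Avast!; it assumes a simple constructed log format (timestamp, process, ALLOWED/BLOCKED, URL), which is not Avast!'s real log format, and the sample lines apart from the one URL quoted in the opening post are constructed. The process name spray.exe and the 192.0.2.x addresses (RFC 5737 documentation range) are made-up illustrations of the second pattern.

```python
"""Triage of blocked outbound-connection events by process and destination.

Added example (not from the forum thread). Parses a constructed block log and
summarises how many distinct hosts and URLs each process was blocked from
reaching, so a fixed-destination pattern can be distinguished from a spray.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample lines. Assumed format: "<date> <time> <process> <action> <url>".
# Only the first javaw.exe URL comes from the thread; everything else is made up.
SAMPLE_LOG = """\
2011-04-02 10:40:01 javaw.exe BLOCKED http://68.178.232.99/pilot-operated-solenoid-valve.html
2011-04-02 10:40:03 javaw.exe BLOCKED http://68.178.232.99/constructed-page-2.html
2011-04-02 10:40:05 javaw.exe BLOCKED http://68.178.232.99/constructed-page-3.html
2011-04-02 10:40:08 javaw.exe BLOCKED http://68.178.232.99/constructed-page-4.html
2011-04-02 10:40:11 javaw.exe BLOCKED http://68.178.232.99/constructed-page-5.html
2011-04-02 10:40:14 javaw.exe BLOCKED http://68.178.232.99/constructed-page-6.html
2011-04-02 10:41:00 spray.exe BLOCKED http://192.0.2.10/a.html
2011-04-02 10:41:01 spray.exe BLOCKED http://192.0.2.11/a.html
2011-04-02 10:41:02 spray.exe BLOCKED http://192.0.2.12/a.html
2011-04-02 10:41:03 spray.exe BLOCKED http://192.0.2.13/a.html
2011-04-02 10:41:04 spray.exe BLOCKED http://192.0.2.14/a.html
2011-04-02 10:41:05 spray.exe BLOCKED http://192.0.2.15/a.html
2011-04-02 10:41:10 firefox.exe ALLOWED http://www.bay12forums.com/smf/index.php
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<process>\S+) "
    r"(?P<action>ALLOWED|BLOCKED) (?P<url>\S+)$"
)


@dataclass(frozen=True)
class Event:
    timestamp: str
    process: str
    action: str
    host: str
    path: str


def parse_log(text: str) -> list[Event]:
    """Turn log text into Event records; lines not in the assumed format are skipped."""
    events: list[Event] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue
        parts = urlsplit(m["url"])
        events.append(Event(f"{m['date']} {m['time']}", m["process"], m["action"],
                            parts.hostname or "", parts.path or "/"))
    return events


def blocked_by_process(events: list[Event]):
    """Per process: Counter of blocked destination hosts and the set of (host, path) pairs."""
    hosts: dict[str, Counter] = defaultdict(Counter)
    urls: dict[str, set] = defaultdict(set)
    for e in events:
        if e.action != "BLOCKED":
            continue
        hosts[e.process][e.host] += 1
        urls[e.process].add((e.host, e.path))
    return hosts, urls


def classify(host_counts: Counter, min_attempts: int = 5) -> str:
    """Heuristic label: one host hit repeatedly vs. attempts spread across many hosts."""
    total = sum(host_counts.values())
    if total < min_attempts:
        return "inconclusive"          # too few events to say anything
    distinct = len(host_counts)
    top_share = host_counts.most_common(1)[0][1] / total
    if distinct == 1:
        return "fixed-destination"     # thread option 1: one server, many URL names
    if distinct >= min_attempts and top_share < 0.5:
        return "spray"                 # thread option 2: shotgun across addresses
    return "inconclusive"


def triage(text: str) -> dict[str, dict]:
    """Summarise blocked attempts per process and attach the heuristic label."""
    hosts, urls = blocked_by_process(parse_log(text))
    report = {}
    for proc, counts in hosts.items():
        report[proc] = {
            "blocked": sum(counts.values()),
            "distinct_hosts": len(counts),
            "distinct_urls": len(urls[proc]),
            "top_host": counts.most_common(1)[0][0],
            "pattern": classify(counts),
        }
    return report


if __name__ == "__main__":
    for proc, summary in triage(SAMPLE_LOG).items():
        print(proc, summary)
```

Run on the sample, javaw.exe comes out as fixed-destination (six blocked attempts, one host, six URLs) and spray.exe as spray; firefox.exe does not appear because only BLOCKED events are counted. The thresholds in classify are a starting point to tune against a real export, not a rule; the useful part is the grouping, which is what the thread's later "20 attempts to that IP address and that IP address only" observation is doing by hand.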

dragonshardz

  • Bay Watcher
  • [ETHIC:PONY:ACCEPTABLE]
Re: Malicious IP Address
« Reply #6 on: April 02, 2011, 10:54:15 am »

Updoot: Avast! just caught (and blocked) about 20 different attempts to connect to various URLs at that IP address and that IP address only. Looks like Option 1, infected server and I have the client end, is the most likely.

MetalSlimeHunt

  • Bay Watcher
  • Gerrymander Commander
Re: Malicious IP Address
« Reply #7 on: April 02, 2011, 11:31:52 am »

On the subject of Java, I haven't had any virus issues because of it ever since I told Kaspersky to let it run but limit hazardous operations from it.
Quote from: Thomas Paine
To argue with a man who has renounced the use and authority of reason, and whose philosophy consists in holding humanity in contempt, is like administering medicine to the dead, or endeavoring to convert an atheist by scripture.
Quote
No Gods, No Masters.