Malwarebytes

IP-BLOCK 209.85.147.105


12 replies to this topic

#1
ottchris

209.85.147.105 being blocked this morning. Apps involved are Rainlendar and Chrome.

Reverse Lookup gives:
209.85.147.105 PTR record: bru01m01-in-f105.1e100.net. [TTL 86400s] [A=209.85.147.105]

Whois 1e100.net gives:


MarkMonitor is the Global Leader in Enterprise Brand Protection.

Domain Management
MarkMonitor Brand Protection™
AntiFraud Solutions
Corporate Consulting Services

Visit MarkMonitor at www.markmonitor.com
Contact us at 1 800 745 9229
In Europe, at +44 (0) 20 7840 1300

Registrant:
DNS Admin
Google Inc.
1600 Amphitheatre Parkway
Mountain View CA 94043
US
*********@google.com +1.6502530000 Fax: +1.6506188571

Domain Name: 1e100.net

End partial quote.

Any info as to why this is being blocked?

Regards,

Chris

#2
MysteryFCM

This isn't an F/P I'm afraid. This IP is housing a plethora of Blackhole exploit sites.
Steven Burn
Research Engineer


#3
ottchris

MysteryFCM, on 18 February 2012 - 02:08 PM, said:

This isn't an F/P I'm afraid. This IP is housing a plethora of Blackhole exploit sites.

With respect, the above is less than helpful. I was in the middle of replying to my own post when your response appeared. Here is that reply:

Begin Quote.

The blocking events are still occurring and I should emphasize that they are not the direct result of any action on my part. Firefox has entered the scene with one event. According to the firewall log, one record matching a Malwarebytes blocking event is:

"18:10:13 RAINLENDAR2.EXE OUT TCP 209.85.147.104 443 *Allow Outbound TCP to HTTPS for RAINLENDAR2.EXE 939 4305"

Note the IP address is 209.85.147.104 whereas the Malwarebytes log reports the block as 209.85.147.105.

Google appears to be the common factor between the three applications involved; Chrome for obvious reasons, Rainlendar2 accesses Google Calendar and Firefox has Google Earth and Google Update Plugins installed.

One final piece of info and that is I use OpenDNS for name resolution.

End Quote.

When did Malwarebytes start blocking that IP address? Rainlendar2 runs on my system every day and the blocking only started this morning (as an aside and as it happens a scheduled full Malwarebytes scan took place last night and was clean).

Chris

#4
Dianno

The same IP was blocked for me too while just browsing YouTube.

#5
ottchris

Dianno, on 18 February 2012 - 02:29 PM, said:

The same IP was blocked for me too while just browsing youtube.

Good, evidence wise that is. Suggests that blocking that IP (or group of addresses?) is going to hit a number of Google services.

#6
MysteryFCM

The problem here is that it's not just a single domain, it's multiple domains. The block has been in effect since this morning as trying to reach Google is less than easy (e-mail bounces and/or is ignored (depending on the address it is sent to), phone numbers just tell you to e-mail them etc).

Once the malicious content is removed, the block will be removed. In the meantime, I'm still trying to reach Google.
Steven Burn
Research Engineer


#7
MysteryFCM

ottchris, on 18 February 2012 - 02:33 PM, said:

Good, evidence wise that is. Suggests that blocking that IP (or group of addresses?) is going to hit a number of Google services.

We're only blocking the single IP housing the content.
Steven Burn
Research Engineer


#8
ottchris

MysteryFCM, on 18 February 2012 - 02:43 PM, said:

The problem here is that it's not just a single domain, it's multiple domains. The block has been in effect since this morning as trying to reach Google is less than easy (e-mail bounces and/or is ignored (depending on the address it is sent to), phone numbers just tell you to e-mail them etc).

Once the malicious content is removed, the block will be removed. In the meantime, I'm still trying to reach Google.

Understood and fair enough. It doesn't appear critical for me at the moment but that may not be the case for others.

Many thanks,

Chris

#9
MysteryFCM

No problem.
Steven Burn
Research Engineer


#10
channeal

This is still a problem for me. The problem is that I cannot search for anything on Google... extremely annoying!

Chris.

#11
fletch

I get the same when opening the "HowToGeek" site.

#12
MysteryFCM

Whilst it is a Google IP, none of Google's services themselves are known to use it.

/edit

It looks like Google's admins are playing silly buggers now as the Google domains are now bouncing round various IPs on 209.85.147.0/24. I'll get this unblocked.
Steven Burn
Research Engineer
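
The mismatch raised in post #3 (firewall log shows .104, block alert shows .105) and the address rotation across 209.85.147.0/24 noted in post #12 can be checked by grouping firewall records per process against both the blocked address and the surrounding range. This is an added example, not code from the thread or from Malwarebytes; the field layout is inferred from the single log line quoted above, and every other log line is constructed.

```python
import ipaddress
from collections import defaultdict

# First line is the record quoted in post #3; the rest are constructed samples
# in the same layout. Field meanings are inferred from that one line.
SAMPLE_LOG = """\
18:10:13 RAINLENDAR2.EXE OUT TCP 209.85.147.104 443 *Allow Outbound TCP to HTTPS for RAINLENDAR2.EXE 939 4305
18:10:41 CHROME.EXE OUT TCP 209.85.147.105 443 *Allow Outbound TCP to HTTPS for CHROME.EXE 1021 5110
18:11:02 FIREFOX.EXE OUT TCP 209.85.147.99 80 *Allow Outbound TCP to HTTP for FIREFOX.EXE 611 2290
18:11:30 CHROME.EXE OUT TCP 192.0.2.10 443 *Allow Outbound TCP to HTTPS for CHROME.EXE 800 3000
"""

BLOCKED_IP = ipaddress.ip_address("209.85.147.105")  # address named in the thread
POOL = ipaddress.ip_network("209.85.147.0/24")       # range named in post #12


def parse_line(line):
    """Return (time, process, remote_ip, port), or None if the line is malformed."""
    parts = line.split()
    if len(parts) < 6:
        return None
    try:
        ip = ipaddress.ip_address(parts[4])
        port = int(parts[5])
    except ValueError:
        return None
    return parts[0], parts[1], ip, port


def triage(log_text, blocked=BLOCKED_IP, pool=POOL):
    """Per process: hits on the blocked IP vs. hits on its neighbours in the pool."""
    report = defaultdict(lambda: {"blocked": [], "same_pool": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        when, proc, ip, port = rec
        if ip == blocked:
            report[proc]["blocked"].append((when, str(ip), port))
        elif ip in pool:
            report[proc]["same_pool"].append((when, str(ip), port))
    return dict(report)


if __name__ == "__main__":
    for proc, hits in triage(SAMPLE_LOG).items():
        print(proc, hits)
```

Processes that appear only under `same_pool` are talking to the same address range but not to the blocked address itself, which is the pattern to expect when a service rotates across a shared range.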


#13
fletch

Thanks for the feedback




