

199.27.135.184 & 141.101.124.185


27 replies to this topic

#1 daledoc1


Posted 13 April 2012 - 01:34 PM

Hi:

For past few days, getting occasional (few times per day) IP blocks to the same 2 IPs.

Yesterday and early this AM, I had Firefox 11 open to THIS website (MBAM forums) & to my home page (www.huffingtonpost.com):
199.27.135.184 (port 59615, process avp.exe)
141.101.124.185 (port 59617, process avp.exe)
I assumed it might be some ad content on huffpost, even though I run ABP and NoScript.

Just now, the only browser tab open was this MBAM forums page, so that eliminates huffpost as the source:
199.27.135.184 (port 58894, process avp.exe)
141.101.124.185 (port 589946, process avp.exe)

Blocks do not occur without browsers open, and have only started within the past day or so.
I can have a tab open for this website for several hours without a block occurring.
I noticed a similar block on my laptop a few days ago on the same sites, but assumed at the time it was also ad content on huffpost.
I have not powered up the system in a few days to re-evaluate if it's the same IPs.

Scans with MBAM, KIS2012 and SAS are all clean.
No symptoms of infection.
Both rigs are fully patched.
No new software or firefox extensions.
I am behind a hardware firewall, as well.

Will fire up the laptop to see if it's the same detections/blocks.

Please advise.

Thanks!

daledoc1



Just a home user & forum volunteer
DT1: Win7/Ult/64 SP1; Intel Core i7-3770 @3.4 GHz; 16 GB RAM; NVidia GeForce GT620; IE9; Fx 21.0; TB 17.0.6; Cable HSI; MBAM PRO 1.75.0.1300; KIS2013; SAS Free; CCleaner
DT2: Win7 Ult/64 SP1; Intel Core i7-860 @2.8 GHz; 8 GB RAM; ATI Radeon HD 5770; IE 9, Fx 21.0; TB 17.0.6; Cable HSI; MBAM PRO 1.75.0.1300; KIS2013; SAS Free; CCleaner.
LT: Win7 Pro/32 SP1; Intel Core 2 Duo @2.8 GHz; 4 GB RAM; NVIDIA Quadro NVS 160M; IE 9; Fx 21.0; TB 17.0.6; WLAN; MBAM PRO 1.75.0.1300; KIS2013; SAS Free; CCleaner.

#2 MysteryFCM


Posted 13 April 2012 - 01:36 PM

It's not an F/P and is being worked on.
Steven Burn
Research Engineer


#3 daledoc1


Posted 13 April 2012 - 01:41 PM

Hi, MysteryFCM:

Thanks for the quick reply.

Sorry, but I don't quite understand your reply. :(

If it's NOT a FP, do I need to do anything further?
(TCPview didn't reveal anything.)

#4 MysteryFCM


Posted 13 April 2012 - 02:01 PM

If you're loading sites on those IPs yourself, you likely needn't worry. Else, I'd suggest getting it checked just in case.

#5 daledoc1


Posted 13 April 2012 - 02:30 PM

OK, thanks.
Have submitted a ticket to the help desk.

But, just curious: what did you mean when you said it "is being worked on"?

#6 MysteryFCM


Posted 13 April 2012 - 02:34 PM

I'm trying to work with CloudFlare.

#7 daledoc1


Posted 13 April 2012 - 02:46 PM

Ahhh, now I (think I) understand. :blink:
Or, as they used to say: "I see," said the blind (wo)man, as (s)he picked up his/her hammer and SAW! :lol:

I hadn't been following all those "CloudFlare" FP threads.

Oddest thing, though, is that I'm pretty sure at least one of the times I got the block, the ONLY tab/site I had loaded was the MBAM forum page.

Well, I'll see what the helpdesk says when they review my scan logs.

Thanks for your time and expertise and patience!

daledoc1

#8 MysteryFCM


Posted 13 April 2012 - 02:48 PM

No problem.

#9 dlewbell


Posted 13 April 2012 - 05:53 PM

I just received the same IP block through Firefox:
141.101.124.185 (Type: outgoing, Port: 50869, Process: firefox.exe)
199.27.135.184 (Type: outgoing, Port: 50870, Process: firefox.exe)
These showed up with only Facebook & Cracked open at the time.
I also had a third one that I've found through a quick check:
184.82.146.118 (Type: outgoing, Port: 65506, Process: firefox.exe)
I've seen them show up before, but just now thought to check on it.
For what it's worth, I'm running Windows 7, & using Firefox with Adblock Plus. I'm on a Sony computer & haven't taken the time to remove all of the default Sony software yet.

#10 Rompin Raider


Posted 14 April 2012 - 09:19 AM

I get the same issue every time I open the Chrome browser without selecting anything else. As you said, it started a few days ago. Thanks
Win 7 SP1x64: WSA Complete
MBAM-Pro/Chrome/FF

#11 sperril


Posted 16 April 2012 - 12:54 PM

You are probably running Adblock and are using Fanboy's list as one of your filters. Adblock is attempting to update the list which is causing the response by mbam. Until this is sorted out, I would suggest using a different filter.

#12 daledoc1


Posted 16 April 2012 - 01:21 PM

sperril, on 16 April 2012 - 12:54 PM, said:

You are probably running Adblock and are using Fanboy's list as one of your filters. Adblock is attempting to update the list which is causing the response by mbam. Until this is sorted out, I would suggest using a different filter.

Hello and welcome, sperril:

Yes, I think you may be on to something!

Yes, I do run ABP with Fanboy's filter list as one of my subscriptions in Fx on both my rigs.
Although neither Fx nor my extensions themselves are configured to auto-update, I suspect you might be correct and ABP is trying to phone home to update the filters (in this case, Fanboy's list).

This would also explain the highly intermittent nature of the block (no more than a few times in 24 hours), why it seems not to matter what website is loaded, and why even Chrome users are experiencing this (I think there is an ABP extension for Chrome)?

All scans on both computers are clean and there are no other suggestions of infection.
Moreover, this all started with the CloudFlare "issue" a week or so ago.

I hope this might be the key our MBAM pros need to unravel and resolve this.

Thanks!

daledoc1

#13 sperril


Posted 16 April 2012 - 01:33 PM

daledoc1, on 16 April 2012 - 01:21 PM, said:

Hello and welcome, sperril:

Yes, I think you may be on to something!

Yes, I do run ABP with Fanboy's filter list as one of my subscriptions in Fx on both my rigs.
Although neither Fx nor my extensions themselves are configured to auto-update, I suspect you might be correct and ABP is trying to phone home to update the filters (in this case, Fanboy's list).

This would also explain the highly intermittent nature of the block (no more than a few times in 24 hours), why it seems not to matter what website is loaded, and why even Chrome users are experiencing this (I think there is an ABP extension for Chrome)?

All scans on both computers are clean and there are no other suggestions of infection.
Moreover, this all started with the CloudFlare "issue" a week or so ago.

I hope this might be the key our MBAM pros need to unravel and resolve this.

Thanks!

daledoc1

You can, of course, verify this by performing a manual update of your adblock filters and check to see how mbam responds.

With your browser's pane selected, use Ctrl-Shift-F to open up your filters list. From the "actions" dropdown next to your filter, select "update filters." Then see how mbam responds. You may also note that the filter list shows the last download and the results of the last update attempt. Failed downloads are a good sign that something is getting blocked.

#14 MysteryFCM


Posted 16 April 2012 - 01:48 PM

Just a note, guys. Fanboy's filter is the cause of the alerts, for those using it, but it's not the cause of the blocks being in place in the first place. That's an entirely different and unrelated issue.

#15 sperril


Posted 16 April 2012 - 01:58 PM

MysteryFCM, on 16 April 2012 - 01:48 PM, said:

Just a note, guys. Fanboy's filter is the cause of the alerts, for those using it, but it's not the cause of the blocks being in place in the first place. That's an entirely different and unrelated issue.

Right on. I guess I should have made that more clear. Nothing wrong at all with Fanboy's filter.

The problem is that the update attempts are going through Cloudflare.

And thanks for sticking to your guns on this issue.

#16 daledoc1


Posted 16 April 2012 - 02:22 PM

I see!

So, if I understand all of this correctly, until the CF issue is resolved, we need to proceed with one of several options:
1) Ignore the IP blocks for now; or
2) Disable Fanboy's list in ABP for now; or
3) Turn off auto-updating in ABP (which I think might disable auto-updating of the other filter subscriptions?); or
4) Unsubscribe from Fanboy's list in ABP for now (resubscribe after the CF issue is resolved)?

Thanks all,

daledoc1 (relieved that "problem is not with your TV set", as they used to say :D )


#17 daledoc1


Posted 17 April 2012 - 03:18 PM

Update:

Well, I tried merely disabling the Fanboy filter sub within ABP in Fx.

However, when I powered up my desktop system today, shortly after opening Fx to my home page, I got another block at the same IPs as previously.
When I checked in Fx -> ABP -> options, sure enough, not only had the Easy List (successfully) updated, but Fanboy's list had made an unsuccessful update attempt with a time stamp that matches the IP block.

UGH.

So, I have uninstalled the Fanboy list & will stick with the other filter subscription for now, until this CF issue is sorted.
I can certainly tolerate the occasional IP block, since I know the origin thereof.
It is, however, rather annoying.
I sure hope Fanboy will consider moving from CF or finding another suitable solution.

Fingers crossed,

daledoc1
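
The check described in posts #13 and #17 (matching the time of a failed filter-list update against the time of an IP block), sketched as an added example that is not part of the original thread. The record layouts, timestamps and the 30-second window are constructed assumptions, not MBAM or ABP log formats.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records; only the IPs and process name come from the thread.
# (timestamp, blocked IP, process) as copied by hand from the protection log
BLOCKS = [
    ("2012-04-17 15:02:11", "199.27.135.184", "firefox.exe"),
    ("2012-04-17 15:02:12", "141.101.124.185", "firefox.exe"),
    ("2012-04-17 18:40:03", "184.82.146.118", "firefox.exe"),
]
# (timestamp, subscription, result) as shown in the ad blocker's filter list view
UPDATES = [
    ("2012-04-17 15:02:09", "EasyList", "ok"),
    ("2012-04-17 15:02:10", "Fanboy's List", "failed"),
]


def correlate(blocks, updates, window=timedelta(seconds=30)):
    """Split blocks into those that coincide with a failed update and the rest.

    A block is 'explained' when at least one failed subscription update
    happened within `window` of it; everything else still needs a look.
    """
    failed = [(datetime.strptime(ts, FMT), name)
              for ts, name, result in updates if result == "failed"]
    explained, unexplained = [], []
    for ts, ip, proc in blocks:
        when = datetime.strptime(ts, FMT)
        hits = sorted({name for t, name in failed if abs(when - t) <= window})
        if hits:
            explained.append((ip, proc, hits))
        else:
            unexplained.append((ip, proc))
    return explained, unexplained


if __name__ == "__main__":
    explained, unexplained = correlate(BLOCKS, UPDATES)
    for ip, proc, subs in explained:
        print(f"{ip} ({proc}): coincides with failed update of {', '.join(subs)}")
    for ip, proc in unexplained:
        print(f"{ip} ({proc}): no failed update nearby, investigate separately")
```

A block that lands in the unexplained list is the case MysteryFCM's advice in post #4 covers: traffic you did not knowingly initiate is worth getting checked.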

#18 fivealive


Posted 17 April 2012 - 03:39 PM

Turns out this was my issue as well: the Fanboy filter for ABP.

#19 MysteryFCM


Posted 18 April 2012 - 10:29 AM

Just a note folks, the blocks have been temporarily removed, at least until the report is finished.

#20 daledoc1


Posted 18 April 2012 - 02:25 PM

MysteryFCM, on 18 April 2012 - 10:29 AM, said:

Just a note folks, the blocks have been temporarily removed, at least until the report is finished.

Thanks, MysteryFCM:

I had already uninstalled the FB filter list from ABP in both Fx and TB on both my rigs.
(That halted the IP blocks, even before you removed the block.)

I guess I'll wait a while longer for the dust to settle before resubscribing to Fanboy's filter subscription.

Thanks VERY MUCH for your time and effort to get this sorted,

daledoc1




