
IP-BLOCK 209.85.147.105



#1 ottchris


Posted 18 February 2012 - 07:59 AM

209.85.147.105 being blocked this morning. Apps involved are Rainlendar and Chrome.

Reverse Lookup gives:
209.85.147.105 PTR record: bru01m01-in-f105.1e100.net. [TTL 86400s] [A=209.85.147.105]

Whois 1e100.net gives:


MarkMonitor is the Global Leader in Enterprise Brand Protection.

Domain Management
MarkMonitor Brand Protection™
AntiFraud Solutions
Corporate Consulting Services

Visit MarkMonitor at www.markmonitor.com
Contact us at 1 800 745 9229
In Europe, at +44 (0) 20 7840 1300

Registrant:
DNS Admin
Google Inc.
1600 Amphitheatre Parkway
Mountain View CA 94043
US
*********@google.com +1.6502530000 Fax: +1.6506188571

Domain Name: 1e100.net

End partial quote.

Any info as to why this is being blocked?

Regards,

Chris

#2 MysteryFCM


Posted 18 February 2012 - 02:08 PM

This isn't an F/P I'm afraid. This IP is housing a plethora of Blackhole exploit sites.

Steven Burn

Malware Intelligence Analyst




#3 ottchris


Posted 18 February 2012 - 02:29 PM

This isn't an F/P I'm afraid. This IP is housing a plethora of Blackhole exploit sites.


With respect, the above is less than helpful. I was in the middle of replying to my own post when your response appeared. Here is that reply:

Begin Quote.

The blocking events are still occurring and I should emphasize that they are not the direct result of any action on my part. Firefox has entered the scene with one event. According to the firewall log, one record matching a Malwarebytes blocking event is:

18:10:13 RAINLENDAR2.EXE OUT TCP 209.85.147.104 443 *Allow Outbound TCP to HTTPS for RAINLENDAR2.EXE 939 4305

Note the IP address is 209.85.147.104 whereas the Malwarebytes log reports the block as 209.85.147.105.

Google appears to be the common factor between the three applications involved; Chrome for obvious reasons, Rainlendar2 accesses Google Calendar and Firefox has Google Earth and Google Update Plugins installed.

One final piece of info and that is I use OpenDNS for name resolution.

End Quote.

When did Malwarebytes start blocking that IP address? Rainlendar2 runs on my system every day and the blocking only started this morning (as an aside and as it happens a scheduled full Malwarebytes scan took place last night and was clean).

Chris

#4 Dianno


Posted 18 February 2012 - 02:29 PM

The same IP was blocked for me too while just browsing youtube.

#5 ottchris


Posted 18 February 2012 - 02:33 PM

The same IP was blocked for me too while just browsing youtube.


Good, evidence wise that is. Suggests that blocking that IP (or group of addresses?) is going to hit a number of Google services.

#6 MysteryFCM


Posted 18 February 2012 - 02:43 PM

The problem here is that it's not just a single domain, it's multiple domains. The block has been in effect since this morning, as trying to reach Google is less than easy (e-mail bounces and/or is ignored (depending on the address it is sent to), phone numbers just tell you to e-mail them, etc.).

Once the malicious content is removed, the block will be removed. In the meantime, I'm still trying to reach Google.

Steven Burn

Malware Intelligence Analyst




#7 MysteryFCM


Posted 18 February 2012 - 02:43 PM

Good, evidence wise that is. Suggests that blocking that IP (or group of addresses?) is going to hit a number of Google services.


We're only blocking the single IP housing the content.

Steven Burn

Malware Intelligence Analyst




#8 ottchris


Posted 18 February 2012 - 02:59 PM

The problem here is that it's not just a single domain, it's multiple domains. The block has been in effect since this morning, as trying to reach Google is less than easy (e-mail bounces and/or is ignored (depending on the address it is sent to), phone numbers just tell you to e-mail them, etc.).

Once the malicious content is removed, the block will be removed. In the meantime, I'm still trying to reach Google.


Understood and fair enough. It doesn't appear critical for me at the moment but that may not be the case for others.

Many thanks,

Chris

#9 MysteryFCM


Posted 18 February 2012 - 03:02 PM

No problem.

Steven Burn

Malware Intelligence Analyst




#10 channeal


Posted 19 February 2012 - 10:43 AM

This is still a problem for me. The problem is that I cannot search for anything on Google......... extremely annoying!

Chris.

#11 fletch


Posted 19 February 2012 - 12:55 PM

I get the same when opening the "HowToGeek" site.

#12 MysteryFCM


Posted 19 February 2012 - 01:01 PM

Whilst it is a Google IP, none of Google's services themselves are known to use it.

/edit

It looks like Google's admins are playing silly buggers now as the Google domains are now bouncing round various IPs on 209.85.147.0/24. I'll get this unblocked.

Steven Burn

Malware Intelligence Analyst




#13 fletch


Posted 19 February 2012 - 01:08 PM

Thanks for the feedback
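
The mismatch raised in post #3 (firewall record to 209.85.147.104, block logged for 209.85.147.105) and the rotation across 209.85.147.0/24 described in post #12 can be checked by sorting firewall records against the blocked address and its range. This is an added example, not part of the original thread: only the first log line comes from the thread, the remaining lines are constructed, and the names `classify` and `triage` are hypothetical.

```python
import ipaddress
import re

BLOCKED_IP = ipaddress.ip_address("209.85.147.105")   # single blocked address from the thread
SHARED_NET = ipaddress.ip_network("209.85.147.0/24")  # range named in post #12

# Line 1 is the record quoted in post #3. The other lines are constructed samples
# in the same layout: time, process, direction, protocol, remote IP, remote port, rule.
FIREWALL_LOG = """\
18:10:13 RAINLENDAR2.EXE OUT TCP 209.85.147.104 443 *Allow Outbound TCP to HTTPS for RAINLENDAR2.EXE 939 4305
18:10:14 CHROME.EXE OUT TCP 209.85.147.105 443 *Allow Outbound TCP to HTTPS for CHROME.EXE 512 2048
18:10:15 FIREFOX.EXE OUT TCP 209.85.147.99 80 *Allow Outbound TCP to HTTP for FIREFOX.EXE 300 1200
18:10:16 CHROME.EXE OUT TCP 192.0.2.10 443 *Allow Outbound TCP to HTTPS for CHROME.EXE 100 400
not a firewall record
"""

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<proc>\S+)\s+(?P<dir>IN|OUT)\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<ip>\S+)\s+(?P<port>\d+)\b"
)

def classify(ip_text):
    """Place one remote address relative to the block entry."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unparsed"
    if ip == BLOCKED_IP:
        return "blocked"        # exact match: the block entry fires
    if ip in SHARED_NET:
        return "same-/24"       # neighbour address: allowed now, may rotate onto the block
    return "unrelated"

def triage(log_text):
    """Group (process, ip, port) tuples by verdict; malformed lines are skipped."""
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        verdict = classify(m["ip"])
        report.setdefault(verdict, set()).add((m["proc"], m["ip"], int(m["port"])))
    return report

if __name__ == "__main__":
    for verdict, conns in sorted(triage(FIREWALL_LOG).items()):
        for proc, ip, port in sorted(conns):
            print(f"{verdict:10} {proc:16} {ip}:{port}")
```

Processes that appear under both "blocked" and "same-/24" are the ones whose destination is moving around the range, which is the pattern to look for before treating a single-IP block as a false positive.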



