  1. #1 Banyarola (Silver Lounger)

    How to find out what Malwarebytes is blocking?

    Every now and then I get a block warning from Malwarebytes and never can figure out what exactly was blocked.

    Here's a screen shot of one I just got.
    This particular one I always get when reading a certain newspaper.

    Any way to tell what is being blocked?


    IP-BLOCK 173.192.183.196 (Type: outgoing, Port: 52765, Process: iexplore.exe)
    "If You Are Reading This In English, Thank A VET"

  2. #2 RetiredGeek (Super Moderator)
    Banyarola,

    It would appear that something running in Internet Explorer is trying to call home on port 52765. What, I don't have a clue.
    May the Forces of good computing be with you!

    RG

    PowerShell & VBA Rule!


  3. #3 Banyarola (Silver Lounger)
    Well RG, it seems it only happens on certain sites, mostly the one newspaper I read online.
    I never installed anything from them and my system is clean.

    Now that I think of it, whenever Malwarebytes blocks something it is always outgoing.

    Maybe someone else that reads this post will have an answer...

  4. #4 Gold Lounger
    Originally Posted by Banyarola:

    Maybe someone else that reads this post will have an answer...
    Banyarola,
    Hello... maybe this attachment will help? Regards, Fred
    Attached Images: [image not reproduced]
    PlainFred

    None are so hopelessly enslaved as those who falsely believe they are free (J. W. Von Goethe)

  5. #5 2 Star Lounger

    Malwarebytes Support Forums

    And why are you not asking on the Malwarebytes Support Forums, which would seem to be the best place for an answer to your question !?
    For the BEST in what counts in Life :

    http://www.ctftoronto.com

  6. #6 Banyarola (Silver Lounger)
    Thanks Fred, I did that already.

    SW, the people on the MB forums are the same type of people as on here. I asked a question, I didn't ask for directions.

  7. #7 Tinto Tech (Lounge VIP)
    In addition to JPF's attachment, a lookup on mxtoolbox.com indicates that IP is newcheapline_dot_info (URL link obscured deliberately).

    Browsing to that under Linux rather than Windows (I might be daft sometimes, but I'm not entirely stupid!) reveals a login screen of a company by the name of RMM Online Advertising.

    I suspect the newspaper site you were reading was pushing adverts and was requesting data be sent back by Internet Explorer using the 52765 TCP/IP port. You could try opening the site in Chrome or Firefox to see if you get the same result and perhaps consider ad-blocking extensions.
    Last edited by Tinto Tech; 2011-11-06 at 17:53. Reason: for clarity on mxtoolbox

  8. #8 jscher2000 (Super Moderator)
    Originally Posted by Banyarola:
    Any way to tell what is being blocked?

    IP-BLOCK 173.192.183.196 (Type: outgoing, Port: 52765, Process: iexplore.exe)
    If Malwarebytes prevents the connection from happening, it probably does not have a copy of the request that would have been sent if the connection had been permitted.

    To find that information, you would need to look upstream toward the browser. Debugging tools such as Firebug or Microsoft's Fiddler2 proxy can capture all of the requests sent by the browser. Obviously, you may have to do some digging to find the one of interest.

    One complication is matching the IP address reported by Malwarebytes to the request. Unless the request was directed to the server at its IP address, you would need to translate between the IP address and the host name. Does Windows cache its DNS lookups somewhere?

    There probably is a tool that is aware of both the browser's requests and the requests that emanate from the operating system's IP stack in response to the request and can match them up, but I've never used one.
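
Windows does keep a client-side DNS cache, and `ipconfig /displaydns` dumps it. The script below is an added example for this thread (not Malwarebytes code, and not something any poster ran): it parses an IP-BLOCK alert, parses a cache dump in the `ipconfig /displaydns` layout, and lists every cached name, including CNAME aliases, that leads to the blocked address. The inputs are constructed: the alert line is the one from the first post, the newcheapline.info entry reflects the mxtoolbox finding later in the thread, and the `.test` names and 203.0.113.x / 198.51.100.x addresses are documentation ranges used only for illustration. Two caveats a practitioner would want: cache entries expire with their TTL, so run the dump soon after the alert, and a five-digit port like 52765 falls in the range Windows Vista and later use for the local end of outbound sockets, so the alert most likely names the source port, not the server's.

```python
"""Match a Malwarebytes IP-BLOCK alert to a hostname via the Windows DNS cache.

Added example for this thread, not Malwarebytes code. Both inputs are
constructed: the alert copies the first post, SAMPLE_DNS_CACHE mimics the
layout of `ipconfig /displaydns`. The .test names and 203.0.113.x addresses
are documentation ranges used purely for illustration.
"""
import re

# Alert text as it appears in the first post.
ALERT_RE = re.compile(
    r"IP-BLOCK\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*"
    r"\(Type:\s*(?P<type>\w+),\s*Port:\s*(?P<port>\d+),\s*Process:\s*(?P<process>[^)]+)\)"
)
# Field lines in `ipconfig /displaydns` look like "Record Name . . . . . : host".
RECORD_NAME_RE = re.compile(r"Record Name[ .]*:\s*(\S+)")
A_RECORD_RE = re.compile(r"A \(Host\) Record[ .]*:\s*(\S+)")
CNAME_RE = re.compile(r"CNAME Record[ .]*:\s*(\S+)")

# Windows Vista and later allocate the local (ephemeral) end of outbound
# sockets from this range, so 52765 is most likely the source port, not
# the server's port; the alert does not say whether that was 80 or 443.
EPHEMERAL_RANGE = range(49152, 65536)

SAMPLE_ALERT = "IP-BLOCK 173.192.183.196 (Type: outgoing, Port: 52765, Process: iexplore.exe)"

SAMPLE_DNS_CACHE = """\
Windows IP Configuration

    newcheapline.info
    ----------------------------------------
    Record Name . . . . . : newcheapline.info
    Record Type . . . . . : 1
    Time To Live  . . . . : 3271
    Section . . . . . . . : Answer
    A (Host) Record . . . : 173.192.183.196


    cdn-ads.example-news.test
    ----------------------------------------
    Record Name . . . . . : cdn-ads.example-news.test
    Record Type . . . . . : 5
    Time To Live  . . . . : 600
    Section . . . . . . . : Answer
    CNAME Record  . . . . : tracker.example-ads.test

    Record Name . . . . . : tracker.example-ads.test
    Record Type . . . . . : 1
    Time To Live  . . . . : 600
    Section . . . . . . . : Answer
    A (Host) Record . . . : 203.0.113.9
"""


def parse_alert(line):
    """Split an IP-BLOCK alert into ip, type, port, process; None if it is not one."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["port"] = int(alert["port"])
    alert["process"] = alert["process"].strip()
    alert["port_is_ephemeral"] = alert["port"] in EPHEMERAL_RANGE
    return alert


def parse_displaydns(text):
    """Return (a_records, cnames): name -> set of IPs, and alias -> target."""
    a_records, cnames, name = {}, {}, None
    for line in text.splitlines():
        m = RECORD_NAME_RE.search(line)
        if m:                        # a new record starts; remember whose it is
            name = m.group(1).rstrip(".").lower()
            continue
        m = A_RECORD_RE.search(line)
        if m and name:
            a_records.setdefault(name, set()).add(m.group(1))
            continue
        m = CNAME_RE.search(line)
        if m and name:
            cnames[name] = m.group(1).rstrip(".").lower()
    return a_records, cnames


def names_for_ip(ip, a_records, cnames):
    """Every cached name that leads to ip: A-record owners plus CNAME aliases of them."""
    found = {n for n, ips in a_records.items() if ip in ips}
    changed = True
    while changed:                   # follow alias chains back to the name the browser used
        changed = False
        for alias, target in cnames.items():
            if target in found and alias not in found:
                found.add(alias)
                changed = True
    return sorted(found)


def explain_alert(line, dns_cache_text):
    """Annotate an alert with the hostnames the cache says map to its IP."""
    alert = parse_alert(line)
    if alert is None:
        return None
    a_records, cnames = parse_displaydns(dns_cache_text)
    alert["hostnames"] = names_for_ip(alert["ip"], a_records, cnames)
    return alert


if __name__ == "__main__":
    print(explain_alert(SAMPLE_ALERT, SAMPLE_DNS_CACHE))
```

On a real machine you would feed `explain_alert` the text of `ipconfig /displaydns` captured right after the warning; once you have the hostname, the matching request is easy to pick out of a Fiddler or Firebug capture by its Host header, and `netstat -ano` run while the connection is open ties the local port back to the process ID.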

  9. #9 Banyarola (Silver Lounger)
    Originally Posted by jscher2000:

    There probably is a tool that is aware of both the browser's requests and the requests that emanate from the operating system's IP stack in response to the request and can match them up, but I've never used one.
    Well JS, thanks for the time and effort you took to reply but I think I won't bother trying to pursue because it's not that important and I really don't know what the heck you are talking about!

  10. #10 jscher2000 (Super Moderator)
    Just a footnote, then. Your browser sends a request to Windows for a page. Windows has to look up the corresponding IP address (DNS resolution), then it sends a connect request to the server. Only when the server accepts the connection is the actual request for the web page sent. (If you want to read up on this, look for info on the SYN-ACK handshake.)
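
The sequence described in that footnote, as an added example that is not part of the original thread: the function below performs the three steps in order (name resolution, TCP connect, and only then the HTTP request) against a throwaway listener on the loopback interface rather than any real site. Against a port with nothing listening, the connect fails and the function returns before a request is ever built, which is exactly why a tool that refuses the connection, as Malwarebytes does here, never has the URL to show you. The listener, the port-finding helper and the request text are all constructed for this illustration.

```python
"""Where an IP block sits in the browser's sequence: resolve, connect, request.

Added example for this thread, not code from any poster. It talks only to a
local loopback listener that it starts itself; nothing leaves the machine.
"""
import socket
import threading


def fetch_steps(host, port, path="/"):
    """Return the steps taken, in order, each paired with what it produced."""
    steps = []
    ip = socket.gethostbyname(host)                        # 1. DNS resolution
    steps.append(("dns", ip))
    try:
        sock = socket.create_connection((ip, port), timeout=2)  # 2. SYN, SYN-ACK, ACK
    except OSError as exc:
        steps.append(("connect", "failed: " + exc.__class__.__name__))
        return steps                                       # no request is ever built or sent
    steps.append(("connect", "ok"))
    request = "GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % (path, host)
    sock.sendall(request.encode())                         # 3. only now does the URL leave
    steps.append(("request", request.split("\r\n")[0]))
    reply = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        reply += chunk
    sock.close()
    steps.append(("response", reply.split(b"\r\n")[0].decode()))
    return steps


def start_listener():
    """One-shot HTTP responder on an ephemeral loopback port; returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)                                    # the server sees the full request line
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port():
    """A loopback port with nothing listening, to stand in for a refused connect."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    for step in fetch_steps("localhost", start_listener()):
        print(step)
    print("--- connect refused, so the request step never happens ---")
    for step in fetch_steps("localhost", closed_port()):
        print(step)
```

The first run prints dns, connect, request, response; the second stops after a failed connect. A proxy such as Fiddler sits between steps 1 and 3 and therefore sees the URL, whereas an IP filter acting at step 2 sees only the address and the local port, which is all the warning in this thread contains.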

  11. #11 Perrorist (Lounger)
    Whenever I see this type of message come up, I'm thankful I have MW working full-time. They nearly always occur when I've strayed onto a less than reputable site.

  12. #12 2 Star Lounger
    Originally Posted by Perrorist:
    Whenever I see this type of message come up, I'm thankful I have MW working full-time. They nearly always occur when I've strayed onto a less than reputable site.

    I use FF, almost exclusively, and a handful of standalone security tools as opposed to a suite. Comodo Dragon is VERY good at blocking suspect outbound or inbound requests.

    Better safe than sorry, so Web of Trust (WOT) is a must-have on any system I use. They don't know everything, but they do know a lot; I do ignore their advice, but rarely. You might try that and see how that site is rated and what WOT knows about it.

    And Google advanced search is invaluable in finding answers to obscure questions: ask "what is" and that IP address, which brings up a link to WHOIS, a database of all IPs, including contact information and the email addy for the webmaster. You can play with the results, honing them if you will, to find out more; there is a website attached to that address that you can search on too. Love puzzles.

    I used to use Whois a lot back in the days before spam filters got to be as good as they are, to track down spammers and email their webmaster. I don't do that anymore because I get a piece of spam only a couple of times a week these days; I got wiser about who I share information with as I got older, and those disposable email addresses are quite helpful too. :^)

  13. #13 New Lounger
    It's apparently something called Softlayer Technologies in Dallas. http://www.networksolutions.com/whoi...73.192.183.196

  14. #14 Banyarola (Silver Lounger)
    Well Perrorist, I occasionally get the message on reputable sites like newspapers, etc., and I only go to reputable sites.
