Author Topic: Threat blocked, how to find out what program or browser is trying to access web  (Read 3683 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33582
  • malware fighter
L.S.,

One of the oldest tricks in the book, DNS manipulation and therefore abuse is blacklisted:
https://github.com/NethServer/dns-community-blacklist/blob/master/adguarddns.dns
and failed to load the resource, getting a 403 from cloudflarenet.us ->https://urlscan.io/ip/2606:4700:3034::6815:2feb

Address only resolves from Jacksonville, USA, as 104.21.47.235 and 172.67.174.123 and servers from Berlin, Madrid in Spain, Stockholm Sweden, Copenhagen, Kuala Lumpur, Bangkok, Buenes Aires, Lagos Nigeria. That is all we know, wait for a final verdict from Avast Team, they command their detections and flag and blacklist.

polonus (volunteer third party cold reconnaissance website security analyst and website error-hunter)
« Last Edit: July 16, 2022, 04:33:10 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline joesampson69

  • Newbie
  • *
  • Posts: 9
There have been 8 new threats blocked all from a new url koocoofydotcom url:phishing. Thats a total of 18 so far in about 24 hours.
sitecheck.sucuri.net/results/koocoofy.com/boajdtd.json


At the bottom of the threat warnings there is an Alert ID. That says the support team can use to these to better understand my alerts. Is this just for Avasts internal use or can they use to help pinpoint my issues?

These are the alert id's for some of these new threats
4fec997ce794/2022-07-16T21:30:41.921Z
6a5462f7a18d/2022-07-16T21:30:42.309Z
6d803819c401/2022-07-16T21:30:42.467Z
3b391982963c/2022-07-16T21:30:43.078Z


Thank you to everyone who has helped!!!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 87085
  • No support PMs thanks
To those who have responded in this topic these id's are of no help, it may be of help to members of the Virus Labs Team, but their activity in the forums is limited.  As Avast Users we are limited in what we can do.

However, something is using your browser to connect to these malicious (or so avast thinks) sites.  Which is why I suggest you check your extensions/add-ons or a browser reset. 

I can only guess you haven't tried either ?
- another option would to run the browsers extensions/add-ons disabled.
See - https://www.google.co.uk/search?q=how+to+run+chrome+with+extensions+disabled
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.10.6038 (build 22.10.7633.734) UI 1.0.733/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33582
  • malware fighter
That IP was also blocked by Sophos as given here: https://www.abuseipdb.com/check/139.45.197.151
Re: https://www.shodan.io/host/139.45.197.151

7 av-vendors to detect: https://www.virustotal.com/gui/url/58dac947fe476c6ca252992fe16b2399d350a2d4e2796a65a28f26f1acd90ce1?nocache=1

Quite some domain range to check and eventually block;
see: : https://api.hackertarget.com/reverseiplookup/?q=139.45.197.151

Another malicious one: https://www.virustotal.com/gui/domain/watchmytopapp.top (flagged by Heimdahl).
Not scanned: https://sitecheck.sucuri.net/results/watchmytopapp.top

RETN Limited should watch their domains and accordingly should be watched by security solutions for abuse.

polonus
« Last Edit: July 17, 2022, 04:04:14 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!