Well I'd have to be if I were living in the wild wild west.
"Never attribute to malice that which can be explained by stupidity."
- Hanlon's Razor
Even the grown ups?
"It is easy to decipher extraterrestrial signals after deciphering Javascript and VB6 themselves.", ISanti
I'm a-Frida so.
"Never attribute to malice that which can be explained by stupidity."
- Hanlon's Razor
Yet no one writes to colonel?
"It is easy to decipher extraterrestrial signals after deciphering Javascript and VB6 themselves.", ISanti
Since yesterday afternoon ESET a/v has been reporting that it has blocked access to 7g6njejx.com, roughly every ten minutes. That domain name does not exist, but ESET also gives me the IP. The IP given cycles through five addresses - and every one points to Amazon on every IP check site I can find - specifically the Amazon in Ashburn, Virginia on amazonaws.com. It has three goes in every session to connect, and then ten minutes later tries another of the five IPs.
At first I thought it might be related to MS Outlook, as that downloads every ten minutes, but it isn't. I can't see anything likely in Task Manager either.
Anybody seen this before, or have any idea what is going on? Even if all my browsers are closed, it still keeps popping up - AND IT'S DRIVING ME CRAZY*!!!!!!
* Well, OK, crazier, then.
Running as a cron job?
Lou
If you can keep your head while those about you are losing theirs, perhaps you don't understand the situation.
No - first thing I checked.
I'm also using ESET and I got this pop up also. What the hell is going on?
I had exactly the same issue since today.
I ran a full ESET scan - nothing.
I ran a full Malwarebytes scan - nothing.
I ran a full Search&Destroy scan - nothing.
Yet the ESET popups about blocked access to 7g6njejx.com kept coming.
When I checked the ESET logs it reported this as a JS/Redirector.NDS trojan.
The traffic was caused by ExpressVPN executable in my case, specifically:
C:\Program Files (x86)\ExpressVPN\xvpnd\xvpnd.exe
I uninstalled ExpressVPN but the issue persisted.
I then remembered that ExpressVPN installs browser extensions and sure enough they were still present.
I removed the browser extensions and the popups stopped.
My concern is that none of the Antivirus/Malware checks found anything yet it was clearly happening.
So I am not sure whether my system is clean now.
Thanks for that - yesterday I upgraded ExpressVPN, and then used it for a couple of hours. I did not install the browser extensions, so I am now going to rip it out, and see what happens.
Yup - all gone! Thanks!
The reason I leapt at your conclusion that it was ExpressVPN is that when I went through all the s/w listed in ESET, ExpressVPN was the only one with an orange "May be dodgy" mark against it, instead of a green tick.
Annoyingly I still have four months yet to run on my subscription.
… but the 64K$ question is - why amazonaws.com?
Chris C-B wrote: … but the 64K$ question is - why amazonaws.com?
An easy way of getting IP numbers in the right countries? And since Netflix et al. also use Amazon themselves, they could shoot themselves in the foot if they blocked IP numbers indiscriminately.
amazonaws is a playground for hackers & phishers.
First thing to do would be to identify the process from which the request to the external IP is originating. Did you have any browser process open while checking your Task Manager? Because a simple periodic refresh on a web page would cause this kind of symptom.
"Five fruits and vegetables a day? What a joke!
Personally, after the third watermelon, I'm full."
I did a clean reboot, and touched nothing - just left it sitting there for ten minutes, and then - boom! That's how I knew it wasn't Outlook.
Anyway, all fixed now courtesy of Member 10451815.
Chris C-B wrote: At first I thought it might be related to MS Outlook, as that downloads every ten minutes
Depends, messages trying to access remote content?
MS Outlook borrows and directly executes a lot of code/libs from IE
- back in the older days that made Outlook an even bigger liability than IE itself (people were careful about visiting sites but not so much about opening email, which Outlook used IE to open remote content for)
Perhaps someone found something in that old pattern MS hasn't properly closed off yet?
For that reason I don't use Outlook as my mail client on my personal machines.
Yeah, I know it's quite nice (I use it on client machines where they've given me email),
in fact I reckon Outlook is a better client than Thunderbird, which I use,
but regardless, because of its poor security I won't let it near my own equipment.
As I mentioned above, I did a clean reboot, and just watched the screen for ten minutes, without opening anything. It still happened.
Now I have ripped out ExpressVPN with malice aforethought, all is well!
Sounds like a beacon.
There's a few ways to check this. Modern beacons shouldn't open a port unless it gets a response to that beacon, so the old netstat check doesn't mean as much as it used to.
Some suggestions:
- Check services and make sure that you don't have anything running that shouldn't be. This is MUCH harder on W10 than previous versions, since a lot of valid services have really sketchy names.
- Check the system Task Scheduler and see if any odd executables are set on, say, a 10 min repeating schedule.
- If your AV isn't picking anything up, you might want to run a rootkit scan against the system.
- You can also crack open MS SysInternals Process Explorer and start looking for signs of code injection in a privileged process. lsass has historically been a very common target for hackers.
"Never attribute to malice that which can be explained by stupidity."
- Hanlon's Razor
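
Added example (not code from the thread, ESET or ExpressVPN): a PowerShell triage script that covers the checks suggested in this reply and the earlier one about identifying the originating process. It looks for scheduled tasks repeating at roughly the observed 10 minute cadence, lists running services whose binary lacks a valid Authenticode signature, and samples outbound TCP connections to the AV-reported addresses so that each can be mapped to its owning process. The IP addresses in $SuspectHosts are constructed placeholders, to be replaced with whatever the AV log reports; the $WindowMinutes cadence and the 2 minute tolerance are assumptions based on the behaviour described in the thread. Run it from an elevated PowerShell prompt on Windows 10.

```powershell
# Added example, not from the thread. Triage a suspected periodic beacon on Windows 10.
# Placeholders: replace $SuspectHosts with the addresses your AV actually reported.
$SuspectHosts  = @('203.0.113.10', '203.0.113.11')   # constructed placeholder IPs
$WindowMinutes = 10                                   # cadence observed in the thread (assumption)
$Tolerance     = 2                                    # minutes of slack around that cadence (assumption)

# 1. Scheduled tasks with a repeating trigger close to the observed interval.
function Get-PeriodicTasks {
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        foreach ($trigger in $task.Triggers) {
            $interval = $trigger.Repetition.Interval      # ISO 8601 duration, e.g. PT10M
            if (-not $interval) { continue }
            $span = [System.Xml.XmlConvert]::ToTimeSpan($interval)
            if ([math]::Abs($span.TotalMinutes - $WindowMinutes) -le $Tolerance) {
                [pscustomobject]@{
                    Task     = "$($task.TaskPath)$($task.TaskName)"
                    Interval = $interval
                    Action   = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
                }
            }
        }
    }
}

# 2. Running services whose executable is missing or not validly signed.
#    Sketchy names are hard to judge by eye (as the reply notes), so check the binary instead.
function Get-UnsignedServices {
    Get-CimInstance Win32_Service | Where-Object { $_.State -eq 'Running' } | ForEach-Object {
        # Strip surrounding quotes and trailing arguments to recover the executable path.
        $exe = ($_.PathName -replace '^"([^"]+)".*', '$1') -replace '^(\S+\.exe).*', '$1'
        $status = if (Test-Path -LiteralPath $exe) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'NotFound' }
        [pscustomobject]@{ Service = $_.Name; Path = $exe; Signature = $status; Account = $_.StartName }
    } | Where-Object { $_.Signature -ne 'Valid' }
}

# 3. Sample outbound connections to the suspect addresses and map them to processes.
#    A blocked beacon only exists for a moment, so poll across one full cadence window.
function Watch-SuspectConnections {
    param([int]$Seconds = ($WindowMinutes + $Tolerance) * 60, [int]$PollEvery = 2)
    $deadline = (Get-Date).AddSeconds($Seconds)
    $seen = @{}
    while ((Get-Date) -lt $deadline) {
        Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
            Where-Object { $SuspectHosts -contains $_.RemoteAddress } |
            ForEach-Object {
                $key = "$($_.OwningProcess)|$($_.RemoteAddress):$($_.RemotePort)"
                if (-not $seen.ContainsKey($key)) {
                    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
                    $seen[$key] = [pscustomobject]@{
                        Time    = Get-Date
                        Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                        PID     = $_.OwningProcess
                        Process = $proc.ProcessName
                        Path    = $proc.Path
                    }
                }
            }
        Start-Sleep -Seconds $PollEvery
    }
    $seen.Values
}

'== Tasks repeating every ~{0} min ==' -f $WindowMinutes
Get-PeriodicTasks | Format-Table -AutoSize
'== Running services without a valid signature =='
Get-UnsignedServices | Format-Table -AutoSize
'== Processes that reached the suspect addresses (polling for one cadence window) =='
Watch-SuspectConnections | Format-Table -AutoSize
```

The third check is the one that would have pointed straight at xvpnd.exe in the thread's case, since it attributes the connection to a process path rather than relying on a name in Task Manager; the first two narrow down the persistence mechanism if the owning process turns out to be something that should not be there.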
I did all that before I posted. Anything I didn't know about, I did a web search for, and everything got a clean bill of health - and it only took just over two hours.
Anyway, Member 10451815 pointed me in the right direction, but many thanks for your contribution.
Got some web apps in Azure, everything, including key and access management, is fully automated.
I could delete an entire environment and automatically deploy it again and everything would work.
Except...
Custom domain names
I need to request two DNS records (A and TXT) so Azure can verify I'm the owner of the domain.
No way to automate that process and you can't have customers browse to company-myapp-prod.azurewebsites.net.
There's always something.
At my last job everything was fully automated, except some IP whitelisting to gain access to a third party application.
Well, if you've done the manual steps once it'll continue to work.
Just don't delete the environment.
It's almost really very good I guess
Once you put those records in your DNS server, they are there until deleted... unless you are doing new domain names...
If you can keep your head while those about you are losing theirs, perhaps you don't understand the situation.
Yeah, but if I delete a service and redeploy it I get a new IP address, so the DNS record needs to be updated.
So as long as I don't delete it everything is fine, except for that manual step I have to do at first-time deployment.
The diagnosis came completely out of the purple.
I've red about that - it made me feel blue.
Sent from my Amstrad PC 1640
Never throw anything away, Griff
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...
AntiTwitter: @DalekDave is now a follower!
Cheer up. Every cloud has a turquoise lining.
others see green....
"Rock journalism is people who can't write interviewing people who can't talk for people who can't read." Frank Zappa 1980