New connections to 62.189.194.207 ?

Discussion in 'Prevx Releases' started by CloneRanger, Nov 2, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Starting today I'm seeing LOTS of outgoings to 62.189.194.207. This did NOT happen before today!

    Anybody else seeing these and/or similar?

    Looking up 62.189.194.207 with WhoIs type tools I see All these!

    *

    LEADON-NET1-FEL-UK
    descr: Leadon Ltd
    descr: Feltham, UK
    country: GB

    ISG/IP Network Security
    address: MCI
    address: Reading International Business Park
    address: Basingstoke Road
    address: Reading
    address: Berkshire
    address: RG2 6DA
    address: GB

    Leadon Ltd
    address: 3 New Pride Place
    address: Derby DE248DZ
    address: gb

    Leadon Ltd
    address: Verizon Business-UK4 DataCent,Skayway Warehouse, Central Way
    address: Feltham TW14 0UD
    address: UK

    *

    Plus more info on here - http://www.wmtips.com/tools/info/?url=prevx.com

    Now I know my PSOL makes connections with your servers, for Various reasons :D But what I'd like to know is, why are ALL those companies listed as being in "some" way/s connected with Prevx?

    MCI is a telecomms company, so what's up with that?

    Who the devil is Leadon Ltd?

    Is Any/All of this due to the Webroot takeover?

    TIA
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ fav.gif
    Thanks, I see it is :thumb:

    *

    @ Prevx

    Still like to know about the other things :thumb:
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    None of this is related to Webroot - LeadOn is the previous parent company of Prevx. That address is one of a few IPs where the Prevx product will communicate out to - it is possible that you were on a different server before which was resulting in a different address.
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    OK

    OK

    OK

    So Prevx/Leadon Ltd servers were/are located at Verizon Business-UK4 DataCent = OK

    But, ISG/IP Network Security/MCI, Reading, Berkshire. I don't get that one?

    Aha, so you're saying it's related to my ISP's servers?

    I don't see how that could suddenly start making my PSOL initiate All those outbounds though? Unless it's similar to ALL the unknown outbounds I was seeing before, like this

    [screenshot: tw.gif]

    Why does it say Unknown if it's PSOL going to a Prevx IP?
     
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I'm not sure why the firewall would be unable to pick up that it is Prevx making the connection. I'd suspect that would just be a bug on the firewall itself rather than something else going wrong. As for the change in addresses, we are using both our own datacenters and the Amazon cloud for providing protection worldwide so some of the addresses/resolving may be dynamic because of the rather dynamic nature of the cloud architecture.
     
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    OK. Be nice if others could check their connections, FW etc. & see if they can track the unknowns down :thumb:
    OK. Amazon, hey!

    Thanks for your replies :thumb:

    Today I'm NOT seeing that IP or Unknown outbounds, or even ANY outbounds to ANY Prevx IPs? Weird or? So either my PSOL has mysteriously stopped working :D or since I posted about this, something's afoot behind the curtain ;)
     
  8. Fad

    Fad Registered Member

    Joined:
    Feb 25, 2009
    Posts:
    377
    Location:
    England
    I can confirm that I also had a connection out to Leadon Ltd. yesterday.

    It may have happened before and since, but I haven't been checking.
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I saw moments ago a connection to 62.189.194.211 (http://www.dshield.org/ipinfo.html?ip=62.189.194.211)

    I've come across this connection when checking something else with TCPView. TCPView correctly identifies the process making the connection as prevx.exe.

    -Edit-

    Not saying this is a bad or great thing. Just saying that TCPView correctly identifies the process starting the connection, unlike CurrPorts.
     
  10. Fad

    Fad Registered Member

    Joined:
    Feb 25, 2009
    Posts:
    377
    Location:
    England
    I'm also seeing that in TCPView, but it's not showing up as Prevx:

    [System Process] ...... 62.189.194.211
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Forgot that part. It also showed that, but I've also seen prevx.exe making the connection. Sorry for missing that part.
     
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Fad & m00nbl00d

    Thanks for the confirmations :thumb:

    I'm also using TCPView now ;)

    I've noticed quite a few outbounds to Akamai or whatever it's called too!

    Check ALL these outbound attempts :eek:

    [screenshot: out.gif]

    Not sure what they are ALL for?
     
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    These are normal - Prevx's servers are hosted in dozens of locations around the world and we use services like Akamai and Amazon's EC2 platform for improved redundancy to prevent outages :)
     
  14. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ PrevxHelp

    I hear you about Akamai etc., but what about ALL those blocked outbound attempts :eek:? Prevx is pretty aggressive in wanting out, don't you agree?
     
  15. Fad

    Fad Registered Member

    Joined:
    Feb 25, 2009
    Posts:
    377
    Location:
    England
    What is it that's blocking it from getting out?

    Are those repeated attempts a direct result of it being blocked somewhere, and it's trying repeatedly to make the connection it needs, hence the multiple attempts?
     
  16. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    Can Prevx reproduce these blocked attempts on their own test PCs?

    Best Regards
     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Well, Prevx needs to connect to the internet to scan and verify data... anything that would be blocking it will probably prevent it from working properly. One feature that it does have, however, is that it goes around to different Prevx servers if it can't reach the one it was initially trying to connect to, which is probably why you're seeing many connection attempts. However, I'd strongly recommend allowing Prevx through your firewall so that it can function properly :)
     
  18. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Not sure yet, still investigating ;)

    Well I never :D

    Yeah, pretty aggressive :D

    The thing is, I'm not purposely blocking it! Still investigating; if/when I discover what it is, I'll let you know.
     
  19. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Does Prevx scan alright for you? During a scan use your tools to check the connections then and report back! I don't see any blocking issues in my Router Firewall logs or in Look'N'Stop!

    TH

    [screenshot: Capture08-11-2010-1.55.35 PM.jpg]
     
    Last edited: Nov 8, 2010
  20. Fad

    Fad Registered Member

    Joined:
    Feb 25, 2009
    Posts:
    377
    Location:
    England
    Is there a list somewhere of these servers that Px connects to, as I can't seem to find one...

    Then they could be ruled out when trying to figure out what certain dubious-looking connections are.

    I have just seen this: ncsi.glbdns.microsoft.com (65.55.119.90)

    That doesn't seem to be a Px connection, going by the name alone :doubt:
     
  21. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Here are some! https://www.wilderssecurity.com/showthread.php?t=245177 Mine connected to 62.189.194.212

    TH
     
  22. Fad

    Fad Registered Member

    Joined:
    Feb 25, 2009
    Posts:
    377
    Location:
    England
    Thanks, I didn't even think of looking on here!

    I think the 79.125.xxx.xxx range is the amazonaws.com servers (?)

    I'm having IP address blindness, there's so many to look at. Maybe that connection to Microsoft above wasn't Px after all; I don't really know the best way of telling what's actually going on regarding these outbound connections.
     
  23. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Appears to.

    Here ya go. Closed FF first.

    *

    [System Process] 0 TCP o 3242 ec2-46-51-183-36.eu-west-1.compute.amazonaws.com:http http TIME_WAIT 92 1,503,526 1 459

    [System Process] 0 TCP o 3245 62.189.194.207:http http TIME_WAIT 1 16,829 2 2,340

    46.51.183.36 = ec2-46-51-183-36.eu-west-1.compute.amazonaws.com = WTF?

    62.189.194.207 = Leadon Ltd - ISG/IP Network Security - MCI = ISP: Verizon UK Limited as before.

    *

    Ooh, is that a bit naughty or what?
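    The [System Process] rows above are a Windows detail rather than a hidden connection: once a program closes a TCP socket the kernel keeps it in TIME_WAIT for a while with no owning process, so TCPView (and netstat -o) report PID 0 for it. As an added example, not from this thread or from Prevx, the Python script below parses TCPView-style rows like the two above, flags that case, and labels remote ends against the endpoints this thread names; the prevx.exe and svchost.exe rows and all PIDs and counters are constructed, and ncsi.glbdns.microsoft.com is labelled as the Windows Network Connectivity Status Indicator host, which is not stated in the thread.

```python
import re

# Constructed sample in TCPView's column layout. The two [System Process] lines
# are the ones quoted above; the prevx.exe and svchost.exe lines are invented
# for this example (PIDs and byte counters are made up).
SAMPLE = """\
[System Process] 0 TCP o 3242 ec2-46-51-183-36.eu-west-1.compute.amazonaws.com:http http TIME_WAIT 92 1,503,526 1 459
[System Process] 0 TCP o 3245 62.189.194.207:http http TIME_WAIT 1 16,829 2 2,340
prevx.exe 1234 TCP o 3250 62.189.194.211:http http ESTABLISHED 5 1,200 4 3,400
svchost.exe 900 TCP o 3260 ncsi.glbdns.microsoft.com:http http ESTABLISHED 2 310 2 144
"""
# Columns: process, PID, protocol, local addr, local port, remote:port, port name, state
LINE_RE = re.compile(
    r"^(?P<proc>\[[^\]]*\]|\S+)\s+(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+\S+\s+"
    r"(?P<lport>\d+)\s+(?P<remote>\S+):(?P<rport>\S+)\s+\S+\s+(?P<state>[A-Z_]+)"
)

# Endpoints named in this thread; the vendor reply calls these Prevx servers.
PREVX_IPS = {"62.189.194.207", "62.189.194.211", "62.189.194.212"}

def classify_endpoint(remote: str) -> str:
    """Label the remote side using only what the thread establishes."""
    if remote in PREVX_IPS:
        return "prevx-server"
    if remote.endswith(".compute.amazonaws.com"):
        return "amazon-ec2"           # vendor says much of Prevx runs on EC2
    if remote == "ncsi.glbdns.microsoft.com":
        return "windows-ncsi-probe"   # Windows connectivity check, not Prevx
    return "unattributed"             # needs a real look, not an allow-list entry

def owner_of(proc: str, pid: int, state: str) -> str:
    # Once a process closes a TCP socket the kernel keeps it in TIME_WAIT for
    # a while with no owning process, so TCPView/netstat report PID 0 here.
    if pid == 0 and state == "TIME_WAIT":
        return "closed-by-process (PID 0 in TIME_WAIT is expected)"
    return proc

def parse(text: str) -> list:
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # skip headers or garbled rows
        pid = int(m["pid"])
        rows.append({"proc": m["proc"], "pid": pid, "remote": m["remote"],
                     "state": m["state"], "owner": owner_of(m["proc"], pid, m["state"]),
                     "endpoint": classify_endpoint(m["remote"])})
    return rows
```

    Anything that comes back "unattributed" is what deserves a whois and a look at the owning process while the connection is still ESTABLISHED, before it drops into TIME_WAIT and loses its PID.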
     
  24. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This is normal - a large portion of Prevx is hosted in the Amazon platform.

    It's just an incompatibility with the ISA firewall in the underlying communication libraries of Prevx which requires a pass-through :)
     
  25. Fad

    Fad Registered Member

    Joined:
    Feb 25, 2009
    Posts:
    377
    Location:
    England
    Is this anything to do with Prevx?

    ncsi.glbdns.microsoft.com (65.55.119.90)

    If it isn't, I need to find out what's causing it. :doubt:
     