Prevx SOL is becoming paranoid...

Discussion in 'Prevx Releases' started by m00nbl00d, Apr 10, 2011.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    o_O

    For the last couple of days I can't access -https://spyeyetracker.abuse.ch... I get a refused connection error message.

    Today, I tried to access it again, but no luck. I tried entering it using this page -https://spyeyetracker.abuse.ch/news.php, just in case there was a problem with the main domain.

    All of a sudden I get a warning from Prevx saying...

    There's no such entry in my hosts file. o_O Why did Prevx SOL make this mistake? Is it common? o_O

    -edit-

    It seems the domain is being redirected to 127.0.0.1 -http://domaintoip.com/ip.php?domain=spyeyetracker.abuse.ch

    But, why did Prevx SOL detect such as being in my hosts file?
     
    Last edited: Apr 10, 2011
  2. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    I can't even connect to that site?

    TH
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yeah... there's an Error 102 (net::ERR_CONNECTION_REFUSED): The server refused the connection

    It turns out the domain is being redirected to 127.0.0.1. Today, for some reason, Prevx blocked access to it, giving the reason I provided above. Why? o_O My guess is that it got confused by the fact that the domain is being redirected to 127.0.0.1, but why say it's in my hosts file? :doubt:
     
  4. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Last edited: Apr 10, 2011
  5. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    They suffered DDOS attacks a few weeks back, it might be happening again.
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Well, it keeps stopping it for me. :eek:
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Could you email me your hosts file? I suspect there might be some entry in there that we aren't parsing properly.

    Thanks! :)
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I'm going to update it today... and will e-mail it tomorrow. In the meantime, I tried to access the spyeye tracker web site, which is still down. :( Obviously, Prevx still gave the same warning. But something odd happened! When I opened a new tab in Chromium, the SOL button turned red for a second or so... Is this behavior ever to be expected? :eek:

    I've never seen it happening before.

    -edit-

    By the way, could the issue with the hosts file have anything to do with the fact I don't map domains to 127.0.0.1, but 0.0.0.0?
     
  9. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    m00nbl00d, it's not just your settings. I'm seeing the same as you since the site came back online. From what I understand, this wrong entry can be removed from the hosts file oneself? How might this have happened? Could malware have made this as a malicious entry?
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Thanks for the heads up! :thumb: Finally the web site is up and running.

    Regarding the hosts file issue, now that the web site is back on-line, I'm not experiencing any issues. SOL doesn't block it.

    What happened before, was that -https://spyeyetracker.abuse.ch was being redirected to 127.0.0.1 on their own server. Not locally. For some reason, due to how Prevx SOL works, access to that web site (when it was still being redirected to 127.0.0.1) was being blocked. SOL interpreted it as being a local entry in the hosts file, hence blocking it.

    It's odd, though. I went to -http://www.malwarehash.com, which is a service by NoVirusThanks, which is currently down, and also mapped to 127.0.0.1 on their server, and SOL doesn't block access to it.

    What happens when you access -http://www.malwarehash.com ?
     
  11. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    I get a HOSTS file warning with 127.0.0.1 with malwarehash, even though I set all of them to 255.255.255.0 instead of 127.0.0.1 (malwarehash.com is not in my HOSTS file, btw).
    EDIT: I had this before with another site that was down.
     
  12. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    Yeah, I'm getting the same blocking for -malwarehash.com... not sure what is really the issue here? Can't see anything against deleting any hosts files, installing a fresh one, and seeing what happens? Can Prevx just fix it at their end?
    I've clicked to fix when encountering the block, but it just closes the browser and doesn't resolve the problem afaik.
     
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I'm still unclear about what the issue is here. Could someone send me their hosts file so that I can take a look? Prevx will detect any website being redirected (in the event that malware redirects a legitimate domain to a null address, for example), so you may receive warnings for websites that you have manually "blocked" in your hosts file.
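    As an added illustration (not code from Prevx or from anyone in this thread), the Python below separates the two cases the last few posts conflate: a name the local hosts file null-routes (a "HostsFile Block" in the product's wording) versus a name whose authoritative DNS itself answers 127.0.0.1, as spyeyetracker.abuse.ch and malwarehash.com did while down. The hosts sample is constructed; the set of addresses treated as null routes (including the 255.255.255.0 convention mentioned in post 11) is an assumption.

```python
import ipaddress
from typing import Dict, Set

# Addresses hosts-file block lists commonly point a name at. 255.255.255.0 is
# not a real null route but appears in this thread, so it is included as an
# assumption about that user's list.
NULL_ROUTE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1", "255.255.255.0"}

# Constructed sample hosts file, not a real hpHosts list: tabs, several names
# per line and trailing comments are exactly what a naive parser trips over.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1\tlocalhost
0.0.0.0   ads.example.test  tracker.example.test   # blocked on purpose
255.255.255.0 junk.example.test
"""


def parse_hosts(text: str) -> Dict[str, Set[str]]:
    """Map each lowercased hostname to the set of addresses the file assigns it."""
    table: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))  # normalise, reject junk
        except ValueError:
            continue
        for name in fields[1:]:
            table.setdefault(name.lower().rstrip("."), set()).add(addr)
    return table


def classify_redirect(domain: str, resolved: str, hosts: Dict[str, Set[str]]) -> str:
    """Explain why `domain` resolved to `resolved`.

    'hosts-file block': the hosts file maps the name to a null-route address.
    'upstream null route': the resolver returned such an address but the hosts
    file is silent about the name (the situation described in this thread).
    'normal': anything else.
    """
    addr = str(ipaddress.ip_address(resolved))
    local = hosts.get(domain.lower().rstrip("."), set())
    if local & NULL_ROUTE_ADDRESSES:
        return "hosts-file block"
    if addr in NULL_ROUTE_ADDRESSES:
        return "upstream null route"
    return "normal"
```

    A warning that names the hosts file should only fire on the first outcome; the second is worth a different message, since "Fix" has nothing local to remove.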
     
  14. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    Hi Joe... I tried to read up to get a better understanding, as I'm not very au fait with much of this, and the more I read the more confused I became about IPv6 etc. So, in a simple way for me to explain: while both of the above sites were down, I was seeing the SafeOnline tab telling me:
    IP Address: 127.0.0.1
    IP Verification: HighRisk HostsFile Block
    When I looked in \etc\, expecting only to find hpHosts, I found:
    1xHpHosts, 1xhosts.bak, 1xHosts.MVP, 1xhosts_Win_Original, lmhosts.sam... so it all looked more confusing... sorry! :D
    I have all these if you'd like me to send any, but I decided to reset the hosts file back to default, and now it seems ok, as when I try to access -malwarehash.com, although it's still down, I'm now not seeing a red SafeOnline tab. :)
     
  15. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hmm, interesting. I would still be curious as to what is in those files. I'm not sure if it would be a parsing issue or if the hosts file is actually trying to block the connection.

    Thanks for the help! :)
     
  16. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    I sent my HOSTS file to your email address :)
     
  17. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    What happens when each of the following buttons is clicked? Close? Ignore? Fix? See post #9.
     
  18. iNsuRRecTioN

    iNsuRRecTioN Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    303
    Location:
    Germany
  19. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I still haven't received a hosts file from anyone. Clicking "Fix" removes the entry from the hosts file, "Ignore" allows visitation to the website, and "Block" closes the page.
     
  20. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    Sorry Joe, I thought BoerenkoolMetWorst had sent one (I've been really busy the past week). I'll definitely send it later today (in about 10-12 hours). Thanks :)
     
  21. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
    Just sent (to prevxresearch) hosts.bak, didn't send hpHosts or 2 other files (only bytes..just info I think), but will send rest if you wish. Many thanks :)
     
  22. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    Hi, I sent it to your email address; I will resend it now in case you missed it ;)
     
  23. iNsuRRecTioN

    iNsuRRecTioN Registered Member

    Joined:
    Sep 5, 2003
    Posts:
    303
    Location:
    Germany
    Thanks Joe, but you mean "Close" closes the page, not "Block"... :D

    I think yet another one from Prevx 4... :D :cool: :p
     