[SOLVED] Network and VPN question

GrenPa (Well-known member, joined Jan 14, 2017, 55 posts)
Hello Guys & Gals,

I have a strange question or two and hope someone may know the answer.

I use PureVPN at times and I have a network issue.

When I open PureVPN (open, not connect to a server) it tries to access 94.100.17.251:8.
Then my Malware protection blocks it.

I have spent about an hour trying to find out from PureVPN chat why it keeps trying to connect to that ip.
They do not seem to understand and keep telling me to connect to a different server.
I told them I am not trying to connect to a server; I am simply opening their software to get ready to choose and connect to a server.

They told me go into my network settings and change dns to manually set dns server.
They said that would fix my connection trouble and allow me to connect.
I told them I do not have a problem connecting and that I am simply trying to find out why their software keeps trying to connect to 94.100.17.251:8 when it is first opened.

When PureVPN is not open or running I never get blocked warnings about that IP, but when I open PureVPN, within a second of opening it I get a blocked-IP warning for 94.100.17.251:8 in my protection software, Malwarebytes 3.
I finally gave up on the chat with them as they kept telling me to try a different server which is not my issue.

So my question(s) are:

Can there be some hidden setting from malware that only tries to access the web at 94.100.17.251:8 when the PureVPN software is opened?
Since it is being blocked I am guessing maybe it is malware related but I can't find much of anything when I google.
I never have the block warning until purevpn is first opened.

So should I be concerned about something trying to access this IP, 94.100.17.251:8, every time, or should I not worry about it?
Should I leave the block in place since purevpn staff have no clue about my question/issue?

Thanks in advance
GrenPa
 
As seen here, that IP address goes to Swiftway.net which appears to be a legitimate service provider in Europe. Does that help shed some light on the issue?

Hello Digerati,

Yes it does help me a great deal as my knowledge does not cover networking and network traffic.
Since you say it is legit I will add an exception to my security software not to block that IP.
I know that when the IP gets blocked I can never connect to one server in the Netherlands.

Thanks so much for your help and knowledge, I really appreciate it.
Have a Great weekend.
Gren
 
I would suggest you consider contacting Swiftway.net and see what insights, if any, they can provide. My guess is that Swiftway.net is a contracted provider of VPN services. After all, it's highly unlikely that PureVPN owns and operates any of the geolocated servers you're using as a PureVPN customer. As for the connection being requested/established prior to making your request to connect to a specific server, perhaps it has something to do with the software trying to establish a connection, outside of your use of it as a VPN, to the server you last used (?). It doesn't appear to me that port 8 has a hard-and-fast protocol and/or use, so I can't help you tie port 8 to any specific program. Speaking of a program, do you think you could figure out what program is requesting that access? I know you said that the MalwareBytes pop-up appears ONLY after you start the PureVPN software, but, as you yourself suggested, the unauthorized/unknown access may be something malicious (hence the MalwareBytes pop-up) outside of the PureVPN software. A good program for this task is CurrPorts by NirSoft.net. It's free and, as far as I'm concerned, safe. You might find this helpful.
 
Hey,

Thanks for the info it is excellent.

I downloaded and ran CurrPorts and turned on logging and auto refresh every second.
But it did not help; it logged info but not the issue with the one IP when I open PureVPN.
Malwarebytes triggered again and blocked the IP yet again.
In Malwarebytes I checked the log and then exported the event and it came back with something that makes no sense.
I pasted it below this line so you can see; it will be in quotes and italics.

"-Log Details-
Protection Event Date: 2/11/17
Protection Event Time: 7:00 PM
Logfile:
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.50
Update Package Version: 1.0.1237
License: Premium

-System Information-
OS: Windows 8.1
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Domain:
IP Address: 94.100.17.251
Port: [8]
Type: Outbound
File:

"

As you can see, near the bottom of the export it lists no file name; that is from inside Malwarebytes.
But CurrPorts does not register any event for that IP.

I will keep trying, maybe contact them to see what's up. PureVPN says their software does not contact that IP, yet it only happens when I open PureVPN (open, not connect to a server).

Anyways, thanks for the help, I really appreciate it.
I am currently googling to see if I can find some other logging program to narrow my options and find what is trying to open that IP.

Thanks for your time
Gren
 
Hi everybody. :)

That IP isn't in Malwarebytes' database, hosts-file.net.
Nonetheless, I found it in abuseipdb.com: 94.100.17.251 | Swiftway Sp. z o.o. | AbuseIPDB
I'm not sure if the Malwarebytes team uses that database, but it's probable.
Nor whether they are blocking certain ports...

You can generate some logs with this command (to be run from an elevated command prompt):
(netstat -bnf 2 | findstr /v /c:"UDP") > "%userprofile%\desktop\Netstat-every-2-seconds.txt"
It can be stopped either with CTRL + C (CTRL and C keys on your keyboard: press/hold CTRL, press C, release both keys), or by closing the command prompt window.
You must stop the command after you have opened the VPN, otherwise the file can grow rapidly (some MB after a few minutes if you are using P2P programs, some GB after days...).
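Once that netstat log exists, the next step is to find which image was talking to the blocked endpoint. The following is an added example, not code from the thread: a small Python parser for "netstat -b" style output that maps each foreign ip:port to the connection states and owning process names seen for it. The embedded log is constructed to mimic that output; 94.100.17.251:8 is the endpoint from the thread, while the local addresses and process names are made up.

```python
import re
from collections import defaultdict

# Constructed sample shaped like "netstat -bn" output, not a capture from the
# poster's machine; 94.100.17.251:8 is the endpoint discussed in the thread,
# the local addresses and process names are made up.
SAMPLE_LOG = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.23:49712     94.100.17.251:8        SYN_SENT
 [purevpn.exe]
  TCP    192.168.1.23:49713     93.184.216.34:443      ESTABLISHED
 [chrome.exe]
  TCP    192.168.1.23:49714     94.100.17.251:8        SYN_SENT
 Can not obtain ownership information

Active Connections

  TCP    192.168.1.23:49715     94.100.17.251:8        ESTABLISHED
 [purevpn.exe]
"""

CONN_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
OWNER_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")

def attribute_connections(text):
    """Map each foreign ip:port to the states and owning images seen for it.
    netstat -b prints the owner on the line after a connection as "[name.exe]",
    or "Can not obtain ownership information" (recorded here as "<unknown>")."""
    result = defaultdict(lambda: {"owners": set(), "states": set()})
    pending = None  # foreign endpoint still waiting for its owner line
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            _local, foreign, state = m.groups()
            result[foreign]["states"].add(state)
            pending = foreign
        elif pending is not None:
            m = OWNER_RE.match(line)
            if m:
                result[pending]["owners"].add(m.group(1))
                pending = None
            elif line.strip().startswith("Can not obtain ownership"):
                result[pending]["owners"].add("<unknown>")
                pending = None
    return dict(result)

def owners_of(text, endpoint):
    """Sorted image names seen talking to endpoint ("ip:port"); [] if none."""
    entry = attribute_connections(text).get(endpoint)
    return sorted(entry["owners"]) if entry else []
```

A SYN_SENT entry with no ESTABLISHED follow-up is what you would expect to see when the blocker drops the connection before the handshake completes, which is also why a per-second poll can miss it entirely.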
 
Since you say it is legit I will add an exception to my security software not to block that ip.
I did say it appears to be legit and I still think they are.

I wish AbuseIPDB defined what specific "abusive activity" actually occurred. There are many legitimate reasons why "port scans" (the most often reported category) may occur. A port scan does NOT imply an "intrusion". Plus I note in that AbuseIPDB report, a couple of those were "outbound" attempts. That does not suggest anything (good or bad) towards Swiftway. If anything, it suggests something (good or bad) has already been let through to the client system that is now attempting to "call home".

I have my router send me a copy of its logs every day and I regularly see scary entries like DoS attack: ACK Scan, DoS attack: FIN Scan, DoS attack: Smurf Scan, and LAN access from remote. Most are from Akamai Technologies, Netflix (I am a subscriber), Cox (my ISP), Google (AbuseIPDB), and even Amazon and Microsoft (AbuseIPDB). Why? I don't know, but they do - yet I don't suspect malicious activity from them either, even when reported to AbuseIPDB.

But some have been from China Unicom, TurkTelecom, Montenegro Telecom and other entities I don't know and don't trust (and don't appear in AbuseIPDB, BTW). But the point is, while my router sees these attacks, it is not letting them through to my network. It is blocking them all. A good thing, for sure.

Just today, my router was hit by Amazon, Cox and a new site, Internap. I don't know who Internap is but AbuseIPDB shows DoS attack: ACK Scans from them too, just like Microsoft and Google. But again, my router blocked them BEFORE they were able to reach any of my connected computers. A very good thing.

I see even AbuseIPDB has been reported for "abusive activity".

I don't think it would hurt to contact Swiftway.net and hear what they have to say and note if the hairs on the back of your neck stand up, or not. But again, from what I can see, they appear to be legit.
 
Hey,

Sorry for the late reply.
I found the IP server is one used by PureVPN.

The trick you gave me never logged that IP, though I got the block message.
I guess Malwarebytes blocked it before it could report anything.
The new version of Malwarebytes 3 no longer blocks it as of yet, so I'm good to go.

Thanks for all the help
Gren.
 
The new version of Malwarebytes 3 no longer blocks it as of yet, so i'm good to go.
My guess is someone at Malwarebytes figured out it was a false positive. I suspect if you uninstalled MB3.x and reinstalled MBAM 2.x it would work fine now too. But then, if it ain't broke, don't fix it, and right now, it ain't broke!

Thanks for posting your follow-up. :)
 