ConorD62
Level 12
Message 1 of 12

Risky Connection blocked - skype.

So I left my computer running while I watched TV and I left Skype on but not open, I haven't visited any websites apart from Facebook really as I haven't used my computer blocked.

However I got a risky connection blocked and it told me it was from Skype.

The IP is 216.2.193.1. From what I could find out on Google, it is from CSC Holdings or Cablevision?

Not sure what either these companies are but apparently the IP is from New York?

Ran Malwarebytes, and nothing was found, but then again I haven't done anything on my computer for a while except use Facebook, so I couldn't have picked anything up.

Also, I used to have Skype open all the time and this is the only time I've ever had a connection blocked from it, and now I'm not sure whether to use it again for a while until I find out the answer to the risky connection.

1 Solution

Accepted Solutions
ConorD62
Level 12
Message 12 of 12

Re: Risky Connection blocked - skype.

Moving back onto the Risky connection that was blocked, I'm just going to assume that it was Skype updating.

Or a group conversation that I was having.

Message was edited by: ConorD62 on 9/5/12 4:36:18 PM IST

11 Replies
Hayton
Reliable Contributor
Message 2 of 12

Re: Risky Connection blocked - skype.

Hello Conor,

   Better check your Security Center History and Logs for recent entries, especially in the Intrusion Detection section.

http://en.utrace.de/?query=216.2.193.1

That IP is rated Red / High Risk by Trustedsource - see

http://www.mcafee.com/threat-intelligence/ip/default.aspx?ip=216.2.193.1

for the full info.

The IP address is the address of user1.cablevision.com and the server has been serving up an exploit, namely SSL: NSS Heap Overflow. The attack is through a wide range of ports, and if you had Skype running it was probably using one or more of those attack ports.

This is an old exploit, used mainly against SeaMonkey, and was meant to have been fixed years ago. Perhaps it's an old virus still doing the rounds.

You might want to contact Skype UK - https://support.skype.com/en-gb/search_first/

The server is known to Project Honeypot as a probable spam mail server, so is highly suspect -

http://www.projecthoneypot.org/ip_216.2.193.1

Message was edited by: Hayton on 05/09/12 03:03:49 IST
Hayton
Reliable Contributor
Message 3 of 12

Re: Risky Connection blocked - skype.

On second thoughts, things may not be quite that simple. Have a look at this page from Wikipedia, which changes slightly my opinion of what might have happened -

[Attached image: User talk-216.2.193.1 - Wikipedia, the free encyclopedia.png]

Right. So if it's an ISP then the connection that was blocked came through the ISP but cannot necessarily be traced back to a specific person or location (at least, not easily).

Better check your Skype call history (can you do that? I don't know, I don't use Skype) and see if anything there looks suspect.

[Attached image: whois details.PNG]

Message was edited by: Hayton on 05/09/12 03:21:47 IST
ConorD62
Level 12
Message 4 of 12

Re: Risky Connection blocked - skype.

I had Skype open and there were a few group chats, but no calls (voice?)

However, another thing I noticed last night was that there was an update to install through Windows, even though it had not checked since yesterday. It was Skype 5.10 for Windows.

Could that have been the connection? Trying to get it to install?

I checked the 'Intrusion Detection Events' and there is nothing there.

Hayton
Reliable Contributor
Message 5 of 12

Re: Risky Connection blocked - skype.

Latest Skype version for Windows I can see is 5.10.0.116, and that was the current version about a week ago. If you already have that version, and there isn't a more recent one, an offer to update may not have been genuine.

Usual rules apply as in all such cases: if in doubt kill all running apps, lock down the firewall, use CCleaner (or similar) to delete all temp files, cookies, browser cache, and DNS cache (+ whatever else you want to clear out) then run the usual scans with McAfee/MWB/Stinger/whatever.

Nothing in Intrusion Detection is good but also check the other sections in History & Logs. Watch for entries in Incoming and Outgoing Events.

ConorD62
Level 12
Message 6 of 12

Re: Risky Connection blocked - skype.

I haven't updated Skype since like 2011, so I think it's genuine. It's been pestering me the last week about downloading the new Skype and I never really got around to it.

There are no outgoing events apparently.

Incoming is like Facebook, Amazon (I don't have it open), Sky, acces.hol.gr?

A couple (3) from hosts which don't have websites.

Message was edited by: ConorD62 on 9/5/12 3:16:03 PM IST
Hayton
Reliable Contributor
Message 7 of 12

Re: Risky Connection blocked - skype.

Nothing much out of the ordinary except for access.hol.gr which appears to be an anonymising server based in Greece. Could be part of TOR but looking at it I would be inclined to block anything coming from "hol.gr". Your choice, of course.

ConorD62
Level 12
Message 8 of 12

Re: Risky Connection blocked - skype.

There is no 'block' for the incoming events, however from what I've read, everything in the incoming events is what is blocked?

Hayton
Reliable Contributor
Message 9 of 12

Re: Risky Connection blocked - skype.

It may be legit after all. Further digging comes up with this -

Details on IP address 79.167.79.246

inetnum:        79.167.0.0 - 79.167.127.255
netname:        HOL-INFRA
descr:          Hellas On Line SA - DSL
country:        GR

HOL - Hellas OnLine. But the prefixes look strange - "ppp079167079246.access.hol.gr" for instance.

If needed you can block IP addresses or ranges of addresses in Firewall settings -->  "My Network Connections".

Message was edited by: Hayton on 05/09/12 15:49:30 IST
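
The hostname and whois range quoted in the post above can be cross-checked mechanically. This is an added example, not part of the original thread; it assumes the ISP embeds the address as four zero-padded three-digit octets in the first DNS label, and it also converts the whois range to CIDR form for use in a firewall range rule.

```python
import ipaddress
import re

# Values quoted in the post above.
WHOIS_INETNUM = "79.167.0.0 - 79.167.127.255"
RDNS_NAME = "ppp079167079246.access.hol.gr"


def inetnum_to_cidrs(inetnum):
    """Convert a whois 'first - last' IPv4 range into the CIDR blocks covering it."""
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return list(ipaddress.summarize_address_range(first, last))


def ip_from_rdns_label(hostname):
    """Decode an IPv4 address embedded in the first label of a hostname.

    Assumption: the label ends in twelve digits, i.e. four zero-padded octets.
    Returns None when that pattern is absent or an octet exceeds 255.
    """
    label = hostname.split(".", 1)[0]
    match = re.search(r"(\d{3})(\d{3})(\d{3})(\d{3})$", label)
    if not match:
        return None
    octets = [int(o) for o in match.groups()]
    if any(o > 255 for o in octets):
        return None
    return ipaddress.ip_address(".".join(str(o) for o in octets))


def describe(hostname, inetnum):
    """Return the decoded address, the range as CIDR, and whether they agree."""
    cidrs = inetnum_to_cidrs(inetnum)
    ip = ip_from_rdns_label(hostname)
    in_range = ip is not None and any(ip in net for net in cidrs)
    return {"ip": ip, "cidrs": cidrs, "in_range": in_range}


if __name__ == "__main__":
    result = describe(RDNS_NAME, WHOIS_INETNUM)
    print("decoded address:", result["ip"])
    print("whois range as CIDR:", ", ".join(str(n) for n in result["cidrs"]))
    print("address inside range:", result["in_range"])
```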
ConorD62
Level 12
Message 10 of 12

Re: Risky Connection blocked - skype.

Is it unusual for hosts that don't have a website to have an incoming event when I go to a website like Yahoo Answers?

These IPs just came up

212.183.128.191, 111.221.74.17 ?
