Hi
A few minutes ago NetGuard blocked a risky connection attempt: Host Process for Windows Services, IP 194.7.155.82.
What could this be?
I have Total Protection 2011 on a Windows 7 64-bit PC.
I got the same message, I was able to trace the IP using "www.ip-adress.com/ip_tracer". I got no clue about that so I leave it blocked.
I concur. Same message, Googled it, found same info, leaving it blocked. Thanks for moral support!
I wonder what initiated the call to IP 194.7.155.82 in the first place - the McAfee warning does not seem to give a clue. What program?? At the time, I had just opened Microsoft Excel, Lotus 123, Windows Explorer (to see files). I also run McAfee Total Protection 2011 on a Windows 7 64-bit PC.
I experienced the same thing. I run different security products on different machines, and the one running McAfee is the only one that reacted to this IP. I haven't checked detailed logs on the other machines, but all are configured to not let programs make connections to the internet on their own, so I would have been notified.
Cybertrust and Ubizen both belong to Verizon. Verizon is used extensively in Windows to verify security certificates etc for the internet browser, java, flash etc. Did any of you get an alert that java could *not* check for revocation info for a certificate around this time?
Message was edited by: jaydee711 s/could/could not on 3/17/12 6:49:51 PM CDT
I did not get any alert that java could *not* check for revocation info for a certificate. All I saw was the McAfee message window.
I do use Verizon FiOS as my provider, but I wonder why McAfee shows ip 194.7.155.82 as Red if it is an IP listed with NV Verizon in Belgium and Cybertrust - Ubizen.
Keep this IP banned/flagged/removed from any of your networks. I am a McAfee user like you, however, I have a computer science background. I am currently tracking this IP further because I too got this same message on 3/17/2012. After it popped up, I blocked it, or so I thought. About 5 minutes later one of my computers locked up with the exception of my mouse and then my computer fan kicked in as the resources were both at 100% for about 3 minutes until I realized someone was using my resources on a bot net. I did a hard restart to safe mode, enabled my HIDS to detect the IP and any other intrusion from that IP, then restarted normally and have not had problems since (about 30 minutes now) but I am still tracking it so hopefully I will have a follow up shortly!
IP address information:
WHOIS Source: RIPE NCC
IP Address: 194.7.155.82
Country: Belgium
Network Name: UU-194-7-155-80
Owner Name: Cybertrust - Ubizen
From IP: 194.7.155.80
To IP: 194.7.155.95
Allocated: Yes
Contact Name: Stephen Biets
Address: Verizon/Cybertrust, Philipssite 5, 3001 Leuven, be
Email: stephen.biets@be.verizonbusiness.com
Abuse Email: abuse@be.uu.net
Phone: +32 16 28 7397
Fax:
Message was edited by: edwardjwlaunt on 3/18/12 10:01:46 AM CDT
Back to basics.
@revealdion and @wquinter, you were the first two to post on the 17th, at (it says on my screen) 12:39 and 14:49. What time(s) did you notice Netguard block access to that IP? It could be significant.
Trusted Source is rating that IP as High Risk now, but the record shows that it has been Medium Risk since at least as far back as February 15th.
If you try to access the IP address from your browser SiteAdvisor will do its best to stop you with a blocking page. I went on through to the site and found a directory listing of CRL files. These are Certificate Revocation Lists.
Q1: What is a Certificate Revocation List (CRL)?
A1: A CRL is a file that contains a list of revoked certificates, their serial numbers, and their revocation dates. A CRL file also contains the name of the issuer of the CRL, the effective date, and the next update date. By default, the shortest validity period of a CRL is one hour.
There are two large groups of CRL files with modification dates of January 11th and March 17th. Whatever updated the January files may be the cause of TrustedSource marking the IP address as Medium Risk; the move to High Risk may have resulted from the changes to some of the files on the 17th. That is pure guesswork, but the dates are suggestive.
Without downloading these CRL files and examining their contents there is no way to know what exactly is behind the TrustedSource rating changes.
I think this deserves to be kept under review because the companies involved are key players in the computer security arena. The Cybertrust Wikipedia entry reads, in part:
CyberTrust was a security services company formed in Virginia in November 2004 as a result of a merger of the TruSecure and Betrusted security companies.
Cybertrust acquired a large stake in Ubizen, a European security services firm based in Belgium to become one of the largest information security firms in the world.
And there are traces, on some of the websites I used while investigating this IP address and its hosting provider and ISP, that show a flurry of interest in the IP address especially over the past 48 hours. Some of that might be down to the curiosity of the posters in this thread, but I wonder how many others there are who have wondered if something is amiss.
There is cause for concern here, although I can't see to what use a modified CRL might be put. But then, I'm not a hacker. I'll get in touch with TrustedSource and Ubizen and alert them to the situation. If it's a false positive being flagged by TrustedSource then it can easily be corrected, but I would hope someone would carry out an investigation to make sure that there aren't problems at Ubizen.
Message was edited by: Hayton on 18/03/12 06:44:07 GMT
Peter I got it as well, left it blocked. Time:
Australia 17 March 6:22:58 am, not daylight saving time, i.e. (GMT+10hrs)
Message was edited by: Peacekeeper on 18/03/12 4:47:25 PM
I've contacted TrustedSource and Ubizen. I know it's a Sunday, so don't expect anything to happen until late Monday. It'll probably just quietly go from Red to Green without any explanation ....
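Added example (not from any poster in this thread): a minimal Python reader for the CRL fields listed in the Q1/A1 answer earlier in the thread, namely the issuer, the effective date (thisUpdate), the next update date, and the revoked serial numbers with their revocation dates. The CRL bytes are a constructed sample with a dummy signature, all function names are illustrative, and verifying the signature against the issuer's key is outside what this block does.

```python
from datetime import datetime, timezone

def read(buf, pos=0):  # -> (tag, body, next_pos) for the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read(body, pos)
        out.append((tag, val))
    return out

def when(tag, val):  # UTCTime (0x17) or GeneralizedTime (0x18) -> aware datetime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)

def parse_crl(der):
    tbs = children(children(read(der)[1])[0][1])   # fields of TBSCertList
    tbs = tbs[1:] if tbs[0][0] == 0x02 else tbs    # skip optional version INTEGER
    issuer = [children(atv)[1][1].decode() for _, rdn in children(tbs[1][1])
              for _, atv in children(rdn)]
    info = {"issuer": issuer, "this_update": when(*tbs[2]), "next_update": None, "revoked": {}}
    rest = tbs[3:]
    if rest and rest[0][0] in (0x17, 0x18):        # optional nextUpdate
        info["next_update"], rest = when(*rest[0]), rest[1:]
    if rest and rest[0][0] == 0x30:                # optional revokedCertificates
        for _, entry in children(rest[0][1]):
            serial, date = children(entry)[:2]
            info["revoked"][int.from_bytes(serial[1], "big")] = when(*date)
    return info

def is_stale(info, now):
    # RFC 5280 requires nextUpdate; a CRL without one is treated as stale here.
    return info["next_update"] is None or now > info["next_update"]

def sample_crl():  # constructed sample; the signature bytes are a dummy
    t = lambda tag, body: bytes([tag, len(body)]) + body   # short-form lengths only
    alg = t(0x30, t(0x06, bytes.fromhex("2a864886f70d01010b")) + t(0x05, b""))
    name = t(0x30, t(0x31, t(0x30, t(0x06, b"\x55\x04\x03") + t(0x0C, b"Example Test CA"))))
    entry = t(0x30, t(0x02, b"\x10\x01") + t(0x17, b"120311093000Z"))
    tbs = t(0x30, t(0x02, b"\x01") + alg + name + t(0x17, b"120317000000Z")
            + t(0x17, b"120324000000Z") + t(0x30, entry))
    return t(0x30, tbs + alg + t(0x03, bytes(9)))
```

The dates that matter are the thisUpdate and nextUpdate values inside the signed structure, not the file modification times shown in a directory listing.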