[cloud] strange transmission to 98.142.242.90

Post by nocci » Sun Oct 20, 2013 9:40 pm

Hi,

my MalwareBytes Anti-Malware is blocking one IP that seems to be used by you.
Here is the log of it:

2013/10/20 19:56:28 +0200 *NOT_ALLOWED* *NOT_ALLOWED* IP-BLOCK 98.142.242.90 (Type: outgoing, Port: 49194, Process: stpass.exe)
2013/10/20 19:56:28 +0200 *NOT_ALLOWED* *NOT_ALLOWED* IP-BLOCK 98.142.242.90 (Type: outgoing, Port: 49195, Process: stpass.exe)

Can you confirm that this IP is OK and I can trust this kind of transmission??
Does this IP belong to StickyPassword?

What kind of information is sent via this connection??

Further research of mine:
The IP belongs to VELCOM.COM and seems to be located in Canada (Ontario) City: Brampton

It seems that on this IP (server) a phishing-site is hosted too, so I have a bad feeling if you host a backend-system or anything on this IP.
http://support.clean-mx.de/clean-mx/phi ... id=3662648
dvijaya.ru is also hosted on this server (98.142.240.42) and Chrome and Firefox are blocking this site.

I've read your WhitePaper about the security of StickyPassword 7 and there is nothing I can find about other systems like Amazon S3 and Amazon EC2 for online transmission!

So... why should I trust StickyPassword?
Just yesterday I bought a 1yr license for 3 users...

And today I have great fear that I did something wrong with that...
At least I uninstalled SP7 and switched back to SP6 without cloud... AND I deleted the cloud-data for my ID.

I am quite unhappy because I have to change all important passwords now...
test environment:
1. Intel i3 4130 / 16GB RAM / 120GB SSD / Win 8.1 PRO x64
2. Nexus 7 (2012) / Cyanogenmod / 4.4.2
3. LG Optimus Black / Stock / 4.0.4
4. VMs / Win7 Home Premium & Win 8.1 PRO
5. My girlfriend's PC & Laptop / Win 8.1 PRO
nocci
New user
 
Posts: 43
Joined: Fri Jan 18, 2013 1:36 pm

Re: [cloud] strange transmission to 98.142.242.90

Post by pavelkrcma » Mon Oct 21, 2013 12:49 pm

Hello,

unfortunately, those addresses don't belong to us. StickyPassword communicates only with Amazon, for EC2:

54.229.85.115
54.229.15.166
+ block of IPs belonging to S3

and if necessary (and approved) sends crash reports to our server (t1.stickypassword.com, 212.96.160.183). This server is located in the Czech Republic.

Mainly, SP uses only HTTPS protocol on standard port 443, not 49194.

I strongly suggest scanning your system for malware with an AV other than MalwareBytes. No AV system is 100% accurate, and neither is MalwareBytes. A common practice used by malware is to "masquerade" as a different process using different techniques.

So, I agree that it would be a good idea to change all important passwords now, but please clean your system first.

Best regards,
Pavel Krcma
pavelkrcma
Experienced user
 
Posts: 58
Joined: Tue Aug 20, 2013 12:56 pm
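
A triage sketch for the situation in this thread, added here as an example (not code from Sticky Password or from either poster): it parses block-log lines in the format quoted in the first post and marks each destination as documented or undocumented against the endpoints listed in the reply above. The function name, the empty `VENDOR_NETWORKS` list and the third sample line are assumptions made for illustration.

```python
import ipaddress
import re

# Endpoints listed in the vendor reply above.
VENDOR_HOSTS = {
    "54.229.85.115": "Amazon EC2",
    "54.229.15.166": "Amazon EC2",
    "212.96.160.183": "t1.stickypassword.com (crash reports)",
}
# The reply also mentions a block of S3 addresses without listing it;
# add those networks here (assumption: supplied by the reader).
VENDOR_NETWORKS = []
DYNAMIC_PORTS = range(49152, 65536)  # IANA dynamic/private port range

LINE_RE = re.compile(
    r"IP-BLOCK (?P<ip>\S+) \(Type: (?P<direction>\w+), "
    r"Port: (?P<port>\d+), Process: (?P<process>[^)]+)\)"
)

def triage(log_text, process="stpass.exe"):
    """Return one finding per blocked connection made by `process`."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["process"].lower() != process:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # not a parseable address, skip the line
        owner = VENDOR_HOSTS.get(str(ip))
        if owner is None and any(ip in net for net in VENDOR_NETWORKS):
            owner = "vendor network"
        port = int(m["port"])
        findings.append({
            "ip": str(ip),
            "port": port,
            # The log does not say whether Port is local or remote; a value
            # in the dynamic range is typical of a client-side source port.
            "dynamic_port": port in DYNAMIC_PORTS,
            "verdict": f"documented: {owner}" if owner else "undocumented",
        })
    return findings

# First two lines are from the first post; the third is constructed.
SAMPLE_LOG = """\
2013/10/20 19:56:28 +0200 *NOT_ALLOWED* *NOT_ALLOWED* IP-BLOCK 98.142.242.90 (Type: outgoing, Port: 49194, Process: stpass.exe)
2013/10/20 19:56:28 +0200 *NOT_ALLOWED* *NOT_ALLOWED* IP-BLOCK 98.142.242.90 (Type: outgoing, Port: 49195, Process: stpass.exe)
2013/10/20 19:57:02 +0200 *NOT_ALLOWED* *NOT_ALLOWED* IP-BLOCK 54.229.85.115 (Type: outgoing, Port: 49201, Process: stpass.exe)
"""
```

An "undocumented" verdict only means the destination is not on the vendor's list; it still has to be explained, for example with a packet capture on a clean machine.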

Re: [cloud] strange transmission to 98.142.242.90

Post by nocci » Mon Oct 21, 2013 5:02 pm

Hi...

and thank you for the quick response.
Of course I ran several AV-engines like KasperskyRescue, Sophos and so on.
They all found no malicious programs or viruses... well I just installed a clean Win 8.1 the day before yesterday.

Now after some hours of checking and testing in a clean/fresh VM (wireshark, firewall etc.)... it looks like the SP7 process (stpass.exe) checks various servers from the "web accounts"-list.
So thanks to wireshark I know what site uses the IPs mentioned - I found the host in the logfile I made!
Yeehaa!

I've set my eset7-firewall to interactive mode and a lot of sites I use were visited by SP7.
Why does SP7 do this?? Maybe you can explain this to me. That would be great!

Re: [cloud] strange transmission to 98.142.242.90

Post by pavelkrcma » Mon Oct 21, 2013 5:31 pm

Great, I'm glad it's not malware. Now it makes sense - StickyPassword loads icons for all URLs in the WebAccount list. It's an update of the icon in front of the URL in the list.

BTW, I'm looking for techies like you to build a closed group of beta testers. I would like to offer something similar to Mozilla "beta channel", builds with fresh new features/bugfixes but not tested thoroughly yet. Would you be interested?

Re: [cloud] strange transmission to 98.142.242.90

Post by nocci » Mon Oct 21, 2013 6:01 pm

Oh... Thx a lot.
I can imagine being a beta tester... maybe we should talk in PM.
Have a nice evening

Re: [cloud] strange transmission to 98.142.242.90

Post by pavelkrcma » Tue Oct 22, 2013 3:47 pm

Please contact me by email - pavel.krcma (at) stickypassword. com