soma11 Posted ... (edited)

Hi,

I've been using AirVPN for more than a year and for the first time I have received a Trojan warning concerning one of the servers! I have attached the log files from both MalwareBytes 3.6.1 and Eddie 2.16.3. Looking in Eddie's log file I noticed the following:

... (An update was made shortly before the Trojan report from MalwareBytes) ...

. 2019.02.02 15:09:34 - Updating systems & servers data ...
. 2019.02.02 15:09:36 - Systems & servers data update completed
. 2019.02.02 15:19:39 - Updating systems & servers data ...
. 2019.02.02 15:19:41 - Systems & servers data update completed
. 2019.02.02 15:29:45 - Updating systems & servers data ...
. 2019.02.02 15:29:46 - Systems & servers data update completed
. 2019.02.02 15:39:50 - Updating systems & servers data ...
. 2019.02.02 15:39:51 - Systems & servers data update completed
. 2019.02.02 15:49:55 - Updating systems & servers data ...
. 2019.02.02 15:49:56 - Systems & servers data update completed

... (Here a bug was detected by OpenVPN?) ...

. 2019.02.02 15:53:25 - Detected an OpenVPN bug (On-Link route on VPN range), autofix.

... (Here Eddie connects to the server blocked by MalwareBytes) ...

. 2019.02.02 15:53:34 - Routes, added a new route, 62.102.148.185 for gateway 10.8.110.1
. 2019.02.02 15:53:34 - Routes, added a new route, 2a00:1520:27:1:af00:6910:ebff:7f35 for gateway fde6:7a:7d20:46e::1
. 2019.02.02 15:53:34 - Flushing DNS
I 2019.02.02 15:53:38 - Checking route IPv4
. 2019.02.02 15:53:41 - curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
. 2019.02.02 15:53:41 - Checking route (2° try)
. 2019.02.02 15:53:42 - curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
. 2019.02.02 15:53:42 - Checking route (3° try)
. 2019.02.02 15:53:44 - curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
E 2019.02.02 15:53:44 - Checking route IPv4 failed.
. 2019.02.02 15:53:44 - OpenVPN > Initialization Sequence Completed
! 2019.02.02 15:53:44 - Disconnecting
. 2019.02.02 15:53:44 - Routes, removed a route previously added, 62.102.148.185 for gateway 10.8.110.1
. 2019.02.02 15:53:45 - Routes, removed a route previously added, 2a00:1520:27:1:af00:6910:ebff:7f35 for gateway fde6:7a:7d20:46e::1
. 2019.02.02 15:53:45 - Sending management termination signal
. 2019.02.02 15:53:45 - Management - Send 'signal SIGTERM'
. 2019.02.02 15:53:45 - OpenVPN > MANAGEMENT: CMD 'c0a8a239e7bc043f7f1860c4adfc74a0d8764c91decaaea28972e67b0daa01b2'
. 2019.02.02 15:53:54 - Sending management termination signal
. 2019.02.02 15:53:54 - Management - Send 'signal SIGTERM'
. 2019.02.02 15:53:54 - OpenVPN > MANAGEMENT: CMD 'signal SIGTERM'
. 2019.02.02 15:53:54 - OpenVPN > SIGTERM received, sending exit notification to peer
. 2019.02.02 15:53:59 - OpenVPN > C:\Windows\system32\route.exe DELETE 62.102.148.204 MASK 255.255.255.255 192.168.200.1
. 2019.02.02 15:53:59 - OpenVPN > Route deletion via IPAPI succeeded [adaptive]
. 2019.02.02 15:53:59 - OpenVPN > C:\Windows\system32\route.exe DELETE 0.0.0.0 MASK 128.0.0.0 10.8.110.1
. 2019.02.02 15:53:59 - OpenVPN > Route deletion via IPAPI succeeded [adaptive]
. 2019.02.02 15:53:59 - OpenVPN > C:\Windows\system32\route.exe DELETE 128.0.0.0 MASK 128.0.0.0 10.8.110.1
. 2019.02.02 15:53:59 - OpenVPN > Route deletion via IPAPI succeeded [adaptive]
. 2019.02.02 15:53:59 - OpenVPN > delete_route_ipv6(::/3)
. 2019.02.02 15:53:59 - OpenVPN > C:\Windows\system32\netsh.exe interface ipv6 delete route ::/3 interface=9 fe80::8 store=active
. 2019.02.02 15:53:59 - OpenVPN > env_block: add PATH=C:\Windows\System32;C:\Windows;C:\Windows\System32\Wbem
. 2019.02.02 15:53:59 - OpenVPN > delete_route_ipv6(2000::/4)
. 2019.02.02 15:53:59 - OpenVPN > C:\Windows\system32\netsh.exe interface ipv6 delete route 2000::/4 interface=9 fe80::8 store=active
. 2019.02.02 15:53:59 - OpenVPN > env_block: add PATH=C:\Windows\System32;C:\Windows;C:\Windows\System32\Wbem
. 2019.02.02 15:53:59 - OpenVPN > delete_route_ipv6(3000::/4)
. 2019.02.02 15:53:59 - OpenVPN > C:\Windows\system32\netsh.exe interface ipv6 delete route 3000::/4 interface=9 fe80::8 store=active
. 2019.02.02 15:53:59 - OpenVPN > env_block: add PATH=C:\Windows\System32;C:\Windows;C:\Windows\System32\Wbem
. 2019.02.02 15:54:00 - OpenVPN > delete_route_ipv6(fc00::/7)
. 2019.02.02 15:54:00 - OpenVPN > C:\Windows\system32\netsh.exe interface ipv6 delete route fc00::/7 interface=9 fe80::8 store=active
. 2019.02.02 15:54:00 - OpenVPN > env_block: add PATH=C:\Windows\System32;C:\Windows;C:\Windows\System32\Wbem
. 2019.02.02 15:54:00 - OpenVPN > Closing TUN/TAP interface
. 2019.02.02 15:54:00 - OpenVPN > delete_route_ipv6(fde6:7a:7d20:46e::/64)
. 2019.02.02 15:54:00 - OpenVPN > C:\Windows\system32\netsh.exe interface ipv6 delete route fde6:7a:7d20:46e::/64 interface=9 fe80::8 store=active
. 2019.02.02 15:54:00 - OpenVPN > NETSH: C:\Windows\system32\netsh.exe interface ipv6 delete address Ethernet 2 fde6:7a:7d20:46e::1079 store=active
. 2019.02.02 15:54:01 - OpenVPN > NETSH: C:\Windows\system32\netsh.exe interface ipv6 delete dns Ethernet 2 all
. 2019.02.02 15:54:01 - OpenVPN > TAP: DHCP address released
. 2019.02.02 15:54:01 - OpenVPN > SIGTERM[soft,exit-with-notification] received, process exiting
. 2019.02.02 15:54:01 - Connection terminated.

... (From then on connections were made to other servers)

NB: During the latest months I have noticed more and more servers getting blocked at domains like "duckduckgo.com", "wordpress.org" and some other minor websites which I don't recall. I don't know if this somehow could be related?

Attachments: Eddie_20190202_155647.txt, malwarebytes.txt

Edited by giganerd: Apply LOG formatting to logs
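The log above contains everything needed to tie the MalwareBytes block to the failed connection, if you read it as events rather than text. Eddie installs a host route to 62.102.148.185 through the tunnel gateway 10.8.110.1, then runs its IPv4 route check against that address; all three curl attempts end in error 35, "wrong version number", which is OpenSSL's way of saying the bytes it got back where it expected a TLS record were not TLS at all (the error says nothing about who sent them). Eddie then disconnects and OpenVPN tears down a separate host route, 62.102.148.204 via the LAN gateway 192.168.200.1, which is the OpenVPN endpoint this session actually connected to. The script below is an added example, not code from the post, from Eddie or from AirVPN: it parses Eddie log lines of this shape, summarizes one connection attempt (route-check targets, endpoint, curl outcome) and tests whether a MalwareBytes block on an IP falls inside the window in which Eddie had that IP routed. The log excerpt is constructed from the lines quoted in the post, and the MalwareBytes record is a hypothetical stand-in, since the attached malwarebytes.txt is not quoted on the page.

```python
import re
from datetime import datetime

# Constructed log excerpt modelled on the Eddie 2.16.3 lines quoted in the post.
# It is not the attached Eddie_20190202_155647.txt: only the lines the parser
# needs were kept, and the Windows paths are re-escaped for a Python string.
EDDIE_LOG = """\
. 2019.02.02 15:53:25 - Detected an OpenVPN bug (On-Link route on VPN range), autofix.
. 2019.02.02 15:53:34 - Routes, added a new route, 62.102.148.185 for gateway 10.8.110.1
. 2019.02.02 15:53:34 - Routes, added a new route, 2a00:1520:27:1:af00:6910:ebff:7f35 for gateway fde6:7a:7d20:46e::1
I 2019.02.02 15:53:38 - Checking route IPv4
. 2019.02.02 15:53:41 - curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
. 2019.02.02 15:53:41 - Checking route (2° try)
. 2019.02.02 15:53:42 - curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
. 2019.02.02 15:53:42 - Checking route (3° try)
. 2019.02.02 15:53:44 - curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
E 2019.02.02 15:53:44 - Checking route IPv4 failed.
. 2019.02.02 15:53:44 - OpenVPN > Initialization Sequence Completed
! 2019.02.02 15:53:44 - Disconnecting
. 2019.02.02 15:53:44 - Routes, removed a route previously added, 62.102.148.185 for gateway 10.8.110.1
. 2019.02.02 15:53:45 - Routes, removed a route previously added, 2a00:1520:27:1:af00:6910:ebff:7f35 for gateway fde6:7a:7d20:46e::1
. 2019.02.02 15:53:59 - OpenVPN > C:\\Windows\\system32\\route.exe DELETE 62.102.148.204 MASK 255.255.255.255 192.168.200.1
. 2019.02.02 15:54:01 - Connection terminated.
"""

# Hypothetical MalwareBytes detection, a stand-in for the attached malwarebytes.txt
# (which the post does not quote): the blocked IP and the time of the block.
MBAM_ALERT = {"ip": "62.102.148.185", "time": "2019.02.02 15:53:40"}

# Eddie line: one-character level, timestamp, " - ", message.
LINE_RE = re.compile(r"^(?P<level>\S) (?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) - (?P<msg>.*)$")
# Host routes Eddie installs/removes for its route check.
ROUTE_RE = re.compile(r"Routes, (?P<op>added|removed) a (?:new )?route(?: previously added)?, (?P<ip>\S+) for gateway (?P<gw>\S+)")
# curl failure lines from the route check.
CURL_RE = re.compile(r"curl: \((?P<code>\d+)\) (?P<err>.*)")
# OpenVPN's /32 host route to the endpoint it connected to, via the LAN gateway.
ENDPOINT_RE = re.compile(r"route\.exe DELETE (?P<ip>\d+\.\d+\.\d+\.\d+) MASK 255\.255\.255\.255 (?P<gw>\S+)")


def parse_ts(s):
    return datetime.strptime(s, "%Y.%m.%d %H:%M:%S")


def parse_eddie_log(text):
    """Turn Eddie log lines into typed events; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        ev = {"ts": parse_ts(m["ts"]), "level": m["level"], "msg": msg, "kind": "other"}
        if (r := ROUTE_RE.search(msg)):
            ev.update(kind="route_" + r["op"], ip=r["ip"], gw=r["gw"])
        elif (c := CURL_RE.search(msg)):
            ev.update(kind="curl_error", code=int(c["code"]), err=c["err"])
        elif (e := ENDPOINT_RE.search(msg)):
            ev.update(kind="vpn_endpoint", ip=e["ip"], gw=e["gw"])
        elif msg.startswith("Checking route IPv4 failed"):
            ev["kind"] = "route_check_failed"
        elif msg == "Disconnecting":
            ev["kind"] = "disconnect"
        events.append(ev)
    return events


def route_window(events, ip):
    """(added, removed) timestamps of the host route Eddie kept to `ip`, i.e. the
    interval during which traffic to that IP went through the tunnel."""
    added = removed = None
    for ev in events:
        if ev["kind"] == "route_added" and ev["ip"] == ip and added is None:
            added = ev["ts"]
        elif ev["kind"] == "route_removed" and ev["ip"] == ip and added is not None:
            removed = ev["ts"]
            break
    return added, removed


def summarize_attempt(events):
    """Collapse one connection attempt into the facts worth correlating with an AV alert."""
    curl = [e for e in events if e["kind"] == "curl_error"]
    return {
        "route_check_targets": [e["ip"] for e in events if e["kind"] == "route_added"],
        "vpn_endpoint": next((e["ip"] for e in events if e["kind"] == "vpn_endpoint"), None),
        "curl_errors": len(curl),
        "curl_codes": sorted({e["code"] for e in curl}),
        # error 35 "wrong version number": the reply was not a TLS record at all
        "non_tls_reply": any("wrong version number" in e["err"] for e in curl),
        "route_check_failed": any(e["kind"] == "route_check_failed" for e in events),
        "disconnected": any(e["kind"] == "disconnect" for e in events),
    }


def alert_matches_attempt(events, alert):
    """True when the AV block hit an IP Eddie was routing at the moment of the alert,
    so the block and the failed route check plausibly describe the same event."""
    added, removed = route_window(events, alert["ip"])
    if added is None:
        return False
    t = parse_ts(alert["time"])
    return added <= t <= (removed or t)


if __name__ == "__main__":
    evs = parse_eddie_log(EDDIE_LOG)
    print(summarize_attempt(evs))
    print(route_window(evs, MBAM_ALERT["ip"]))
    print("alert falls inside the route window:", alert_matches_attempt(evs, MBAM_ALERT))
```

With a real pair of files, swap the constructed excerpt for the full Eddie log and the stand-in record for the IP and timestamp from the MalwareBytes detection; a match inside the route window says the block and the route-check failure line up in time, which is the first thing to establish before arguing about whether the server itself or the AV signature is at fault.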
LZ1 Posted ...

Hello!

This is most likely just another issue with MalwareBytes, which is potentially also the cause of the inaccessibility of some sites in your case.

Possibly relevant exceptions list for MalwareBytes.

LZ1's signature: Hi there, are you new to AirVPN? Many of your questions are already answered in this guide. You may also read the Eddie Android FAQ. Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please also do not run Tor Exit Servers behind AirVPN, thank you. Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily.
soma11 Posted ...

> Hello! This is most likely just another issue with MalwareBytes, which is potentially also the cause of the inaccessibility of some sites in your case. Possibly relevant exceptions list for MalwareBytes.

Hi LZ1

I've been using MalwareBytes since long before AirVPN, and it has been running alongside it all the time. As I mentioned above, this is the very first time I have received this type (or ANY kind) of warning from MalwareBytes concerning an AirVPN server, so something has definitely changed somewhere? This and the more frequently blocked domains are why I had a hard time seeing it as "just another issue ...". Though it would be nice if that's the case.

About the domains blocking AirVPN: that has nothing to do with MalwareBytes on my end. I haven't gotten any kind of warning from MalwareBytes when this has happened, neither from an AirVPN server nor from the requested domain which is blocking. All I did to access these domains again was to connect to a different server until the domain wasn't blocking anymore (or, after too many tries, simply disconnecting the VPN and Network Lock). But this has become more frequent recently.

What I had in mind was rather that, if I can get a warning from using an AirVPN server, then maybe these domains (blocking AirVPN servers) are also getting some sort of Trojan warning or alike, and are thus blocking these servers?
soma11 Posted ...

Hi again

I have now been looking a bit further into this. The server getting blocked is Alula (62.102.148.185:49970), located in Uppsala - Sweden. After testing all servers from Uppsala - Sweden, I discovered that "Alula" is the only one from Uppsala - Sweden that is getting blocked by MalwareBytes. Therefore I guess it isn't just a whole hosting company getting blocked this time, or am I missing something?