94.247.2.195

I have a website with a number of pages and using NoScript I get a pop up asking me if I want to allow or not allow 94.247.2.195

Above URL is in Latvia.

I contact NoScript but I thought I ask here too.

Thanks

I ran malwarebytes and it found a virus in my windows folder, removed it, rebooted and problem still exists.

It could be coming from Statcounter on my home page only.

http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2005-05/0105.html

I wrote to Statcounter to see what they say.

What’s the chance of seeing that scan report with the malware names/paths shown?

There is a good chance. see below. Also it is another day here in Los Angeles at 7am. I check one of my web pages that has no script and same pop up from NoScript asking me if I wanted to allow or not 94.247.2.195

Good luck with below if it helps and thanks for having a look.

Malwarebytes’ Anti-Malware 1.35
Database version: 1904
Windows 5.1.2600 Service Pack 3

4/16/2009 11:31:23 PM
mbam-log-2009-04-16 (23-31-23).txt

Scan type: Quick Scan
Objects scanned: 83633
Time elapsed: 6 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I found below link and 94.247.2.195 is on list shown.

http://www.who-is-who-in-gpt.com/forum/index.php?showtopic=4024

I found this.

http://blog.scansafe.com/

now how do I remove 94.247.2.195

In short, you can’t.

You said that it is NoScript that blocks this so a) it is already doing its job, b) the script is on a web page, your web page/s (I have a website with a number of pages) that you haven’t given so we can’t investigate, what script it is.

I only have script using Statcounter on main index.html page. All others with links from main page have no script.
Yes I wrote to Statcounter. No answer yet.

Which still doesn’t say what the URL is

Switch to another stat counter it isn’t the only option out there, certainly until this statcounter vulnerability is closed.

after searching and searching for a solution I go back and review NOscript options popup.
allow
distrust and
temporary.

I clicked on distrust and now NoScript does not popup asking me to allow, temporary or distrust. Kind of simple fix.

94.247.2.195 could be somewhere in my computer however it could be NoScript stopped 94.247.2.195 from taking me somewhere I did not want to go.

thanks.

94.247.2.195 could be somewhere in my computer however it could be NoScript stopped 94.247.2.195 from taking me somewhere I did not want to go.
I believe the answer is the second option. The address won't be in your computer, unless you've bookmarked it. What you've instructed Noscript to do is exactly how it should be used.

It can’t be in your computer or NoScript wouldn’t be detecting it (see below), you open a page and NoScript by default should block all scripts unless you specifically allow them. Now you have NoScript set up to constantly ask you if it is OK to run x script (Options, Notifications, Show message about blocked scripts), this would drive me bonkers and I have it disabled.

Unless there is malware on your system that is opening a web page in your browser (and that doesn’t seem to be the case), then NoScript shouldn’t have cause to notify you.

We’ve been seeing alot of these types of hacks lately.

It’s usually caused by a virus on the computer that uploads to the website. The virus monitors FTP traffic and since FTP usernames and passwords are sent in plain text, they can read that and then login to your website as you and add their malicious code.

You might look for something like the following on your website:

The actual encoded characters might be somewhat different but this code actually deobfuscates to:

Which is what you’re claiming is being blocked.

Step 1: change your FTP password to your site
Step 2: Clean your computer with Avast
Step 3: Remove the javascript code from your webpages. It’s typically in many spots on the same webpage and on multiple pages.

After changing your FTP password do not upload to your site again until you’ve cleaned your PC.

If you have any further questions, please PM me.