Suspicious Host Connection - test.com 0.0.0.0


#1

I can’t figure out what this is, so I was wondering if anyone knew.
Glasswire has alerted me multiple times of a “Suspicious Host Connection”, which is Chrome connecting to test dot com with IP: 0.0.0.0. I scanned chrome and did malware/virus scans, nothing came up. I uninstalled Chrome and soon after Glasswire said my new browser was doing the same thing. Scans show nothing. I blocked test dot com with my firewall and it still happens. Stumped at this point. Should I be concerned? What should I do?


#2

https://virustotal.com/en/url/f7d2b6b353e066fd98deb18620c441bff011929be9ab491efec088898622cf48/analysis/

Sucuri SiteCheck shows Test.com as malicious for some reason.


#3

I’m experiencing the same issue. Scanned with both antivirus and Malwarebytes, clean results. Weird. In my case, it happens with multiple browsers. Will keep an eye on it.


#4

I am also getting this alert … AdwCleaner finds nothing, nor does HitmanPro.


#5

Sucuri is listing it as a hacked malware distributor. I can’t figure out how it’s getting the browsers to attempt a connection.


#6

@Michael_Rose

VirusTotal has some manual votes from users there showing it’s somehow related to malware, but we can’t seem to find any details about what’s wrong and why Chrome would randomly connect there.


#7

I found out what the issue with this is, at least for me.

Using the built-in browser in Steam, I can reliably reproduce this error when browsing the Darkest Dungeon wiki. Not always, but it definitely seems related to an ad/popup or redirect or some sort of (undesirable call/action); one which I never experience with Chrome itself since I run uBlock Origin.

So for those of you getting the error in Chrome itself - you may want to run uBlock Origin (which is generally a good idea anyway, and, yes, you can disable it on a site-by-site basis if you want).

I’ll take a guess that the 0.0.0.0 IP is due to some hosts file customization? Maybe an AV product has added records or makes changes? That’s the one thing I don’t have any visibility or experience with.


#8

Advertising network used by Yahoo, which has been malicious in the past with malvertising.


#9

I’ve also seen this flag and have found malicious proxies running in the background of my dad’s network. If you do a search on “social engineering exploits” or “metasploit” you end up finding some YouTube videos of ethical hackers teaching classrooms of people about the dangers of these types of attacks.

But again, I cannot speak to the reasons someone else may have this IP address. But in my case someone else is using it to target our computers.


#10

Gasuko

Like IP 127.0.0.0, the IP 0.0.0.0 is an unroutable address as far as an external network is concerned. Simply put, this means that if any external network address (web URL) is assigned the 0.0.0.0 IP (in the “hosts” file, for example), any information sent to that URL will not be routed to the external network (internet), since 0.0.0.0 is not a legitimate IP address for any external network. This has been used by some security products as a way of denying malicious programs the ability to “phone home” or send information outside of the “local” server/computer.

This is a simplistic explanation, and more can be found by googling “localhost”, “0.0.0.0”, “127.0.0.0” and following related articles.
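The explanation above can be checked directly: if test.com is mapped to 0.0.0.0 in the hosts file, the browser’s “connection” to 0.0.0.0 is a local sinkhole rather than a real remote host. The script below is an added example, not part of this thread or of GlassWire’s software; it parses hosts-file text and reports sinkholed names. The hosts-file paths are the documented OS defaults, and the sample file is constructed.

```python
import ipaddress
import os

# Addresses commonly used to "sinkhole" a hostname in the hosts file: traffic sent
# to them never leaves the machine, so a firewall monitor sees only the attempt.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}

def parse_hosts(text):
    """Map lowercase hostname -> IP string. Skips comments, blank lines and
    malformed addresses; the first entry for a name wins, as resolvers do."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()                 # address, then one or more names
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            mapping.setdefault(name.lower(), fields[0])
    return mapping

def sinkholed_entries(mapping):
    """Hostnames the hosts file deliberately routes nowhere."""
    return {n: ip for n, ip in mapping.items() if ip in SINKHOLE_ADDRESSES}

def explain(hostname, mapping):
    """One-line verdict for a hostname seen in a firewall alert."""
    ip = mapping.get(hostname.lower())
    if ip is None:
        return f"{hostname}: not in hosts file, resolved via DNS"
    if ip in SINKHOLE_ADDRESSES:
        return f"{hostname}: sinkholed to {ip} by the hosts file, connection goes nowhere"
    return f"{hostname}: overridden to {ip} by the hosts file"

# Constructed sample (not a real hosts file); test.com is the domain from the thread.
SAMPLE_HOSTS = """# comment lines are ignored
127.0.0.1       localhost
0.0.0.0  test.com  www.test.com   # typical ad-blocking hosts-list entry
203.0.113.10    intranet.example
not-an-address  junk.example
"""

if __name__ == "__main__":
    path = r"C:\Windows\System32\drivers\etc\hosts" if os.name == "nt" else "/etc/hosts"
    with open(path, encoding="utf-8", errors="replace") as f:
        hosts = parse_hosts(f.read())
    print(explain("test.com", hosts))
```

Run it on the machine that raised the alert; a “sinkholed” verdict means the 0.0.0.0 entry is local blocking, not a remote host.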


#11

I still don’t know what is causing it or how to efficiently get rid of it. I reformatted my hard drive and the problem went away for months. However, it came back soon after I turned off adblock for some normal and (so I thought) safe websites that I typically frequent. Before reformatting, I should note that I did not use any ad-blocking software. If anyone knows a better way to fix the problem, I’m all ears.


#12

@Gasuko

If you feel it’s a false positive you can go to your GlassWire settings, then security, then disable our suspicious host monitor.


#13

I have the same issue. For me it’s the Microsoft Edge Content Process causing this issue. File name: microsoftedgecp.exe. Virus scans show nothing. Is this a bug in GlassWire? Because from what I gather from the forums, different programs are exhibiting this issue. The only constant is GlassWire. Please help, as every time the suspicious host alert pops up, I get paranoid. I’ve uploaded some screenshots. Thanks.


#14

I’d like to add that I have Windows 10 with the latest build/updates. Using the built-in Windows Defender/Firewall. The only program installed to monitor the network is GlassWire. Also using a VPN service from VyprVPN. Other than that there are no virus, firewall or network monitoring programs except what’s already built into Windows.


#15

I will ask our team to remove Test .com from our suspicious host list.


#16

Ok. But any ideas on why GlassWire is showing 0.0.0.0 as Test .com?

I don’t know if using a VPN could be causing this issue.


#17

We have removed this domain from our suspicious host lists.


#18

I am also facing the same issue. My two sites are showing the same issue. I scanned the sites with many known scanners. The sites are clean. I even confirmed with the data center too.

freshernaukrijobs (edited by GlassWire admin)
blog-e-pedia (edited by GlassWire admin)

Please remove the site from suspicious list.

Thanks,


#19

@nirajnagar

I will check this, thank you.


#20

@nirajnagar, heck no! You need to get the warnings cleared from the security blacklists listed below.

@Ken_GlassWire, GlassWire should keep them on the suspicious list until the warnings are removed from Virustotal.com:

freshernaukrijobs
https://www.virustotal.com/#/url/fdb3b177b87ddbffa82d146b5ada508bd67f7a78d744d177af2a8b1011ff3e75/detection
BitDefender Malware
CyRadar Malicious
Malwarebytes hpHosts Phishing
DNS8 Suspicious

blog-e-pedia
https://www.virustotal.com/#/url/4c0be67d148a4db036a5c7b37bfdb2d7afdbd7e3e615228ed1f08082169c618d/detection
AutoShun Malicious
BitDefender Phishing
Kaspersky Phishing
Sophos AV Malicious
Forcepoint ThreatSeeker Suspicious