samp.exe connecting to random IPs
#1

Hey everyone,
after a long break I installed sa-mp again. After opening the "internet tab", samp.exe starts a series of outgoing connections to (seemingly) random IP addresses - Malwarebytes Antimalware instantly blocks them. I managed to screencap a few of the MBAM warnings.

Most, if not all - haven't checked every single one - IP addresses are Russian/Ukrainian/Lithuanian; googling these results in hosting websites, server forums or server advertisements on various sites. Why does it happen only with IPs from a few specific countries, and what's with the port 63294? Has anyone had the same issue? Or is it just some kind of false alarm?

#2

This never occurred to me. Where did you download GTA SA/SAMP from?
#3

SAMP installer - straight from sa-mp.com, GTA SA modded from a copy I kept on my pendrive with sa-mp stuff. Never had issues with it, also the mods are just car and weapon models, so I think that's not the case.
#4

This happens when you open the Internet/Hosted tab? And this is a connection cookie from the client.
I have found that Malwarebytes is too strict sometimes.
#5

Tried messing around in the Hosted tab - nothing happens. But then I opened the Internet tab, few seconds and..

Also tried to connect with two of the addresses in the first screenshot, but the port has changed to 60856, moments later there was an attempt at port 49870.
#6

Quote:
Originally Posted by lucamsx
Tried messing around in Hosted tab - nothing happens. But then i opened Internet tab, few seconds and..

Also tried to connect with two of addresses in the first screenshot, but port has changed to 60856, moments later there was an attempt at port 49870.

I bet it is the connection cookie. The cookie happens on random ports from 60000 and up, and is used to get server info into the samp client.
I think Malwarebytes alerts because these IPs do have a bad web-reputation score.

The IP address below, 93.170.123.206, has a reputation score of 40, which is "Suspected".
Check yourself
http://www.brightcloud.com/tools/url-ip-lookup.php

And why do these IPs have a bad reputation?
There are many reasons. Maybe these IPs were used to spread botnets and phishing.

In other words:
This is harmless for you. Your Malwarebytes is notifying you that these hosters have a worse reputation than others.
#7

Looks like it's a Malwarebytes false positive. All those IPs host sa-mp servers, and when you open the internet list the server browser sends queries to those servers.
#8

So.. problem solved. Thank you guys.
#9

Quote:
Originally Posted by lucamsx
So.. problem solved. Thank you guys.

Problem solved? There was never any problem. It's the server browser behaving normally. It queries servers for information about number of players and ping etc.
#10

After the explanation, by saying "problem" I rather meant the false positive MBAM warnings, not the queries themselves.
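
The explanation reached in this thread (the blocked traffic is the server browser querying listed servers) can be checked against a packet capture by inspecting the UDP payloads. The following is an added example, not part of any post above; it assumes the publicly documented SA-MP query layout (`SAMP`, 4 IP bytes, little-endian port, one opcode byte), and the function names, addresses and sample capture are constructed.

```python
import ipaddress
import struct

# Opcodes of the publicly documented SA-MP query format (assumption: this
# layout is not described anywhere in the thread itself).
QUERY_OPCODES = {b"i": "info", b"r": "rules", b"c": "clients",
                 b"d": "players", b"p": "ping"}


def classify_payload(dst_ip, dst_port, payload):
    """Return (verdict, detail) for one outbound UDP datagram from samp.exe."""
    if len(payload) < 11 or payload[:4] != b"SAMP":
        return ("unknown", "no SAMP query header")
    embedded_ip = str(ipaddress.IPv4Address(payload[4:8]))
    (embedded_port,) = struct.unpack("<H", payload[8:10])
    opcode = payload[10:11]
    if opcode not in QUERY_OPCODES:
        return ("unknown", f"unexpected opcode {opcode!r}")
    # A genuine query names the same server it is being sent to.
    if (embedded_ip, embedded_port) != (dst_ip, dst_port):
        return ("mismatch", f"header names {embedded_ip}:{embedded_port}")
    return ("samp-query", QUERY_OPCODES[opcode])


def build_query(ip, port, opcode):
    """Build a constructed sample query datagram (hypothetical helper)."""
    return (b"SAMP" + ipaddress.IPv4Address(ip).packed
            + struct.pack("<H", port) + opcode)


# Constructed capture: (destination IP, destination port, UDP payload).
# 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges, not real servers.
SAMPLE_CAPTURE = [
    ("192.0.2.10", 7777, build_query("192.0.2.10", 7777, b"i")),
    ("192.0.2.10", 7777, build_query("192.0.2.10", 7777, b"p") + b"\x01\x02\x03\x04"),
    ("198.51.100.5", 7777, build_query("192.0.2.10", 7777, b"i")),
    ("198.51.100.9", 443, b"\x16\x03\x01\x02\x00"),
]


def triage(capture):
    """Verdict per datagram: samp-query, mismatch or unknown."""
    return [classify_payload(ip, port, data)[0] for ip, port, data in capture]


if __name__ == "__main__":
    for (ip, port, _), verdict in zip(SAMPLE_CAPTURE, triage(SAMPLE_CAPTURE)):
        print(f"{ip}:{port:<5} {verdict}")
```

Only datagrams classified `samp-query` support the false-positive reading; `mismatch` or `unknown` traffic from samp.exe is what deserves a closer look.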