
91.215.158.80 false positive?


53 replies to this topic

#21 deny (New Member, 26 posts)

Posted 29 February 2012 - 03:36 AM

So you are blocking the whole IP range 91.215.156.0 - 91.215.159.255 here. This way you are blocking many innocent websites in the whole range, and I can believe that the MB team does it in such a way.

But back to one IP address from the whole range 91.215.156.0 - 91.215.159.255, back to IP address 91.215.158.80

It looks as if there is nothing wrong with IP address 91.215.158.80. If there is something wrong, then show me any of the malicious sites below (all using IP address 91.215.158.80), and if there is nothing wrong, then please unblock IP address 91.215.158.80.

I'm asking again and again and again: show me evidence of what is wrong with 91.215.158.80. Do not block 91.215.158.80 because of some other IP address in the same IP range. You should never do it that way. It is completely wrong.

If there is one killer living in a city, it does not mean that all citizens of that city are killers. But MB's logic is that all citizens in that city are killers.

That is exactly what you are doing for the IP range 91.215.156.0 - 91.215.159.255. Because of one or two or even 100 bad IP addresses you are blocking 10,000.


List of websites using 91.215.158.80

www.ibrowse-dev.net
www.wordpressthemespark.com
www.costdental.org
www.theartofslowtravel.com
www.paulsmithsuk.com
microshots.org
www.proxyserverprivacy.com
www.pangasinandentist.com
www.ip-address.org
atacsolutions.com
www.adentistfind.com
neurontin.org
itsmynortheast.com
spotceleb.com
picturenames.com
home-design-ideas.net
www.maorlevi.com
soccermust.com
www.tezeo.com
www.afhussey.co.uk
www.medcates.com
edhardypro.com
latest-business.com
medica-now.com
bopabikers.com
www.collectionbuddy.com
celebrityflux.com
www.frantroadclinic.co.uk
www.flowforums.com
fuji.drillspirits.net
unicoinvest.com
www.marasusa-apartments.com
heykessy.com
www.ant-comics.com
goalbite.com
mega-webhosting.net
indianbee.com
steltect.com
www.undercovershadows.co.uk
www.petaworld.com
www.metalcreationsuk.co.uk
www.kidviduk.com
www.xhtmltemplates.eu
www.latestdentalnews.com
www.b4lhost.com
www.youdownload.newdigest.com
www.picturenames.com
www.robertsandson.co.uk
www.hotel-penarth.com
nice-items.com
www.warpdt.co.uk
www.web2design.gr
luxusdesignideas.com
intothenightgames.com
rakebackfulltilt.net
www.somer-solvit.co.uk
www.happypaws.org.mt
blog.atacsolutions.com
www.restorick.co.uk
starmountaingems.com
www.dora-explorer.co.uk
thethird.dk
www.lazertraxx.com
www.textbookwarehouse.co.uk
luxurydecoratingideas.com
celebrity-hub.com
www.costablancawriters.com
furnitureinteriorideas.com
marckerstein.com
www.yesbluff.com
www.lazytown-mall.co.uk
www.miditracks.co.uk
www.blitzkrieg.biz
www.londoncognitivetherapy.co.uk
homefurnituredesignideas.com
lokovita.net
www.zariex.com
agniveer.org
www.airsender.com
tfroc.net
www.webio.ro
www.sunpoker.biz
gaff.tv
www.tank-engine-thomas.co.uk
www.unlockworks.com
ethnologe.com
www.800-number.net
www.worldcup2010store.info
emailfaxphone.net
popconreality.com
www.roadbangkok.com
www.heathfieldscaffolding.co.uk
joaoluis.eu
www.venteasperge-france.com
fingerspace.co.uk
ruta47.com
bawal.com
photoblog.robbysmets.be
mikehillier.com
davidecanali.com
imillardplumbingandheating.co.uk
www.bestnewspaper.info
www.meddling-kids.co.uk
pinballroulette.org.uk
simsgalerie.com
www.simcookie.com
www.paintedcakes.net
juxtaposing.com
www.freetv-home.co.uk
satori.juxtaposing.com
www.prcboardexamresultsph.com
dmr.juxtaposing.com
www.fuelbillslashed.com
www.rethymnonhotels.eu
blog.mikehillier.com
www.ink-cartridge-mall.co.uk
leadership-qualities.net
restarick.org
www.amigaf1.co.uk
siberian-larch.com
www.manilastars.com
www.forum-camioane.com
www.lovedogmusic.co.uk
www.charlie-lola.co.uk
www.simonatomarchio.net
www.senshinkai.net
www.hotels2mykonos.com
www.promeco.dk
www.shadowsradio.co.uk
drillspirits.net
www.stp.ee
uhl.juxtaposing.com
cd.juxtaposing.com
www.bestread.info
www.toll-free-numbers.org
www.informationaboutcaves.net
www.handheldgpsuk.co.cc
www.toys-4-tots.co.uk
www.deepfryershop.co.uk
www.rukino-blog.info
www.edgarcollection.com
www.yoga-mall.co.uk
www.coachhandbags.eu
www.silverprice24.info
jointproblemsdogs.com
www.cheapheadphonesuk.co.cc
www.olgartrujillo.com
comics-home.com
www.dominikfejer.com
forum.popconreality.com
applicationinterface.net
house-infrance-for-sale.com
www.indeicy-sewernoiameriki.info
some.randomhash.net
ucl.juxtaposing.com
premiumthemewordpress.net
www.getyourlogo.in
www.kontiki-bonaire.com
www.acetrategic.com
otakucy.com
pvrbugs.futaura.co.uk
www.wegdromen.be
homeluxurydesign.net
www.filmy-vam.info
photo.greenfox.ro
worldwidebarguide.com
allmovieplace.com
kero-pics.com
vpsforscrapebox.com
www.demerdzhi.info
farumkyokushin.dk
the6o.com
www.genrih-muller.info

#22 MysteryFCM (Forum Deity, Moderator, 5,389 posts, Tyneside, UK)

Posted 29 February 2012 - 04:05 AM

There's actually over 350 using that IP at present .....

Your analogy is also invalid

As for giving you the evidence, you can have it once it is collated and re-verified and not before then.

Steven Burn

Malware Intelligence Analyst


staff.png

Follow us: Twitter, Become a fan: Facebook


#23 deny

Posted 29 February 2012 - 04:15 AM

Here is evidence that you have never contacted Downtownhost (who is directly responsible for managing the server related to IP address 91.215.158.80):

---------------------------------------------------

Hello ...,

There is no issue with 91.215.158.80 and no other customer complaint about IP blockage yet.

Our data center has a very strict policy for abuse issues. If possible, please tell them to send us the "sheer volume of abuse logs" at support@downtownhost.com and we will take care of it.


Kind Regards,
Scott Pates
Downtownhost

#24 MysteryFCM

Posted 29 February 2012 - 04:35 AM

Of course (funny how most associated with blackhats tend to say the same thing .....- sadly you'll find the DC knows otherwise, I've been working with them for quite some time now)

And a little hint: trying to insult the person working on this is just going to get you ignored.

As an aside by the way, I don't know what your connection to the IP is, but lovely tidbit for you - whilst downtownhost.com cleaned one of the files on the site housing the exploit, he didn't clean it properly, which left at least 2 other files still housing exploit code. He was sent another e-mail about this earlier.



#25 deny

Posted 01 March 2012 - 03:19 AM

whilst downtownhost.com cleaned one of the files on the site housing the exploit, he didn't clean it properly, which left at least 2 other files still housing exploit code. He was sent another e-mail about this earlier


The last information I have is that all the malware files are cleaned now. Can you confirm it, and I wonder when you are going to release the block on IP address 91.215.158.80.

#26 MysteryFCM

Posted 01 March 2012 - 03:25 AM

I'm planning on finishing this particular case up today (as mentioned previously, this isn't the only case I'm working on - there's well over 3,000 others).



#27 deny

Posted 03 March 2012 - 06:32 PM

I'm planning on finishing this particular case up today (as mentioned previously, this isn't the only case I'm working on - there's well over 3,000 others).


Hmmm.... We are 3 days later and nothing has been changed. Not at all.

#28 MysteryFCM

Posted 04 March 2012 - 09:31 AM

That's correct. The host/ASN have just been sent a list of items that still need to be suspended/cleaned before I'll be prepared to remove the block.



#29 JorgeC (New Member, 12 posts)

Posted 04 March 2012 - 11:25 AM

My Name is Jorge Catena and I own DowntownHost LLC, which is one of the companies in question here.

Malwarebytes asked us to remove some sites (abandoned spammed blogs, according to Malwarebytes, and I don't know how they know; fake med sites; or forums not even hosted on our server but with the domain pointing to it). They even asked us to remove sites which have problems with ClickBank in order to get the IP block released. We won't tolerate, nor are we going to comply with, such an extortive request. Unfortunately for those who use the software, that IP is going to stay blocked, according to Steven Burn, who works for Malwarebytes.

Just wanted to give our side of the story.

#30 JorgeC

Posted 04 March 2012 - 11:27 AM

By the way, the sites with malware were already cleaned and we are closing sites selling counterfeits, but from what I was told, that's not enough and they require us to remove the other sites too.

#31 deny

Posted 04 March 2012 - 11:59 AM

I'm surprised that MBAM does not only block exploit websites (actually not websites but IP addresses/IP ranges with a couple of hundred/thousand websites)
but also websites with suspicious content (who can take on such a role, deciding what is good content and what is not) without any exploit.
And the websites that supposedly cheat ClickBank or whatever, those are again websites without any exploit?

I'm seriously thinking about dropping MBAM because of its very bizarre handling of supposed exploits and
the way that websites are blocked (the option "website blocking" should be renamed "IP address blocking".
You do not actually block websites; you block IP addresses with thousands of websites).

:angry: :angry:

#32 MysteryFCM

Posted 04 March 2012 - 04:08 PM

Actually, to put the story straight, the issues with ClickBank wouldn't have kept the IP blocked (indeed, nor would the splogs if they'd only been linking to non-harmful content); the rest of it, however, does.

Those that are heavily spammed, for example, aren't just spam linking to the odd fraud; it's spam linking to everything else, and it isn't just one or two posts or one site: the guy has several sites, all of which have the same issues. You're the one that has refused to do anything about it (and FYI, the domains resolve to your IP, there isn't a redirect anywhere else; you claimed the content is pulled from elsewhere server-side, not client-side, which makes it YOUR problem as well as wherever it is being pulled from).

As for your refusal to deal with it (and given the content of your other IPs, I wasn't surprised at your refusal ......), I've already escalated the cases to your upstream, so will be letting them and LE handle it (little hint: your host is on a Leaseweb IP range - and they do not permit fake meds for example).



#33 MysteryFCM

Posted 04 March 2012 - 04:13 PM

I'm surprised that MBAM does not only block exploit websites (actually not websites but IP addresses/IP ranges with a couple of hundred/thousand websites)
but also websites with suspicious content (who can take on such a role, deciding what is good content and what is not) without any exploit.
And the websites that supposedly cheat ClickBank or whatever, those are again websites without any exploit?


Clickbank issues aren't the cause for the block, and never have been, nor would they ever be.

As for the rest, had it only been a single domain at issue on a shared server, or fewer domains than actual "legit" domains, it wouldn't have been blocked. It's the volume of domains with issues out-numbering the legit domains that is the cause for the block.

This particular IP is going to continue to be blocked due not only to the domains with issues, but to the host's point-blank refusal to deal with them.

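The rule stated in the post above (an address-level block only when the hostnames with issues out-number the legitimate ones on that address, otherwise per-domain entries) is the security-relevant point of the whole thread, because on shared hosting an address-level entry takes down every co-hosted site with it. The following is an added example, not code from Malwarebytes or from any poster, that applies that rule to a resolved hostname table and reports the collateral an address-level block would cause. The hostnames, the documentation-range addresses and the set of flagged sites are constructed; real blocklist criteria are more involved than this one sentence.

```python
from collections import defaultdict

# Constructed stand-in data (not from the thread): documentation-range
# addresses and example.* hostnames stand in for a real reverse-IP lookup.
DNS = {
    "alpha.example":   "192.0.2.80",
    "beta.example":    "192.0.2.80",
    "gamma.example":   "192.0.2.80",
    "delta.example":   "192.0.2.80",
    "epsilon.example": "192.0.2.80",
    "zeta.example":    "192.0.2.80",
    "pills.example":   "192.0.2.81",
    "meds.example":    "192.0.2.81",
    "warez.example":   "192.0.2.81",
    "clean.example":   "192.0.2.81",
}

# Hostnames an analyst has individually verified as bad (exploit code,
# fake meds, splogs). Constructed for the example.
FLAGGED = {"gamma.example", "delta.example",
           "pills.example", "meds.example", "warez.example"}


def reverse_ip(dns):
    """Group hostnames by the address they resolve to."""
    by_ip = defaultdict(set)
    for host, ip in dns.items():
        by_ip[ip].add(host)
    return by_ip


def decide(hosts, flagged):
    """Apply the rule quoted in the thread: block the whole address only
    when flagged hostnames out-number the remaining ones; otherwise list
    the flagged hostnames individually. A tie stays at domain scope.
    Returns the flagged/legit split and the legitimate hostnames an
    address-level block would take down (the collateral)."""
    bad = sorted(hosts & flagged)
    good = sorted(hosts - flagged)
    if len(bad) > len(good):
        return {"scope": "ip", "flagged": bad, "legit": good,
                "collateral": good}
    return {"scope": "domain", "flagged": bad, "legit": good,
            "collateral": []}


def build_blocklist(dns, flagged):
    """Per-address decision plus the concrete entries to publish:
    the address itself, or the individual flagged hostnames."""
    result = {}
    for ip, hosts in reverse_ip(dns).items():
        d = decide(hosts, flagged)
        d["entries"] = [ip] if d["scope"] == "ip" else d["flagged"]
        result[ip] = d
    return result


if __name__ == "__main__":
    for ip, d in sorted(build_blocklist(DNS, FLAGGED).items()):
        print(ip, d["scope"], "block:", d["entries"],
              "collateral:", d["collateral"])
```

With the constructed table, 192.0.2.80 (2 flagged of 6) gets two hostname entries and no collateral, while 192.0.2.81 (3 flagged of 4) gets an address entry that also takes clean.example down; that collateral list is what a host or site owner disputing a block would ask to see.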


#34 JorgeC

Posted 04 March 2012 - 05:30 PM

Actually, to put the story straight, the issues with ClickBank wouldn't have kept the IP blocked (indeed, nor would the splogs if they'd only been linking to non-harmful content); the rest of it, however, does.

Those that are heavily spammed, for example, aren't just spam linking to the odd fraud; it's spam linking to everything else, and it isn't just one or two posts or one site: the guy has several sites, all of which have the same issues. You're the one that has refused to do anything about it (and FYI, the domains resolve to your IP, there isn't a redirect anywhere else; you claimed the content is pulled from elsewhere server-side, not client-side, which makes it YOUR problem as well as wherever it is being pulled from).

I really don't care if there's one link or 1 million spam posts in a forum; I won't ask the account owner to close the forum because of that, and you have no right to request it either.

As for your refusal to deal with it (and given the content of your other IPs, I wasn't surprised at your refusal ......), I've already escalated the cases to your upstream, so will be letting them and LE handle it (little hint: your host is on a Leaseweb IP range - and they do not permit fake meds for example).

Actually, you are lying here, and you do it in your next message too. I refuse to remove content that a customer wants to keep on the server which is not illegal and does not violate anything in our TOS. You don't enforce our TOS; we do.

#35 JorgeC

Posted 04 March 2012 - 05:33 PM

Clickbank issues aren't the cause for the block, and never have been, nor would they ever be.

As for the rest, had it only been a single domain at issue on a shared server, or fewer domains than actual "legit" domains, it wouldn't have been blocked. It's the volume of domains with issues out-numbering the legit domains that is the cause for the block.

This particular IP is going to continue to be blocked due not only to the domains with issues, but to the host's point-blank refusal to deal with them.

Another example of you lying: saying that there are more "unlawful" than "legit" is completely untrue. The number of domains that you accuse of being "unlawful" is about 10% of the domains; moreover, most of them are the kind of sites where you think you have the right to tell a site what content it should have even if it does not violate any law.

#36 MysteryFCM

Posted 04 March 2012 - 05:38 PM

I really don't care if there's one link or 1 million of post spamming in a forum, I wont ask to the account owner to close the forum because of that, and you have no right to request it either.


I asked you to get it cleaned or suspended - there's a difference.

Actually, you are lying here and you do it on your next message too, I refuse to remove contents of a customer want to keep on the server that are not illegal nor violate anything of our TOS. You don't enforce our TOS we do it.


How am I lying? I asked you to take action, you refused - plain and simple.



#37 MysteryFCM

Posted 04 March 2012 - 05:43 PM

Another example of you lying: saying that there are more "unlawful" than "legit" is completely untrue. The number of domains that you accuse of being "unlawful" is about 10% of the domains; moreover, most of them are the kind of sites where you think you have the right to tell a site what content it should have even if it does not violate any law.


Errr no, I think you'll find I'm not. I didn't mention unlawful. I said the list of sites needed dealing with. I deliberately didn't say how they needed to be dealt with, since some simply need cleaning (i.e. those heavily spammed). I also deliberately didn't bother sending you the list of splogs, as I knew you wouldn't deal with those (there were 78 splogs alone).



#38 MysteryFCM

Posted 04 March 2012 - 05:45 PM

With specific regard to those heavily spammed, I believe I've identified where the confusion came from;

* Due to the sheer number of domains involved, I suspect the owner of the sites is actually fully aware of the activities, so would appreciate their termination rather than clean-up


My apologies for the confusion on this one



#39 JorgeC

Posted 04 March 2012 - 05:49 PM

I asked you to get it cleaned or suspended - there's a difference.


So? I don't really care; you can't and shouldn't ask a host to clean a forum or suspend the account. It's just an abandoned forum with spam links, big deal.

How am I lying? I asked you to take action, you refused - plain and simple.


I refused to remove sites that are not illegal. I did take action with counterfeit sites and with sites with malware; that's how you are lying.

#40 JorgeC

Posted 04 March 2012 - 05:53 PM

Errr no, I think you'll find I'm not. I didn't mention unlawful. I said the list of sites needed dealing with. I deliberately didn't say how they needed to be dealt with, since some simply need cleaning (i.e. those heavily spammed). I also deliberately didn't bother sending you the list of splogs, as I knew you wouldn't deal with those (there were 78 splogs alone).

No, I won't find that you are not. I have full access to the server, you don't. You even asked that I clean a forum that I already told you is not hosted on our server; there's a mod_rewrite redirect to a URL that I already told you about and that you can check is not on our server. Besides that, in over 10 years in this industry this is the first time that I have run across somebody telling us that we have to clean or suspend a forum because there's spam on it. Really ridiculous.

Besides that, I really don't know who you think you are to request that we remove splogs. No, I won't remove them, nor will I request that the owners do it.
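The two sides above disagree about whether a forum "is on" the blocked address: JorgeC says a mod_rewrite redirect sends it to a URL elsewhere, and Steven Burn (post #32) says the domain resolves to that address with no client-side redirect, the content being pulled server-side. From outside, the only thing that settles this is the HTTP exchange with the address itself: an Apache RewriteRule with the R flag produces a 3xx whose Location points the client at another host, whereas content fetched server-side (a proxying rewrite, for instance) still arrives as a 200 body from the blocked address, so it is served from there however it was assembled. The following is an added example, not code from either poster, that makes that check on raw responses. The hostnames, the documentation-range addresses and the response bytes are constructed, standing in for what a client connecting to the address with each Host header would see.

```python
import re

# Constructed data (not from the thread). The address under discussion is
# replaced by a documentation-range one; hostnames and responses are made up.
SERVER_IP = "192.0.2.80"
DNS = {
    "forum.example":   "192.0.2.80",    # points at the blocked address
    "other.example":   "198.51.100.7",  # a different host entirely
    "proxied.example": "192.0.2.80",
}

# What a client connecting to SERVER_IP gets back for each Host header.
RESPONSES = {
    # An Apache RewriteRule with the R flag: the client is told to go elsewhere,
    # so the blocked address serves nothing but this redirect.
    "forum.example":
        "HTTP/1.1 301 Moved Permanently\r\n"
        "Location: http://other.example/forum/\r\n"
        "Content-Length: 0\r\n\r\n",
    # Content fetched from elsewhere server-side (for example a proxying
    # rewrite) still arrives in a 200 body from this address.
    "proxied.example":
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 38\r\n\r\n"
        "<html><a href=\"#\">spam link</a></html>",
}


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def location_host(location):
    """Hostname from an absolute Location value; None if it is relative."""
    m = re.match(r"https?://([^/:?#]+)", location, re.IGNORECASE)
    return m.group(1).lower() if m else None


def classify(host, dns=DNS, responses=RESPONSES, server_ip=SERVER_IP):
    """Say whether the content for `host` leaves `server_ip`.
    'redirected-off-host':  3xx whose Location resolves to another address.
    'redirected-on-host':   3xx that stays on this address (relative or same host).
    'redirected-unresolved': 3xx to a host we have no resolution for.
    'served-from-host':     anything else; the bytes come from this address
                            no matter how the server assembled them."""
    status, headers, _ = parse_response(responses[host])
    if 300 <= status < 400 and "location" in headers:
        target = location_host(headers["location"]) or host
        target_ip = dns.get(target)
        if target_ip is None:
            return "redirected-unresolved"
        return "redirected-on-host" if target_ip == server_ip else "redirected-off-host"
    return "served-from-host"


if __name__ == "__main__":
    for name in RESPONSES:
        print(name, "->", classify(name))
```

Only the first kind of domain is an argument against counting it on the address; a 200 body is served from the address whether the bytes originate locally or are pulled in server-side, which is the distinction the analyst draws in post #32. A live check would capture the response with an HTTP client pointed at the address with the Host header set, rather than the constructed strings here.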
