91.215.158.80 false positive?


53 replies to this topic

#1 Elise
Forum Deity (Experts, 8,721 posts, Location: Romania)

Posted 11 February 2012 - 02:49 PM

As of today MBAM is blocking this IP: 91.215.158.80 (www.ip-address.org)

I am wondering if this is a false positive and if not, what the reason is for it being blocked.

Thank you for the clarification! :)
regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.



#2 MysteryFCM
Forum Deity (Moderators, 5,389 posts, Location: Tyneside, UK)

Posted 11 February 2012 - 03:35 PM

It's not an F/P. I'm currently working with WorldStream to get their ranges cleaned up.

Steven Burn

Malware Intelligence Analyst




#3 Elise
Forum Deity (Experts, 8,721 posts, Location: Romania)

Posted 11 February 2012 - 03:49 PM

Thanks again! :)
regards, Elise



#4 deny
New Member (Members, 26 posts)

Posted 26 February 2012 - 03:09 PM

IP-address.org is accidentally blocked for sure. Further investigation of IP address 91.215.158.80 shows that this IP address is not listed on any website as a suspicious IP address.
So hopefully you will unblock this IP address soon.

#5 MysteryFCM
Forum Deity (Moderators, 5,389 posts, Location: Tyneside, UK)

Posted 26 February 2012 - 04:25 PM

At the time of blocking, that site wasn't on 91.215.158.80.

As there is still abuse (exploits primarily) present on this IP, regardless of the presence of ip-address.org, it can't currently be unblocked (the abuse isn't restricted to a single site or it wouldn't have been blocked)



#6 deny
New Member (Members, 26 posts)

Posted 27 February 2012 - 02:29 AM

http://www.ip-addres...er/ip-whois.php shows that IP-address.org uses these nameservers:
Name Server:EU1.DOWNTOWNHOST.COM
Name Server:EU2.DOWNTOWNHOST.COM

I guess that you must know exactly where the abuse is (the website that has been exploited on the server).
If you contact the web hosting company DOWNTOWNHOST.COM - http://downtownhost.com/
then I'm sure that they will remove the exploit directly.

If you do not have time, let me know and I will contact them regarding the exploit and the issue with MB.

#7 MysteryFCM
Forum Deity (Moderators, 5,389 posts, Location: Tyneside, UK)

Posted 27 February 2012 - 02:32 AM

The issues were reported on the same day they were found.



#8 deny
New Member (Members, 26 posts)

Posted 27 February 2012 - 03:29 AM

The issues were reported on the same day they were found.


To WorldStream.nl (i guess) or to Downtownhost.com?

#9 MysteryFCM
Forum Deity (Moderators, 5,389 posts, Location: Tyneside, UK)

Posted 27 February 2012 - 03:53 AM

The IP range is owned by Leaseweb, not WorldStream. I'm drafting a follow-up to get a status report as I write this, so we can get this resolved and unblocked.

/edit

Just realised where the confusion over ownership came from; that was my fault (I was dealing with a WorldStream case at the same time as first replying to this thread and wrote WorldStream when I should've written Leaseweb).



#10 deny
New Member (Members, 26 posts)

Posted 27 February 2012 - 04:02 AM

I'm drafting a follow-up to get a status report as I write this, so we can get this resolved and unblocked.


Excellent that this is going to be resolved and unblocked.


btw

Whois lookup shows http://www.infinitetech.eu as the owner of the IP range. And they probably rent out a dedicated server to downtownhost.com, because they are directly behind the server with IP address 91.215.158.80.


http://www.ip-addres...er/ip-whois.php

Results for 91.215.158.80 :

Information related to '91.215.156.0 - 91.215.159.255'

inetnum: 91.215.156.0 - 91.215.159.255
netname: INFINITE-TECH-PI
descr: Infinite Technologies Internet Solutions Limited
remarks: Managed VPS, Cloud Computing & Dedicated Servers
country: NL
admin-c: IT1314-RIPE
tech-c: IT1314-RIPE
org: ORG-ITIS3-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: ITECH-MNT
mnt-domains: ITECH-MNT
mnt-routes: ITECH-MNT
remarks: =======================
remarks: www.InfiniteTech.eu
remarks: =======================
source: RIPE # Filtered

organisation: ORG-ITIS3-RIPE
org-name: Infinite Technologies Ltd
org-type: OTHER
address: www.InfiniteTech.eu
mnt-ref: ITECH-MNT
mnt-by: ITECH-MNT
source: RIPE # Filtered

role: Infinite Technologies
address: www.InfiniteTech.eu
remarks: =======================
remarks: abuse notifications to be sent only via email
abuse-mailbox: abuse@infinitetech.eu
remarks: phone, fax & email for technical support only
phone: +31 10-3400043
fax-no: +31 10-7131560

remarks: =======================
admin-c: IT1314-RIPE
tech-c: IT1314-RIPE
nic-hdl: IT1314-RIPE
mnt-by: ITECH-MNT
source: RIPE # Filtered

% Information related to '91.215.158.0/23AS16265'

route: 91.215.158.0/23
descr: Infinite Technologies
origin: AS16265
remarks: Infinite Technologies
mnt-by: OCOM-MNT
source: RIPE # Filtered

% Information related to '91.215.156.0/22AS16265'

route: 91.215.156.0/22
descr: Infinite Technologies
origin: AS16265
mnt-by: OCOM-MNT
source: RIPE # Filtered

#11 MysteryFCM
Forum Deity (Moderators, 5,389 posts, Location: Tyneside, UK)

Posted 27 February 2012 - 04:13 AM

Yep, I know.



#12 trrflf
New Member (Members, 4 posts)

Posted 28 February 2012 - 07:42 AM

My company has a server with 400+ different domains at IP 91.215.156.X; same problem here.

I got a complaint from a customer that lost a sale because of incorrect identification of our IP as a malware source. We also have problems explaining to the customer that this is a false positive, and it may affect our company's reputation. Luckily I found this thread; we are sending him this.

Of course we are recommending the customer to uninstall Malwarebytes and look for other malware protection, because Malwarebytes blacklists IP ranges instead of domains and is unable to provide correct and accurate identification of malware sites.

How reliable can Malwarebytes be if a whole network is blacklisted because of 1 single site? Our IP alone has 400 domains. Sorry, but I disagree with your blacklisting method: if one site has been infected by malware there is no reason to blacklist the whole server; blacklist only the infected site.

Also, I would appreciate having a way to check the original complaint for our IP, to suspend service, contact the customer, etc. At this time we haven't received a complaint for our IP.

#13 MysteryFCM
Forum Deity (Moderators, 5,389 posts, Location: Tyneside, UK)

Posted 28 February 2012 - 07:57 AM

You keep mentioning your IP, but you've not mentioned which IP you actually have, which means I can't look into the possibility of an exception for it.

The block was never due to a single domain or a single IP.

As for being unable to provide correct and accurate data, the data was passed to the DC at the time of identification and several times since, and is only now being taken care of.



#14 trrflf
New Member (Members, 4 posts)

Posted 28 February 2012 - 08:09 AM

You keep mentioning your IP, but you've not mentioned which IP you actually have, which means I can't look into the possibility of an exception for it.

The block was never due to a single domain or a single IP.

As for being unable to provide correct and accurate data, the data was passed to the DC at the time of identification and several times since, and is only now being taken care of.


Of course, for security reasons I shouldn't disclose the exact IP on a public forum.

In fact it doesn't matter, as you seem to be blocking 1024 IPs for 1 malware case, which is obviously unreasonable. Why not block the whole internet? That way you are sure nobody gets malware.

Consider it: if users get too many false positives, they will uninstall the software.

#15 MysteryFCM
Forum Deity (Moderators, 5,389 posts, Location: Tyneside, UK)

Posted 28 February 2012 - 08:33 AM

Security reasons? Absolute rubbish. If you're not going to mention the IP, I can't help you.

Who said it was 1 malware case?



#16 deny
New Member (Members, 26 posts)

Posted 28 February 2012 - 05:41 PM

Malwarebytes is still blocking 91.215.158.80. It is unbelievable.

Have you contacted www.InfiniteTech.eu? Have you contacted Downtownhost (they have not received any note from you)?

What are you guys doing here? You have not told publicly what the issue is with 91.215.158.80. And not only 91.215.158.80: there are many other IP addresses in the same IP range blocked.

#17 MysteryFCM
Forum Deity (Moderators, 5,389 posts, Location: Tyneside, UK)

Posted 28 February 2012 - 06:16 PM

I am in touch with them, yes, and have re-sent some issues over (some have been dealt with, others haven't). I'm now collecting the issues together for them.

Not quite as simple as you'd like I'm afraid, given some of the people they're playing home to.

As mentioned, the block will be removed when the issues found, are resolved. This is also not the only case I'm working on, so isn't going to be unblocked in 5 minutes.



#18 trrflf
New Member (Members, 4 posts)

Posted 28 February 2012 - 09:47 PM

If there are no issues on 91.215.158.80, there is no reason to block it.

Blocking entire ranges is a very bad idea.

#19 deny
New Member (Members, 26 posts)

Posted 29 February 2012 - 02:55 AM

I understand that

I am in touch with them, yes, and have re-sent some issues over (some have been dealt with, others haven't). I'm now collecting the issues together for them.

Not quite as simple as you'd like I'm afraid, given some of the people they're playing home to.

As mentioned, the block will be removed when the issues found, are resolved. This is also not the only case I'm working on, so isn't going to be unblocked in 5 minutes.


Thank you for the reply, but it is still not clear to me why you block the whole IP range.
It is IP range 91.215.156.0 - 91.215.159.255.

So I have tried to access randomly chosen IP addresses between 91.215.156.0 and 91.215.159.255, and all of them are blocked.
You said in another thread that it is not true that you block whole ranges, and that is hard to believe, because the range 91.215.156.0 - 91.215.159.255 is a typical example of a whole range having been blocked, and there are probably 10,000 innocent websites.

I'm asking again: what is wrong with IP address 91.215.158.80? And if there is any malicious website, let me know which one and there will be direct action to isolate that IP address.

Isn't that easy? But every time you say "I am in touch with them". I can hardly believe that Downtownhost (known as an excellent company) has received a notice and has not done anything.

#20 MysteryFCM
Forum Deity (Moderators, 5,389 posts, Location: Tyneside, UK)

Posted 29 February 2012 - 03:19 AM

As mentioned previously, the issues aren't isolated to a single IP. It's just one of many with issues (not helped by its having a known blackhat host (B4LHost) living on it), a list of which, I'm collating and re-verifying to send across.

As for what is wrong with the IP - it's housing everything from malware to fraud et al.

And as for what I said, you'll find I said we don't always block ranges, not we never block ranges. It's a decision made on a case by case basis.

Please be advised, the more I've got to reply to this thread, the longer it is going to take to get everything done. As mentioned previously, this isn't the only case I am working on.

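Added example (not part of the thread, and not Malwarebytes' or any poster's tooling): the two practical questions running through this thread are "which allocation and route does 91.215.158.80 sit in, and who is the abuse contact?" (the RIPE record deny pasted in #10) and "what does a range block with a per-host exception actually cover?" (the 1024-address /22 argued over in #14 and #19, and the exception MysteryFCM offers in #13). The script below answers both offline. The whois text is a constructed, trimmed copy of the record posted above, not a live lookup; the function and class names (`parse_ripe_objects`, `whois_summary`, `RangeBlocklist`) are my own and do not correspond to any vendor's real block-list implementation.

```python
import ipaddress
import re

# Constructed sample input: a trimmed copy of the RIPE whois record for
# 91.215.158.80 as pasted in this thread (not a live lookup).
WHOIS_TEXT = """\
inetnum: 91.215.156.0 - 91.215.159.255
netname: INFINITE-TECH-PI
descr: Infinite Technologies Internet Solutions Limited
country: NL
admin-c: IT1314-RIPE
tech-c: IT1314-RIPE
org: ORG-ITIS3-RIPE
status: ASSIGNED PI
source: RIPE # Filtered

organisation: ORG-ITIS3-RIPE
org-name: Infinite Technologies Ltd
source: RIPE # Filtered

role: Infinite Technologies
remarks: abuse notifications to be sent only via email
abuse-mailbox: abuse@infinitetech.eu
nic-hdl: IT1314-RIPE
source: RIPE # Filtered

% Information related to '91.215.158.0/23AS16265'

route: 91.215.158.0/23
descr: Infinite Technologies
origin: AS16265
source: RIPE # Filtered

% Information related to '91.215.156.0/22AS16265'

route: 91.215.156.0/22
descr: Infinite Technologies
origin: AS16265
source: RIPE # Filtered
"""

_ATTR = re.compile(r"^([a-z][a-z0-9-]*):\s*(.*)$")


def parse_ripe_objects(text):
    """Split RIPE-style whois output into objects: one dict per blank-line
    separated block, key -> list of values (keys such as mnt-by can repeat).
    '%' comment lines are ignored and also terminate the current object."""
    objects, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("%"):
            if current:
                objects.append(current)
                current = {}
            continue
        m = _ATTR.match(line)
        if m:
            key, value = m.groups()
            current.setdefault(key, []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def inetnum_networks(inetnum):
    """'91.215.156.0 - 91.215.159.255' -> the CIDR blocks covering that range."""
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return list(ipaddress.summarize_address_range(first, last))


def whois_summary(text, ip):
    """Allocation, BGP routes and abuse contacts relevant to `ip`."""
    addr = ipaddress.ip_address(ip)
    objects = parse_ripe_objects(text)
    nets = [n for o in objects for v in o.get("inetnum", []) for n in inetnum_networks(v)]
    routes = [(o["route"][0], o["origin"][0]) for o in objects if "route" in o and "origin" in o]
    return {
        "allocation": [str(n) for n in nets if addr in n],
        "allocation_size": sum(n.num_addresses for n in nets if addr in n),
        "routes": [r for r in routes if addr in ipaddress.ip_network(r[0])],
        "abuse": sorted({v for o in objects for v in o.get("abuse-mailbox", [])}),
    }


class RangeBlocklist:
    """Block by CIDR with per-host exceptions: the shape of the decision a
    reputation list makes when it blocks an allocation but carves out a clean
    tenant (hypothetical model, not any vendor's real implementation)."""

    def __init__(self, blocked, exceptions=()):
        # collapse_addresses merges overlapping entries so counts are not inflated
        self.blocked = list(ipaddress.collapse_addresses(
            ipaddress.ip_network(b, strict=False) for b in blocked))
        self.exceptions = [ipaddress.ip_network(e, strict=False) for e in exceptions]

    def is_blocked(self, ip):
        addr = ipaddress.ip_address(ip)
        if any(addr in e for e in self.exceptions):
            return False  # exceptions win over range blocks
        return any(addr in b for b in self.blocked)

    def blocked_count(self):
        """Distinct addresses blocked: overlaps collapsed, exceptions that sit
        inside a blocked range subtracted (assumes exceptions do not overlap)."""
        total = sum(n.num_addresses for n in self.blocked)
        excluded = sum(e.num_addresses for e in self.exceptions
                       if any(e.subnet_of(b) for b in self.blocked))
        return total - excluded


if __name__ == "__main__":
    summary = whois_summary(WHOIS_TEXT, "91.215.158.80")
    print(summary)
    # Block the whole allocation, then carve out the one host under dispute.
    bl = RangeBlocklist(summary["allocation"], exceptions=["91.215.158.80/32"])
    print(bl.blocked_count(), bl.is_blocked("91.215.158.80"), bl.is_blocked("91.215.157.1"))
```

Running it reports the /22 allocation (1,024 addresses, which is where the "1024 IPs" figure in the thread comes from), both covering routes on AS16265, and the abuse mailbox to use instead of the support phone number; the block-list model shows that an exception for one host leaves the other 1,023 addresses blocked, which is exactly the trade-off the moderator and the hosting customers are arguing about.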




