Elise

91.215.158.80 false positive?

54 posts in this topic

As of today MBAM is blocking this IP: 91.215.158.80 (www.ip-address.org)

I am wondering if this is a false positive and if not, what the reason is for it being blocked.

Thank you for the clarification! :)


It's not an F/P. I'm currently working with WorldStream to get their ranges cleaned up.


IP-address.org is accidentally blocked for sure. Further investigation of IP address 91.215.158.80 shows that this IP address is not listed on any website as a suspicious IP address.

So hopefully you will unblock this IP address soon.


At the time of blocking, that site wasn't on 91.215.158.80.

As there is still abuse (exploits primarily) present on this IP, regardless of the presence of ip-address.org, it can't currently be unblocked (the abuse isn't restricted to a single site, or it wouldn't have been blocked).


http://www.ip-address.org/tracer/ip-whois.php shows that IP-address.org uses the following nameservers:

Name Server:EU1.DOWNTOWNHOST.COM

Name Server:EU2.DOWNTOWNHOST.COM

I guess that you must know exactly where the abuse is (the website that has been exploited on the server).

If you contact the web hosting company DOWNTOWNHOST.COM (http://downtownhost.com/),

then I'm sure that they will remove the exploit directly.

If you do not have time, let me know and I will contact them regarding the exploit and the issue with MB.


The issues were reported on the same day they were found.

To WorldStream.nl (I guess) or to Downtownhost.com?


The IP range is owned by Leaseweb, not WorldStream. I'm drafting a follow-up to get a status report as I write this, so we can get this resolved and unblocked.

/edit

Just realised where the confusion over ownership came from, that was my fault (I was dealing with a WorldStream case at the same time as first replying to this thread and wrote WorldStream when I should've written Leaseweb).

> I'm drafting a follow-up to get a status report as I write this, so we can get this resolved and unblocked.

Excellent that this is going to be resolved and unblocked.

BTW

A whois lookup shows http://www.infinitetech.eu as the owner of the IP range. They probably rent out a dedicated server to downtownhost.com, because they are directly behind the server with IP address 91.215.158.80.

http://www.ip-addres...er/ip-whois.php

Results for 91.215.158.80 :

Information related to '91.215.156.0 - 91.215.159.255'
inetnum: 91.215.156.0 - 91.215.159.255
netname: INFINITE-TECH-PI
descr: Infinite Technologies Internet Solutions Limited
remarks: Managed VPS, Cloud Computing & Dedicated Servers
country: NL
admin-c: IT1314-RIPE
tech-c: IT1314-RIPE
org: ORG-ITIS3-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-lower: RIPE-NCC-END-MNT
mnt-by: ITECH-MNT
mnt-domains: ITECH-MNT
mnt-routes: ITECH-MNT
remarks: =======================
remarks: www.InfiniteTech.eu
remarks: =======================
source: RIPE # Filtered

organisation: ORG-ITIS3-RIPE
org-name: Infinite Technologies Ltd
org-type: OTHER
address: www.InfiniteTech.eu
mnt-ref: ITECH-MNT
mnt-by: ITECH-MNT
source: RIPE # Filtered

role: Infinite Technologies
address: www.InfiniteTech.eu
remarks: =======================
remarks: abuse notifications to be sent only via email
abuse-mailbox: abuse@infinitetech.eu
remarks: phone, fax & email for technical support only
phone: +31 10-3400043
fax-no: +31 10-7131560
remarks: =======================
admin-c: IT1314-RIPE
tech-c: IT1314-RIPE
nic-hdl: IT1314-RIPE
mnt-by: ITECH-MNT
source: RIPE # Filtered

% Information related to '91.215.158.0/23AS16265'
route: 91.215.158.0/23
descr: Infinite Technologies
origin: AS16265
remarks: Infinite Technologies
mnt-by: OCOM-MNT
source: RIPE # Filtered

% Information related to '91.215.156.0/22AS16265'
route: 91.215.156.0/22
descr: Infinite Technologies
origin: AS16265
mnt-by: OCOM-MNT
source: RIPE # Filtered


My company has a server with 400+ different domains at IP 91.215.156.X; same problem here.

I got a complaint from a customer who lost a sale because of the incorrect identification of our IP as a malware source. We also have problems explaining to the customer that this is a false positive, and it may affect our company's reputation. Luckily I found this thread; we are sending him this.

Of course we are recommending that the customer uninstall Malwarebytes and look for other malware protection, because Malwarebytes blacklists IP ranges instead of domains and is unable to provide correct and accurate identification of malware sites.

How reliable can Malwarebytes be if a whole network is blacklisted because of one single site? Our IP alone has 400 domains. Sorry, but I disagree with your blacklisting method: if one site has been infected by malware there is no reason to blacklist the whole server; blacklist only the infected site.

Also, I would appreciate having a way to check the original complaint for our IP, so we can suspend service, contact the customer, etc. At this time we have not received a complaint for our IP.


You keep mentioning your IP, but you've not mentioned which IP you actually have, which means I can't look into the possibility of an exception for it.

The block was never due to a single domain or a single IP.

As for being unable to provide correct and accurate data, the data was passed to the DC at the time of identification and several times since, and is only now being taken care of.


> You keep mentioning your IP, but you've not mentioned which IP you actually have, which means I can't look into the possibility of an exception for it.
>
> The block was never due to a single domain or a single IP.
>
> As for being unable to provide correct and accurate data, the data was passed to the DC at the time of identification and several times since, and is only now being taken care of.

Of course, for security reasons I shouldn't disclose the exact IP on a public forum.

In fact it doesn't matter, as you seem to be blocking 1024 IPs for one malware case, which is obviously unreasonable. Why not block the whole internet? That way you are sure nobody gets malware.

Consider it: if users get too many false positives, they will uninstall the software.

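The posts above turn on two things a defender would verify for themselves: what the RIPE record quoted earlier actually covers, and how many addresses a range block of that size takes with it. As an added example (not code from the thread, from Malwarebytes, or from any of the hosts named), the script below parses a constructed excerpt of that record, finds which of its blocks contain 91.215.158.80, and reports each block's size; the /22 route object is exactly the 1024 addresses the post above complains about, and the abuse-mailbox attribute is where the record says reports for the range should go.

```python
import ipaddress

# Constructed excerpt of the RIPE whois record quoted earlier in the thread
# (same "attribute: value" layout; lines starting with '%' are comments).
WHOIS_TEXT = """\
% Information related to '91.215.156.0 - 91.215.159.255'
inetnum:        91.215.156.0 - 91.215.159.255
netname:        INFINITE-TECH-PI
country:        NL
abuse-mailbox:  abuse@infinitetech.eu
source:         RIPE # Filtered
% Information related to '91.215.158.0/23AS16265'
route:          91.215.158.0/23
origin:         AS16265
% Information related to '91.215.156.0/22AS16265'
route:          91.215.156.0/22
origin:         AS16265
"""

def parse_whois(text):
    """Map each attribute name to the list of its values, skipping '%' comment lines."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("%"):
            continue
        key, _, value = line.partition(":")  # values may themselves contain ':'
        attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs

def record_networks(attrs):
    """Networks named by the record: the inetnum assignment, then each route object."""
    nets = {}
    for rng in attrs.get("inetnum", []):
        start, end = (ipaddress.ip_address(p.strip()) for p in rng.split("-"))
        for net in ipaddress.summarize_address_range(start, end):
            nets[str(net)] = ("inetnum", net)
    for cidr in attrs.get("route", []):
        net = ipaddress.ip_network(cidr, strict=False)
        nets.setdefault(str(net), ("route", net))  # inetnum wins if the same prefix
    return nets

def blocks_containing(attrs, ip):
    """Each block of the record that contains ip, as (prefix, attribute, address count)."""
    addr = ipaddress.ip_address(ip)
    return [(prefix, kind, net.num_addresses)
            for prefix, (kind, net) in record_networks(attrs).items()
            if addr in net]
```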

Security reasons? Absolute rubbish. If you're not going to mention the IP, I can't help you.

Who said it was 1 malware case?


Malwarebytes is still blocking 91.215.158.80. It is unbelievable.

Have you contacted www.InfiniteTech.eu? Have you contacted Downtownhost (they have not received any note from you)?

What are you guys doing here? You have not told us publicly what the issue with 91.215.158.80 is. And not only 91.215.158.80: there are many other IP addresses in the same IP range blocked.


I am in touch with them, yes, and have re-sent some issues over (some have been dealt with, others haven't). I'm now collecting the issues together for them.

Not quite as simple as you'd like I'm afraid, given some of the people they're playing home to.

As mentioned, the block will be removed when the issues found are resolved. This is also not the only case I'm working on, so it isn't going to be unblocked in 5 minutes.


If there are no issues on 91.215.158.80, there is no reason to block it.

Blocking entire ranges is a very bad idea.


I understand that.

> I am in touch with them, yes, and have re-sent some issues over (some have been dealt with, others haven't). I'm now collecting the issues together for them.
>
> Not quite as simple as you'd like I'm afraid, given some of the people they're playing home to.
>
> As mentioned, the block will be removed when the issues found are resolved. This is also not the only case I'm working on, so it isn't going to be unblocked in 5 minutes.

Thank you for the reply, but it is not clear to me why you block the whole IP range.

It is the IP range 91.215.156.0 - 91.215.159.255.

So I have tried to access randomly chosen IP addresses between 91.215.156.0 and 91.215.159.255, and all of them are blocked.

You said in another thread that it is not true that you block whole ranges, and that is hard to believe, because the range 91.215.156.0 - 91.215.159.255 is a typical example of a whole range having been blocked, and there are probably 10.000 innocent websites.

I'm asking again: what is wrong with IP address 91.215.158.80? And if there is any malicious website, then let me know which one and there will be direct action to isolate that IP address.

Isn't that easy? But every time you say "I am in touch with them". I can hardly believe that Downtownhost (known as an excellent company) has received notice and has not done anything.


As mentioned previously, the issues aren't isolated to a single IP. It's just one of many with issues (not helped by its having a known blackhat host (B4LHost) living on it), a list of which I'm collating and re-verifying to send across.

As for what is wrong with the IP - it's housing everything from malware to fraud et al.

And as for what I said, you'll find I said we don't always block ranges, not we never block ranges. It's a decision made on a case by case basis.

Please be advised, the more I've got to reply to this thread, the longer it is going to take to get everything done. As mentioned previously, this isn't the only case I am working on.


So you are here blocking the whole IP range 91.215.156.0 - 91.215.159.255. That way you are blocking many innocent websites in the whole range, and I can believe that the MB team does it in such a way.

But back to one IP address from the whole range 91.215.156.0 - 91.215.159.255, back to IP address 91.215.158.80.

It looks as if there is nothing wrong with IP address 91.215.158.80. If there is something wrong, then show me any of the malicious sites below (all using IP address 91.215.158.80), and if there is nothing wrong, then please unblock IP address 91.215.158.80.

I'm asking again and again and again: show me evidence of what is wrong with 91.215.158.80. Do not block 91.215.158.80 because of some other IP address in the same IP range. You should never do it that way. It is completely wrong.

If there is one killer living in one city, then it does not mean that all citizens in that city are killers. But MB's logic is that all citizens in that city are killers.

That is exactly what you are doing for the IP range 91.215.156.0 - 91.215.159.255. Because of one or two or even 100 wrong IP addresses you are blocking 10.000.

List of websites using 91.215.158.80:



There's actually over 350 using that IP at present .....

Your analogy is also invalid.

As for giving you the evidence, you can have it once it is collated and re-verified and not before then.


Here is evidence that you have never contacted Downtownhost (who are directly responsible for managing the server related to IP address 91.215.158.80):

---------------------------------------------------

Hello ...,

There is no issue with 91.215.158.80 and no other customer complaint about IP blockage yet.

Our data center has a very strict policy for abuse issues. If possible please tell them to send us the "sheer volume of abuse logs" at support@downtownhost.com and we will take care of it.

Kind Regards,

Scott Pates

Downtownhost


Of course (funny how most associated with blackhats tend to say the same thing .....- sadly you'll find the DC knows otherwise, I've been working with them for quite some time now)

And a little hint: trying to insult the person working on this is just going to get you ignored.

As an aside by the way, I don't know what your connection to the IP is, but lovely tidbit for you - whilst downtownhost.com cleaned one of the files on the site housing the exploit, he didn't clean it properly, which left at least 2 other files still housing exploit code. He was sent another e-mail about this earlier.

> Whilst downtownhost.com cleaned one of the files on the site housing the exploit, he didn't clean it properly, which left at least 2 other files still housing exploit code. He was sent another e-mail about this earlier.

The last information that I have is that all the malware files are cleaned now. Can you confirm it? I wonder when you are going to release the blockade of IP address 91.215.158.80.
