NozHost

False Positive - 199.19.105.72


Hello,

My customers have reported my IP (199.19.105.72) being blocked by you guys.

This IP is my shared cPanel server, it contains no malware. I have checked myself. Please remove block asap.

Thank you.


Having been following your IPs and customers for quite some time, I happen to know that is rubbish I'm afraid. Your customers are primarily into malware, drive-bys and phishing etc, and given you are actively supporting this, you're fully aware of this. Because of this, the block on your IPs is not going to be removed.


Hello Steven,

Firstly let me just confirm Noz LTD does not condone, support or encourage the distribution of malware. We state this in our terms that customers must agree to upon signup.

Please email me where you believe there is malware on this IP. I perform daily searches for malicious tools and do not tolerate it on any of my nodes.

Regards,

Steven Norris

admin [@] nozhost.com


Having it in your ToS doesn't make it so.

As far as this IP, an example would be this little chap, which uses a Java drive-by to install a trojan via dropbox.com;

runescape-tv.com

As I said - I've been following both you and your customers for quite some time, so am very familiar with what they get up to, and the fact it keeps happening, coupled with your proffering it to those on hackforums.net, shows you're actively supporting it (I believe Ecatel and Burst spoke to you about this numerous times, which is why you moved to Voxility and Volumedrive).


Hello Steven,

Noz LTD is a legitimate registered business. I consider your claims we support this content to be offensive and libelous.

Regardless of where my hosting is advertised, we do not allow this content and the amount of abusing users is tiny compared to the amount of domains we host. Noz LTD hosts thousands of websites over hundreds of IPs and you have so far given me 1 abusing domain that is a threat, and the actual threat isn't hosted by us. Is DropBox listed in your block list? We can't monitor every single one individually, but we act on any complaints we receive, and perform daily scans for abusing accounts.

We are still using both Ecatel and Burst without any issues, so I don't know where you have received this wrong information. We moved both servers because we are growing rapidly and needed more resources.

Every web host gets abusing clients, I don't think this should lead to my IPs being blocked by your software.

Please remove the IPs from your database.

Regards,

Steven Norris

Noz LTD


My information regarding Ecatel came directly from Ecatel themselves.

We will not renew our contract with Nozhost (it is on Monthly basis). End date is Jan/13/2012

Until the contract ends we must keep blocking IPs if they don't solve the cases after our request.

Were they lying to me?

As for the IP, yes, I supplied one domain as an example, the fact the executable is on a different domain is irrelevant - you're hosting the drive-by, and have continued to host those, along with fake AVs (e.g. online-virus-scanner.com a few days ago) and exploits (e.g. imviolence.info, which I had suspended on the 7th, which replaced mysticalnet.info, which I had suspended on the 3rd) for as long as I've been monitoring you. Not much point in supplying examples of the domains I've had suspended. An example of a semi-live site;

hxxp://pro-bot.info

-> hxxp://pro-bot.info/content.php

I say "semi live" because whilst the rest of it is still there, the executable has magically disappeared.

To make matters worse, the IP you mentioned is also being shared with other unsavoury hosts such as Spetznaz.

As far as my comment on your supporting such behaviour, as others have noted, the reason we can say such, is because you're primarily advertising to those such as hackforums.net users - people well known for malicious activity.

And yes, I'm already aware of your use of other networks.

As far as "Regardless of where my hosting is advertised", you know full well that advertising on such places, will attract unsavoury characters, and tends to lead to the hosting being used for malicious purposes. Your customers' use of CloudFlare doesn't stop it tracing back to the IPs you're using.

As far as unblocking the IP, because of the history of your IPs and customers, the IP isn't going to be unblocked any time soon. However, I'll go through them all and get you a list of all live cases.


Hi,

I am a large member of Hackforums, I do browse the hosting section a lot. I don't see how you expect a host to suspend accounts that are hosting illegal / malware things if no report is sent directly to them.

I think you should email them, as I have emailed Steven a few times about RuneScape phishing emails and I have gotten a reply within a maximum of 12 hours with a response saying one of two things.

1) Already suspended.

2) We have suspended this account due to your report and thank you for the time in sending us your report.

I believe Steven does his best to get out malware as per his terms of service, which I think are good.

I believe other hosts on Hack forums host more **** and get away with this. Please do send me an email, Steven Burn, on my signed up email for my input on issues.

Thanks,

Jack.


In most cases, an e-mail is sent to the host responsible. However, in this case, and I presume you're referring to Nozhost, I stopped sending them to Nozhost themselves not long after coming across them as reports went unanswered and ignored, instead, reports were sent to the AS owners.

He knows full well, as long as he actively promotes his hosting to the likes of hackforums.net users, he's going to have more issues on the whole, than hosts that don't. I'm not going to debate whether he should be promoting to them or not, he already knows the answer to that.

As for the other hosts on HF, they're getting away with nothing - Nozhost isn't the only one I monitor, and isn't the only one whose customers I've had domains taken away from.

As already mentioned, I'm going through everything on Nozhost and will be sending a list of the active issues (note this isn't the only case I'm working on, so please be patient).


Hello Steven,

My contract with Ecatel is still active and I haven't had contact with them for over a month, even reports. http://image-share.me/di-AYKG.png

So far, you have given me two sites that are actually live and have 'slipped through the net'.

One of them, my servers didn't host the actual threat (We can argue about this all day but you and I both know the actual threat isn't on my server), and another doesn't contain any threat to the browsing general public. I feel as if I'm being made a 'scapegoat' because I'm a small business that can do nothing about it. This wouldn't happen to bigger hosts such as Hostgator etc. As you have already said, I immediately suspended all offending domains as soon as I received a report. What more can a responsible host do?

For your information, we don't primarily host on HackForums, this is just one of over 100 forums and websites we advertise on. Only a tiny portion of our business originates from HackForums. Also no malicious activity originates from HackForums, this is a computer security enthusiast site, I believe the owner has already spoken to you about this matter.

I would like to get this issue sorted quickly and would love a list of any active abuse cases on my server, I assure you they will be dealt with promptly.

While I'm here, may I ask why you didn't just report the cases immediately for me to suspend, rather than punishing the rest of my paying legitimate customers by blocking their visitors? Don't they say 'prevention is better than cure', i.e. wouldn't it be better for you to tell me the malicious accounts rather than blocking them with your software? This would be the more responsible thing to do in my opinion anyway.

Failing everything I just said doesn't get you to realize that I'm actually a responsible service provider, I welcome you to monitor my services in the near future with a hope of you seeing less abuse originating from my servers and a quicker resolution time. If you do come across any abuse, please do tell me, I will act upon any complaints I receive.

My email for abuse reports is abuse [@] nozhost.com, I assure you anything sent there will be rectified well within 24 hours.

Respectfully yours,

Steven Norris

Noz LTD


I'll have to have a word with Ecatel as that's contrary to what they advised me.

As mentioned above, I tried e-mailing several times when I first came across your IPs, and there wasn't a single response, which is why reports were sent to the AS owners (e.g. Ecatel).

As for the block, as mentioned previously, I'm going through your IPs and will send you a list of the active issues.

As for "We can argue about this all day but you and i both know the actual threat isn't on my server" - the drive-by was on YOUR server, the fact the payload was elsewhere is irrelevant (good to see it suspended now).


Hello Steven,

I think Ecatel may have reconsidered after no reports for over 1 month. Please don't bother them about my account, it will do no one any favours.

Regards,

Steven Norris

Noz LTD


To the moderators of this forum. This IP is home to one of the largest RuneScape phishing services. Mass amounts of phishing emails are sent from this server (plus a few others by the same host) to hundreds of thousands of RuneScape players.

Edited by TeMerc
Images and links removed to prevent users from clicking.


I'm fully aware of the situation, but thank you.


Actually no, he isn't. One of the domains he mentioned for example, is dedicated to phishing.

Feel free to send the IPs along however.


To the moderators of this forum. This IP is home to one of the largest RuneScape phishing services. Mass amounts of phishing emails are sent from this server (plus a few others by the same host) to hundreds of thousands of RuneScape players.

Hundreds of thousands really. GTFO.


Actually no, he isn't. One of the domains he mentioned for example, is dedicated to phishing.

Feel free to send the IPs along however.

Please send me the domains he mentioned.


He's referring to fish.in.rs, and is correct. This domain is dedicated to phishing (indeed, it advertises itself as "fully managed phishing system").

Just for kicks n giggles;

http://fish.in.rs/images/prices.png
http://pelicandemo.netai.net/


PING pelicandemo.netai.net (31.170.161.116): 56 data bytes

64 bytes from 31.170.161.116: icmp_seq=0 ttl=54 time=113.417 ms

64 bytes from 31.170.161.116: icmp_seq=1 ttl=54 time=116.635 ms

64 bytes from 31.170.161.116: icmp_seq=2 ttl=54 time=113.710 ms

--- pelicandemo.netai.net ping statistics ---

3 packets transmitted, 3 packets received, 0% packet loss

round-trip min/avg/max/stddev = 113.417/114.587/116.635/1.453 ms

Not my server just for 'kicks and giggles'


Never said that one was ;)


Your involvement in RuneScape "stealers" has a lot to do with it.


Hello,

My site is a website which gives their users a better understanding of how malware and hacking works. In no way do we distribute malware. I don't understand why you blacklisted my IP when I have a small section which talks about RuneScape hacking, which is pathetic.

Regards


I'm not new to this game I'm afraid - I've been following your website for over a year ;)
