
41.185.13.55 / www.capewine.co.zw


Sharman


Hi

I'm busy investigating a possible false positive for the following site:  41.185.13.55 hxxp://www.capewine.co.zw

Below are the logs from Malwarebytes:

Malwarebytes Anti-Malware
www.malwarebytes.org

Update, 2015-11-16 10:25 AM, SYSTEM, CYBERTECH, Scheduler, IP Database, 2015.11.10.1, 2015.11.13.1,
Update, 2015-11-16 10:25 AM, SYSTEM, CYBERTECH, Scheduler, Rootkit Database, 2015.11.13.1, 2015.11.14.1,
Update, 2015-11-16 10:25 AM, SYSTEM, CYBERTECH, Scheduler, Remediation Database, 2015.11.10.2, 2015.11.13.1,
Update, 2015-11-16 10:25 AM, SYSTEM, CYBERTECH, Scheduler, Domain Database, 2015.11.12.1, 2015.11.16.1,
Update, 2015-11-16 10:26 AM, SYSTEM, CYBERTECH, Scheduler, Malware Database, 2015.11.13.4, 2015.11.16.2,
Protection, 2015-11-16 10:26 AM, SYSTEM, CYBERTECH, Protection, Refresh, Starting,
Protection, 2015-11-16 10:26 AM, SYSTEM, CYBERTECH, Protection, Malicious Website Protection, Stopping,
Protection, 2015-11-16 10:26 AM, SYSTEM, CYBERTECH, Protection, Malicious Website Protection, Stopped,
Protection, 2015-11-16 10:47 AM, SYSTEM, CYBERTECH, Protection, Refresh, Success,
Protection, 2015-11-16 10:47 AM, SYSTEM, CYBERTECH, Protection, Malicious Website Protection, Starting,
Protection, 2015-11-16 10:48 AM, SYSTEM, CYBERTECH, Protection, Malicious Website Protection, Started,
Detection, 2015-11-16 10:58 AM, SYSTEM, CYBERTECH, Protection, Malicious Website Protection, Domain, 41.185.13.124, pop.capewine.co.zw, 56013, Outbound, C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE,
Detection, 2015-11-16 11:14 AM, SYSTEM, CYBERTECH, Protection, Malicious Website Protection, Domain, 41.185.13.55, capewine.co.zw, 56357, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe,
Detection, 2015-11-16 11:42 AM, SYSTEM, CYBERTECH, Protection, Malicious Website Protection, Domain, 41.185.13.55, ftp.capewine.co.zw, 56834, Outbound, C:\Program Files\FileZilla FTP Client\filezilla.exe,
Detection, 2015-11-16 01:01 PM, SYSTEM, CYBERTECH, Protection, Malicious Website Protection, Domain, 41.185.13.55, capewine.co.zw, 57689, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe,
Update, 2015-11-16 01:03 PM, SYSTEM, CYBERTECH, Manual, IP Database, 2015.11.13.1, 2015.11.16.1,
Protection, 2015-11-16 01:03 PM, SYSTEM, CYBERTECH, Protection, Refresh, Starting,
Protection, 2015-11-16 01:03 PM, SYSTEM, CYBERTECH, Protection, Malicious Website Protection, Stopping,
Protection, 2015-11-16 01:03 PM, SYSTEM, CYBERTECH, Protection, Malicious Website Protection, Stopped,
Protection, 2015-11-16 01:04 PM, SYSTEM, CYBERTECH, Protection, Refresh, Success,
Protection, 2015-11-16 01:04 PM, SYSTEM, CYBERTECH, Protection, Malicious Website Protection, Starting,
Protection, 2015-11-16 01:04 PM, SYSTEM, CYBERTECH, Protection, Malicious Website Protection, Started,
Detection, 2015-11-16 01:05 PM, SYSTEM, CYBERTECH, Protection, Malicious Website Protection, Domain, 41.185.13.55, ftp.capewine.co.zw, 57873, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe,
Detection, 2015-11-16 01:09 PM, SYSTEM, CYBERTECH, Protection, Malicious Website Protection, Domain, 41.185.13.55, capewine.co.zw, 59015, Outbound, C:\Program Files (x86)\Internet Explorer\iexplore.exe,
Scan, 2015-11-16 01:45 PM, SYSTEM, CYBERTECH, Manual, Start:2015-11-16 01:05 PM, Duration:40 min 41 sec, Threat Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections,
Detection, 2015-11-16 02:17 PM, SYSTEM, CYBERTECH, Protection, Malicious Website Protection, Domain, 41.185.13.55, capewine.co.zw, 64004, Outbound, C:\Program Files (x86)\Internet Explorer\iexplore.exe,
(end)

The following is what I have investigated together with my ISP:

- The traffic being blocked looks to be outbound by the logs and to ports ranging from 56xxx to 57xxx.
  These look to be the requests that are being sent out from your machine to the web server, which will then be queried to give the needed response.
- Since you are getting the error now on mail, FTP and web, it looks like the domain name itself, and not the IP, is the issue.
  In this event we normally check if the domain name (and thus the corresponding IP of the host) is blacklisted.
  Checking on MXToolbox, we got the following result:
  "Checking capewine.co.zw which resolves to 41.185.13.55 against 102 known blacklists...
  Listed 0 times with 0 timeouts"
  This means the site is not blacklisted anywhere.
- Inspecting the website code displayed on the front page did not reveal anything suspicious.
  Please note that we are not website developers, so better hidden code will evade us.
- To be sure the IP was not blocked, we tested a few websites and none of them were blocked by Malwarebytes.

The conclusion I can come to after all of this is the following:
- Your website may have been compromised at some stage, but there is a good chance (although not 100% positive) that it is not any more.
- The issue may be (or have been) with the database used by the site.
- As I picked up another .co.zw domain owner asking about this while looking on the web, it may be .co.zw related (although I could not find sufficient evidence to support this claim).
- A lot of sites are flagged falsely by Malwarebytes, as its good security is also tied to its "better safe than sorry" approach.
  They have a forum where one can request a delist for the domain or request more information.

Unfortunately this is the only information I could come up with at the moment, as finer detail about exactly why the sites get reported is vague.
No conclusive information is given either, and I was unable to find a lookup for Malwarebytes blocks.

 

From the log file there is no indication of exactly what the cause is?

As you can see from the log, it detected a problem in Outlook, Chrome, FileZilla, Firefox and IE.

Because of the Outbound error I ran a scan on my system and Malwarebytes detected nothing. I’m not sure what the number is after the domain in the line entry in the log but am assuming it is either an error code or a port number. 

Is there anywhere else I can check to see why my site is being blocked by MWB?

 

Kind regards

Robin
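An added example, not from the original post or from Malwarebytes: it parses a protection log in the flattened form shown above, re-finding record boundaries by the record-type token that the paste pushed onto the previous line, then summarises which hostnames, IPs and processes triggered Malicious Website Protection and whether the Threat Scan reported zero detections. The embedded log is a constructed excerpt in the page's own format; the field layout after the module name (Domain, IP, hostname, port, direction, process) is read from the log lines on the page.

```python
import re
from collections import defaultdict

# Constructed excerpt of a Malwarebytes Anti-Malware protection log in the
# form seen on the forum page: each record's type token ("Detection", "Scan",
# ...) was pushed to the end of the previous line when the log was pasted.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware
www.malwarebytes.org Update,
2015-11-16 10:25 AM, SYSTEM, CYBERTECH, Scheduler, Domain Database, 2015.11.12.1, 2015.11.16.1, Detection,
2015-11-16 10:58 AM, SYSTEM, CYBERTECH, Protection, Malicious Website Protection, Domain, 41.185.13.124, pop.capewine.co.zw, 56013, Outbound, C:\Program Files\Microsoft Office\Office15\OUTLOOK.EXE, Detection, 2015-11-16 11:14 AM, SYSTEM, CYBERTECH, Protection, Malicious Website Protection, Domain, 41.185.13.55, capewine.co.zw, 56357, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, Scan,
2015-11-16 01:45 PM, SYSTEM, CYBERTECH, Manual, Start:2015-11-16 01:05 PM, Duration:40 min 41 sec, Threat Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections, Detection,
2015-11-16 02:17 PM, SYSTEM, CYBERTECH, Protection, Malicious Website Protection, Domain, 41.185.13.55, capewine.co.zw, 64004, Outbound, C:\Program Files (x86)\Internet Explorer\iexplore.exe, (end)"""

RECORD_TYPES = ("Update", "Protection", "Detection", "Scan")
# A record starts with its type token followed by a timestamp, so split on
# that pair rather than on line breaks.
BOUNDARY = re.compile(
    r"\s*,?\s*(%s),\s*(?=\d{4}-\d{2}-\d{2} \d{1,2}:\d{2} [AP]M)" % "|".join(RECORD_TYPES))

def parse_records(text):
    """Return [(record_type, [field, ...]), ...] from a flattened MBAM log."""
    flat = " ".join(text.split())                     # undo the broken wrapping
    flat = re.sub(r",?\s*\(end\)$", "", flat)
    parts = BOUNDARY.split(flat)                      # [preamble, type, body, ...]
    return [(rtype, [f.strip() for f in body.strip().rstrip(",").split(",")])
            for rtype, body in zip(parts[1::2], parts[2::2])]

def website_blocks(records):
    """Group Malicious Website Protection detections by blocked hostname."""
    blocks = defaultdict(lambda: {"ips": set(), "ports": [], "processes": set()})
    for rtype, f in records:
        if rtype != "Detection" or "Malicious Website Protection" not in f:
            continue
        i = f.index("Malicious Website Protection")
        # Fields after the module name: Domain, IP, hostname, port, direction, process.
        _kind, ip, host, port, _direction, proc = f[i + 1:i + 7]
        entry = blocks[host]
        entry["ips"].add(ip)
        entry["ports"].append(int(port))  # 56013..64004 in the log, rising over time
        entry["processes"].add(proc.rsplit("\\", 1)[-1])  # basename of the exe
    return dict(blocks)

def threat_scan_clean(records):
    """True if a completed Threat Scan in the log reported zero detections."""
    for rtype, f in records:
        if rtype == "Scan" and "Threat Scan" in f and "Completed" in f:
            return "0 Malware Detections" in f and "0 Non-Malware Detections" in f
    return False
```

Run over the full log from the post, the summary shows every block is an outbound connection to a capewine.co.zw hostname from an ordinary client (browser, mail, FTP), which is what one expects from a domain-database entry rather than from malware on the workstation.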
