Problems with IP protection


smount

Hi,

Malwarebytes IP protection is blocking my web sites.

The problem is that my sites are hosted by BlueHost, which uses a shared IP address.

http://domainbyip.com/69.89.31.61/ lists 142 sites, none of which are mine. I have 28 domains with them, so there are probably hundreds of sites sharing that address.

I understand the simplicity of blocking by IP address, but isn't it possible to block by domain name?

What can be done? I want my sites to be accessible.

Steve Mount

My email to support:

-------------------------

This is a false positive IP malware report, but it's a bit complicated.

I cannot get to any of my own sites when Malware IP protection is on.

The IP address is 69.89.31.61

I have many sites (28); among them are:

geneinfosite.com (main)

stevemount.info (commonly used)

symmetryspace.org

ifdiet.info

spliceport.org

I see no indication that these sites have been hacked, and I certainly didn't put any malware there. I don't even have ads (a couple of the sites have a Google gadget).

Here is the complication:

This is a shared IP address run by Bluehost.

I am contacting them separately.

Can you tell me what sites are responsible for labeling this IP address as Malware?

Shared Ip Address 69.89.31.61

I am contacting BlueHost. I understand that one of their other customers, perhaps someone with the same shared IP address, may be running Malware. Is there a way to "whitelist" certain domains (I can give you the full list of 28 domains)? I suspect not. Is there a way to address this through BlueHost?

I want my sites back!

Link to post

I got more information from the other thread (about GoDaddy shared site 64.202.189.170).

In particular http://hosts-file.net/?s=69.89.31.610&view=matches shows that there are two malicious sites sharing this IP (addresses disabled to stop anyone going there in error).

propertydictionary [dot] com

spywareadwareremovalsoftwareonline [dot] com

spywarenotice [dot] com

So, I am indeed sharing an IP address with listed malware.

I will inform BlueHost. I hope that this can be fixed quickly.

Link to post

I spoke with BlueHost using their chat function and bought a dedicated IP address for $50 (19 months). It should be up and running within a day or two (actually, it's up and running now, at Dedicated Ip Address 69.89.17.250, but it will be a while before that address gets propagated and used).

A dedicated IP address appears to be the only solution, which is too bad, because this is a common situation for small web sites. I thought that I would share the end of my chat with Chad:

Steve Mount [12:33:26 PM]: OK, and on your end

[12:33:30 PM]: This is a problem.

[12:33:41 PM]: People will either have to all buy a dedicated IP

[12:33:59 PM]: or have sites that are increasingly inaccessible.

[12:34:13 PM]: It's not just Malwarebytes.

[12:34:25 PM]: Microsoft/Bing is introducing malware blocking.

Chad [12:35:46 PM]: While I understand what you're talking about, this is not something we're responsible for. We cannot and will not police all content that everybody uploads to their account. The way our user architecture is set up it's impossible for one user's site to affect another's, cross-account. So even if there are other sites that are hacked, they won't affect yours. It's a poor way of reporting a hacked site on the part of Malwarebytes, as it purposely singles out Shared Hosts that operate the same way we do. We're not unique in this position; just about every shared (Not slice/VPS) host has 1 IP per hundreds (or thousands) of domains per server, with the option to have your own IP at an additional cost.

[12:36:29 PM]: So while we're aware it can cause problems, it's not something we have a whole lot (or any) control over

Steve Mount [12:36:58 PM]: Your terms of service allow you to shut down someone who posts malware. I know because I read them.

Chad [12:37:05 PM]: The only "solutions" we'd have would be to offer private IP's to every host--Which costs an extravagant amount of money, therefore driving the cost of hosting up, or to police every account for hacked content.

[12:37:12 PM]: And we do, if it's brought to our attention.

Steve Mount [12:37:24 PM]: but I understand.

Chad [12:37:34 PM]: Oftentimes malware that's uploaded is not purposely placed by the user, so we can only react.

Steve Mount [12:37:42 PM]: I know.

[12:37:46 PM]: These are all good points.

[12:38:04 PM]: it's too bad. The internet is getting less free all of the time.

Chad [12:38:17 PM]: It really is.

Steve Mount [12:38:21 PM]: Thanks for your help. You've been very helpful.

Chad [12:38:25 PM]: No problem. If you have any other questions, let us know. Have a great day. Bye!

Finally, readers of this forum might be interested in their advice for avoiding hackers that install malware. Some of this is specific to Bluehost.

[12:32:40 PM]: It's probably a good idea to make sure your site is secure nonetheless.

[12:32:47 PM]: Hackers can gain access to your account through various methods. I am not a hacker, so I cannot explain exactly how you were compromised--However, I do recommend doing the following:

[12:32:48 PM]: 1) Fix your permissions. Set configuration files to 440 or 444, all other files to 644, and all folders to 755. (Please note these may not work for all scripts. Adjust accordingly.)

[12:32:49 PM]: 2) Update your installed applications and scripts. Old software is a very common point of entry. If you installed software using our installers Fantastico or Simplescripts, you can check for and apply the latest available revision from there.

[12:32:49 PM]: 3) Uninstall any old or unused script. Even though it may not have a link to it on your page, it can still be used against you.

[12:32:50 PM]: 4) Disable "register_globals = On" in your php.ini files by changing the "On" variable to "Off." In addition to that, it may be a good idea to also disable "Display_errors = " by changing the variable to "Off." (Please note that some scripts require these settings. Adjust at your own risk.)

[12:32:51 PM]: 5) Delete any php information files you may have created. This gives hackers an abundance of information that can be used against you.

[12:32:51 PM]: 6) Check your pages for unknown "<script></script>" tags and "<iframe></iframe>" tags. These are commonly injected to redirect your files to other pages or to run malicious code.

[12:32:51 PM]: 7)

[12:32:53 PM]: Check your folders for files with suspicious names, like "xx.php," "r78.php," "c99.php," etc. Generally these pages will have self-identifying code in them that will make it very obvious they're for hacking. To view code source, use your File Manager tool in CPanel; right-click and select "view" within the File Manager to check a file's code.

[12:32:54 PM]: 8) Use password protection on sensitive folders, such as admin folders and system folders. To use this protection, go to CPanel > Security > Password Protect Directories.

[12:32:55 PM]: 9) Use your .htaccess to deny access to sensitive folders and files, such as your php.ini files and your configuration files. To deny access to a folder, create a .htaccess file in that folder, and add this to the file's code, without quotes:

[12:32:55 PM]: "order allow,deny

[12:32:55 PM]: deny from all"

[12:32:55 PM]: To protect files, use this syntax:

[12:32:55 PM]: "<files *file-name-here*>

[12:32:55 PM]: order allow,deny

[12:32:55 PM]: deny from all

[12:32:55 PM]: allow from *your IP address*

[12:32:56 PM]: </files>"

[12:32:56 PM]: This should secure your account fairly well. Be sure to contact your developer for his help, and check our helpdesk for keywords "security."

[12:33:15 PM]: It's a canned response, but I did try to can as much useful info as possible, I promise. :angry:

Link to post
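Items 1, 4, 5, 6 and 7 of the checklist in the BlueHost chat above can be run as a read-only audit of a web root. This is an added example, not part of the original post and not BlueHost's own tooling; the list of configuration file names and the finding labels are assumptions.

```sh
#!/bin/sh
# Added example: read-only audit of a web root against the chat checklist.
# CONFIG_NAMES is an assumption; list the config files your scripts use.
CONFIG_NAMES='php.ini wp-config.php config.php configuration.php'

is_config() {
    for n in $CONFIG_NAMES; do
        if [ "$(basename "$1")" = "$n" ]; then return 0; fi
    done
    return 1
}

# Prints one finding per line as "<CHECK> <detail> <path>"; changes nothing.
audit_webroot() {
    root=$1
    # Item 1: every folder should be 755.
    find "$root" -type d ! -perm 755 | sed 's/^/PERM dir-not-755 /'
    find "$root" -type f | while IFS= read -r f; do
        # Item 1: config files 440 or 444, all other files 644.
        if is_config "$f"; then
            [ -n "$(find "$f" \( -perm 440 -o -perm 444 \))" ] ||
                echo "PERM config-not-440-or-444 $f"
        else
            [ -n "$(find "$f" -perm 644)" ] || echo "PERM file-not-644 $f"
        fi
        # Item 4: register_globals / display_errors left On in php.ini.
        if [ "$(basename "$f")" = php.ini ] && grep -qiE \
            '^[[:space:]]*(register_globals|display_errors)[[:space:]]*=[[:space:]]*on' "$f"
        then echo "INI risky-setting-on $f"; fi
        # Item 5: leftover PHP information pages.
        if grep -q 'phpinfo[[:space:]]*(' "$f"; then
            echo "INFO phpinfo-call $f"
        fi
        # Item 6: tags to review by hand (not every match is malicious).
        if grep -qiE '<(script|iframe)[ >]' "$f"; then
            echo "TAG review-script-or-iframe $f"
        fi
        # Item 7: the file names the chat gives as examples.
        case $(basename "$f") in
            xx.php|r78.php|c99.php) echo "NAME suspicious-filename $f" ;;
        esac
    done
    return 0
}
```

Call it as `audit_webroot /path/to/public_html`; TAG findings only mark files for manual review, since legitimate pages also contain script tags.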

I have to make one more follow-up reply.

The response of Malwarebytes through their support ticket system includes this:

"There is no actual 'infection' and you have not been attacked or targeted. We're working on changing the message in the next version to avoid confusion. The alert indicates that an IP was prevented from loading onto your system."

While that's a useful clarification, it suggests that they still don't "get it." The IP Protection option is blocking valid sites that I would like to visit. My only recourse (other than getting a dedicated IP address, which I could do, since these were my own sites) was to turn off the IP protection. If everyone does that, it serves no purpose. Since an enormous number of sites are hosted by servers such as Bluehost or GoDaddy that use shared IP numbers, blocking malware at the IP number level is not all that useful to Malwarebytes customers. If Malwarebytes wants to provide internet malware protection it's going to have to find an approach that uses domain names (perhaps on the basis of their not being new).

Link to post

  • Staff
First let me quote the whole reply from support:
There is no actual 'infection' and you have not been attacked or targeted. We're working on changing the message in the next version to avoid confusion. The alert indicates that an IP was prevented from loading onto your system.

Note:

Some sites are cropping up as 'false positives' due to a bug in the way XP converts the IPs. A new version to correct this will be out within a week or so.

Please see the link below which contains our FAQ's on this feature for more information:

http://www.malwarebytes.org/forums/index.p...t=0#entry107310

So it explains far more than you allude to. And it's obvious you did not read the link provided in the support ticket.

Had you read that you'd have seen that there are going to be options added to this feature shortly where users can white list or exclude IPs, thereby allowing users to add or remove IPs as they see fit, regardless of what we say and they can take the risk. This boils down to being smart and staying away from known malware IP ranges. It's good to see that you've done the right thing and gotten a dedicated IP, kudos to you for doing that. It shows you're more interested in the people who visit your site than saving a buck.

And the conversation with Bluehost is all too typical of hosts. They love all the money they make from hosting anyone with a valid account to take the money, but don't care if they distribute malware in doing so. Akin to a policeman looking the other way and taking money under the table to allow criminal activity to continue and fester. It is directly due to this kind of attitude the Net will continue to be as bad as it is.

It's all about the Benjamins.

Link to post

Thanks for your reply. I am pleased that this matter is getting your attention.

Let me reply to yours.

I'm not at all sure why you think that I didn't read that post. I realize that I can remove the IP protection. I can (and did) purchase a dedicated IP address. I could also choose not to use Malwarebytes (which is entirely voluntary and worthwhile). I'm looking forward to being able to whitelist individual IP addresses.

What concerns me is that the people that I would like to visit my site are not likely to bother. There are many, many people like me who have their sites hosted on shared IPs, and they will suffer from IP-based protection. I wouldn't be so hard on the hosts. They make dedicated IPs available to the customers who want to pay for them, and it's not their appropriate role to police their users (any more than it's the job of the telephone company to police threatening phone calls). They do encourage people to keep their accounts secure, and they provide information about how to do that.

Thanks again. I do appreciate your efforts at internet malware protection.

Link to post

@ TeMerc

If that does what you say it does, blocking IPs connecting to your system, then a job well done. But yes, I will agree, I reckon a lot of users have been getting a little worried, in the way it alerts users.

Looking forward to the update to resolve that...

Great job guys / girls, keep up the good work....

Link to post

Apologies for taking so long to reply.

With respect to BlueHost, they've been sent several abuse reports over the past 12 months, and every single one of them has been ignored, which is why this range was blacklisted. The domains they need to take down are listed at:

http://hosts-file.net/?s=69.89.31.&view=matches

Given the reply you've posted from them above, I don't see this happening as they claim they "can not and will not" police content? (their servers, their responsibility, regardless of what they claim).

Link to post
