Jump to content

False positive for Malwarebytes' own ip


Sphinx

Recommended Posts

@ Sphnix

Did you click on the sponsored link?

And that site is most definitely NOT Malwarebytes, as Steven said.

No, I didn't click on it. I originally was getting the ip block on the other ip which I know for certain isn't malicious and as part of my investgative process decided to do a general search on Malwarebytes. As you may be able to see from the screenshot (which the forum script made smaller in dimension), the first link Google lists at the top of sponsored links is the one you've indicated isn't Malwarebytes.

Link to post
Share on other sites

@ Sphinx

Hmm. Did it throw the IP alert when you went to the actual Malwarebytes website?

Also, in the future, please erase what the person before you said when replying, and just write

@ username like I did to address you :) This makes the forum easier to read.

Hmm... I'll let Steven take it from here... I'm not sure what happened then.

Link to post
Share on other sites

Without the IP and domain of the site to which you are referring as originally noticing this on, there is little I can do.

To clarify however, Malwarebytes has one domain - malwarebytes.org. The one you referenced and the IP you referenced, are not legit sites.

Link to post
Share on other sites

To mountaintree16: I don't think so, but not sure now as I've been on long call with registrar re false positive, emails to them and others, including Malwarebytes' support, and my itty bitty brain is fuzzy now on the sequence experienced.

To MysteryFCM: ip was listed in my 1st post: 68.178.232.99. Domain is edavislaw.com, currently parked domain at registrar services server: secureserver.net.

Link to post
Share on other sites

Apologies for missing it. The IP is not actually a false positive, currently housing quite a few malicious domains (with even more across the range);

http://hosts-file.net/?s=68.178.232.99&view=matches

/edit

Neither edavislaw.com or www.edavislaw.com are currently resolving for me at all.

Link to post
Share on other sites

Not sure what you mean. Going to edavislaw.com, Malwarebytes pops up ip block for malicious ip.

Domain and ip resolving fine for me, the registrar and a consultant, so no idea why it wouldn't resolve for you.

What does the link site tell us pertaining to subject ip and/or domain?

Link to post
Share on other sites

To clarify, in this case, we aren't blocking the entire range, only those IP's affected.

As far as the domain, your still being able to resolve it is likely due to DNS caching, as the other sources I've checked, can't resolve it either. For example;

http://web-sniffer.net/?url=http%3A%2F%2Fe...e=GET&uak=0

As far as the hosts-file.net link I posted previously, it simply tells you the known malicious content we're currently aware of as residing at the IP and the neighbouring IP's.

Link to post
Share on other sites

@ Sphinx

Thanks for answering me :)

Hmm, I am not sure whats going on here, I can't be of any further help unfortunately. Looks like you and Steven are figuring it out together :)

Link to post
Share on other sites

Just confirmed this with my own WhoIs server;

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

No match for "EDAVISLAW.COM".
>>> Last update of whois database: Sat, 19 Sep 2009 21:20:42 UTC <<<

Link to post
Share on other sites

WHAAAAT???????

INTERNIC.NET REPORTS:

http://reports.internic.net/cgi/whois?whoi...amp;type=domain

Domain Name: EDAVISLAW.NET

Registrar: WILD WEST DOMAINS, INC.

Whois Server: whois.wildwestdomains.com

Referral URL: http://www.wildwestdomains.com

Name Server: NS25.DOMAINCONTROL.COM

Name Server: NS26.DOMAINCONTROL.COM

Status: clientDeleteProhibited

Status: clientRenewProhibited

Status: clientTransferProhibited

Status: clientUpdateProhibited

Updated Date: 19-aug-2009

Creation Date: 19-aug-2009

Expiration Date: 19-aug-2014

Link to post
Share on other sites

No problem, but given it's parked, I'm a little confused as to what the issue is? (alot of parking servers are leading to malicious domains, which is why some of them are blocked, but I'm confused as to why this would be a problem given the domain isn't actually in use anyway?)

Link to post
Share on other sites

A "parking" server is supposed to be used as a temporary holding page for an unused domain. For example;

http://hollmen.it-mate.co.uk

Sadly, alot of parking servers now, especially information.com et al, stick as many adverts on the "parked" domains as possible, and never bother filtering where the links will take the victim to - 99% of the time, the link will lead to either phishing scams, fake meds, rogues, or malware.

Link to post
Share on other sites

It's only parked until it's web design is complete, and having no access to the edavislaw.net site because it's being blocked as a malicious ip site when it's not is disturbing.

Parked means the domain resolves to the registrar's server parking ip for a domain (a temporary hold page is displayed using the edavislaw.net domain name address).

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.